For this release, the versioning information is Cisco Secure ACS , Appliance Management Software , and Appliance Base Image ( – The Cisco Secure ACS for Windows has been retired and is no longer supported. CSUtil Database Utility: this appendix details the Cisco Secure Access Control Server (ACS) for Windows Server command-line utility. Among its.
Use the CLI show command output command or the Appliance Upgrade status page to confirm the current version in use. All white papers are available on Cisco.
If a page of the Disabled Accounts report has users who belong to groups that the administrator cannot access, the report doesn’t allow the administrator to move to the next page of the report. If a user account is configured to be assigned a group by the group mapping feature, the user account appears on the Disabled Accounts report even though the administrator only has access to specific groups. Workaround: Access the Disabled Accounts report with an administrative account that has permission to access all groups.
Document states, this code "resets a Group User record back to its original factory defaults." In a scheduled replication scheme, a secondary server incorrectly records an error in the replication log when scheduled replication does not occur because no changes have occurred on the primary server. For example, this can occur when the primary and secondary servers are only configured to replicate the user database and network configuration, and then a change is made to Network Configuration on the primary server but no change is made in the user database.
At the next scheduled replication, the primary server correctly sends only the network configuration, but the secondary logs an error message that the user database was not received. This is not an error and the message should not be logged.
This causes the downloadable ACLs to fail to download and, as a result, the user to whom the ACLs were to be applied fails to authenticate. Workaround: It's read-only. No other workaround at this time until the bug is fixed. When replication occurs between two Cisco Secure ACSs over a slow link, the services of the primary ACS are restarted after the timeout configured on the CiscoSecure Database Replication page expires while replication has not yet completed.
The services that restart are: In the case of an SPC component created by MC-based applications, the "Name" field is not limited to 31 characters; it allows entering many more and then returns an error message to the user.
The following pattern of errors is received: If the name is between 28 and 34 characters, the "Internal Error, Failed to locate or create record for update" message appears. If the name is more than 34 characters, the "Name is invalid or contains illegal characters" message appears. A message queue was added to CSAuth for message storage, with a dedicated thread that actually logs the messages from the queue.
The navigation button bar on the left in the HTML interface may disappear after the following sequence: Click an "Issuer Friendly Name". Click Cancel three times, which returns you to the System Configuration page.
Click Global Authentication Setup. Click Cancel. The navigation bar disappears. Using Netscape Communicator 7. Workaround: Use a different supported browser. When more than one Network Admission Control (NAC) attribute (also known as a credential) has the same application type ID but the application names are different, Cisco Secure ACS always displays the application name associated with the lowest vendor ID.
This problem is not obvious at first because the default attributes in Cisco Secure ACS that have the same application ID but different vendor IDs coincidentally do use the same application name. The problem arises when you add attributes that use a different application name but an application ID that is used by other attributes. Instead, only HTTP was used. If you delete a NAC policy while it was assigned to NAC databases and then create a new policy with the same name, ACS automatically assigns the newly created policy to the databases that the deleted policy was assigned to.
An example scenario: The customer creates a new policy named 'policy1'. Workaround: Use unique names for policies and never reuse them. Also, before you delete a policy, remove it from all NAC databases except the one database you use to access the policy when you delete it.
This is wrong. Also, the following information is missing from the user guide and online documentation: NAC databases are not replicated, just as any external user database configurations are not replicated, but local and external NAC policies are replicated; therefore, to ensure that replicated policies are associated with the correct NAC databases on secondary ACSs, you must take the following steps on each secondary ACS that receives replicated NAC policies:
In each NAC database, define the same mandatory credentials. When replication occurs, the NAC database configurations on the secondary are not affected, including how policies are assigned to them, but the contents of the policies are updated to reflect any changes on the primary ACS. Replication succeeded.
Therefore, when more than six operations write to the Microsoft registry, a failure may occur. Refer to the field notices on Cisco. The regexp code was not multi-thread safe. The problem has been fixed. It is hard to reproduce the problem. However, the probability of its occurrence grows with the number of concurrent TACACS authorization requests for commands whose arguments are defined using regular expression syntax.
Users that upgraded to version 3. Symptom: An ACS server may fail an authentication attempt but log the attempt as successful. Conditions: If one ACS server is configured to log passed authentications remotely to another ACS server AND that remote ACS server is available, everything functions as expected. If the remote ACS server is not available (link down), the user will be notified that authentication failed i.
Workaround: To restore service you need to do one of the following: bring the link back up on the remote ACS or turn off remote logging on the local ACS. This will be fixed in the next release. This behavior sometimes occurs with various browsers and Java plug-in configurations. SNMP 'get' and 'get-next' requests for host. When using prefix characters with ". Microsoft Windows cannot understand the path later. Symptom: The Appliance Status page always shows high CPU, which is inconsistent with the output of the 'Status' page and the information within the 'package.
Workaround: Stop RA before performing an uninstall. The NAC attributes disappear on the appliance after upgrading to 3. Workaround: add them manually after the upgrade. No workaround. Workaround: restart from the services control to update the changes. When restoring a database from the software version to an appliance, the restore removes the default proxy entry (the appliance itself) from the proxy table.
Workaround: Use a backup from the appliance version or add the default proxy entry manually. This feature is available, but is documented in the following location: There are some errors in csauth. This is a Microsoft bug. Refer to Microsoft documentation in order to generate certificates with exportable private keys. When configuring a long list of permitted IP addresses (Accept SNMP packets from selected hosts), the administration session times out after submitting the list.
Workaround: Do not enter more than 10 IPs. In the worst case, if more are configured, the system will accept them but the user will have to start a new admin session. A Cisco-PEAP client that has to change its password at next logon and enters the same password does not get any error in the failed-attempts log in ACS. Various problems occur. Conditions: The target folder on the replication slave machine already exists.
Use of JavaScript tokens in the CRL description causes the current admin session to close. Note Bug summaries in Table 6 through Table 8 are printed word-for-word as they appear in our bug tracking system. When a username is different from a pre-Windows name and the supplicant sends the user name without a domain name, the CSAuth service does not break.
Not every packet being transmitted will be affected. Given that TCP will retransmit any unacknowledged packet, the system will recover. There may be excessive logging of the error message within the network. Workaround: A temporary workaround is to reload the server; while the problem is transient, it will likely return within days or weeks.
The fix is integrated into the Base Image version 3. Use the CLI show command output command or the Appliance Upgrade status page to confirm the current version in use. Authorized users can no longer retrieve arbitrary files via the web interface.
When usage quota is turned on for the default group, the RADIUS service exception no longer appears. Symptom: If a replication process takes more than 5 minutes to complete, another replication process begins immediately, before the first one ends.
The outbound source machine sends another replication to the inbound destination machine; but, since the first replication hasn't finished yet, the second one is aborted. Additionally, by the time the second replication is aborted, the first replication has also finished successfully. This means that both the failed and the successful replications try to start the services. Some error messages might appear regarding services which cannot be started, for instance: "Service CSLog failed to start."
These messages do not take into account a situation where the service is not running, but is actually being started. Conditions: This happens when the inbound machine is running on a Server or Advanced Server, which might cause replication to take more than 5 minutes. The outbound machine's OS is irrelevant. Workaround: This problem is related to the error messages that appear while the second replication is rightfully aborted. No real error condition was found, and since there is no known workaround for this, the only thing to do is ignore the error messages themselves.
CRL download no longer fails in certain CA environments. Information has been added to the release notes to clarify that you cannot back up, restore, replicate information, or log in remotely when using different versions of Cisco Secure ACS. ACS is doing these as the actual character instead of the ASCII.
This is resolved. If for any reason you want one of the LDAP configurations to work with the old format (not compliant with the RFC), go to the registry entry of the specific configuration and change the variable EncodeFilter to zero. During machine authentication, the supplicant doesn't expect retriable errors, so when machine authentication fails, ACS immediately rejects the attempt and updates the log.
Conditions: This only shows with ACS version 3. This problem has been resolved by updates to the CRL graphical user interface. The default status is Not in Use. Reimaging with 3. The Cisco stopped shipping in January. Those illustrations are of the Cisco. If the username does not include a domain name and AD initiated a password change procedure by its policy, the user now receives the password change dialog.
When using the external Windows and other type of external database, the changed password will no longer fail. The Restore button works correctly when you use the supported Netscape browser and Solaris operating system. The AAA Server table entry for the appliance is created appropriately during installation and initial configuration of the appliance.
The self-referential AAA Servers table entry is not deleted during a database restoration. The Login prompt no longer appears when it should not during appliance upgrade using the console.
The appliance host name appears in the Proxy Distribution Table and the Synchronization Partners table. Upgrade via the HTML interface operates correctly when the console is in use. The results of the new console command ntpsync are also logged here.
The "Default" entry in the Proxy Distribution Table is restored correctly. Names of shared profile components allow the correct number of valid characters. Replication timeout is configurable, allowing you to account for replication over slow connections. Documentation reflects the limitations of group mapping for users authenticated by Windows user databases. For enabling per-user command authorization, an additional value "per user" was added for the V1 field in action code. Administrator permissions correctly grant or deny administrators access to the User Password Changes report.
Unregistering and reregistering a management center application with Cisco Secure ACS causes the role-based settings for that application to be reset to default settings in Cisco Secure ACS. Cisco documentation and additional literature are available on Cisco.
Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems. You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides hour-a-day, award-winning technical assistance.
If you do not hold a valid Cisco service contract, contact your reseller. The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
The website is available 24 hours a day, days a year at this URL: If you have a valid service contract but do not have a user ID or password, you can register at this URL: To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1): Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2): Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3): Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels. Severity 4 (S4): You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information. If your issue is not resolved by using the recommended resources, your service request will be assigned to a Cisco TAC engineer.
S1 or S2 service requests are those in which your production network is down or severely degraded. Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources. New and experienced users will benefit from these publications. Each quarter, Packet delivers coverage of the latest industry trends, technological breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources.
You can access Packet at this URL: The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions.
You can view current offerings at this URL: Table 1 Product Documentation Document Title. Table 2 Related Documentation Document Title. Caution Backup and restore are supported and tested only when done on the same version. For example, back up on 3. Application Versions. Do not use the recovery CD for Cisco devices on a Cisco device; likewise, do not use the recovery CD for Cisco devices on a Cisco device.
Logged In User not showing after going into enable mode on router. Workaround: None. Log into the CiscoWorks desktop with admin privileges. Log out of CiscoWorks. Group mapping ordering applet is not properly ordered. Uninstalling Win Remote Agent when uninstall terminates unexpectedly. Unable to edit some of the disabled accounts. CSAdmin stops responding when editing Java using Netscape.
Action Code does not return group settings to factory defaults. Action Code doesn’t work as documented. Replication displays error when nothing to be replicated. Admin account can see all users who are dynamically mapped. Local admin can see dynamic mapped users.
The following pattern of errors is received: If the name is less than 28 characters, the name is accepted. If the name is between 28 and 34 characters, the "Internal Error, Failed to locate or create record for update" message appears. If the name is more than 34 characters, the "Name is invalid or contains illegal characters" message appears. The maximum length of the name should be limited in the UI.
Netscape prevents pressing links inside the Logging configuration. ACS install fails if installing on machine with running Remote Agent. Engine lost Interface Cfg. Change in NAF is not valid until the services are restarted. Workaround: Restart ACS services. New attributes do not replicate to remote agent.
A deleted policy is reassigned when a new policy is created with the same name. Replication of NAC policies should be updated in the documentation.
CSLog crashes if a logged attribute is deleted due to replication. Replication succeeded. If you encounter this problem, please call TAC for assistance. ACS suffers a huge performance impact when writing to the registry.
Unable to authenticate user, found in unknown external DB after upgrade. Using the -l option, you can reload the Cisco Secure ACS internal data from a dump file created by the -d option. Note Using the -d option requires that you stop the CSAuth service. Step 2 If the CSAuth service is running, type: Step 3 Type: Step 5 To resume user authentication, type: This option replaces all existing Cisco Secure ACS internal data with the data in the dump text file.
In effect, the -l option initializes all Cisco Secure ACS internal data before loading it from the dump text file. Dump text files are created using the -d option. While the -d option only produces dump text files that are named dump.
You can use the -p option in conjunction with the -l option to reset password-aging counters. Note Using the -l option requires that you stop the CSAuth service. Note Overwriting the database does not preserve any data; instead, after the overwrite, the database contains only what is specified in the dump text file.
Like many relational databases, the CiscoSecure user database handles the deletion of records by marking deleted records as deleted but not removing the records from the database.
Over time, your CiscoSecure user database may be substantially larger than is required by the number of users it contains. To reduce the CiscoSecure user database size, you can compact it periodically. If you do not specify the filename, CSUtil. Additionally, if you want to automate this process, consider using the -q option to suppress the confirmation prompts that otherwise appear before CSUtil.
Tip If you include the -q option in the command, CSUtil. If you do not use the -q option, CSUtil. Step 4 For each confirmation prompt that appears, type Y and press Enter. You can also update AAA client definitions. For user accounts, you can add users, change user information such as passwords, or delete users. Step 2 Create an import text file. Step 3 Copy or move the import text file to the same directory as CSUtil.
Step 5 Type: Cisco Secure ACS is updated with the information in the import text file specified. Step 7 To restart CSRadius, follow these steps: To start CSRadius, type: Step 8 To restart CSTacacs, follow these steps: To start CSTacacs, type: The import file can contain six different line types, as discussed in the following topics. The first line of the import file must be one of the tokens defined in Table D. Each line of a CSUtil.
Some of the tokens are followed by values. Values, like tokens, are colon-delimited. For tokens that require values, CSUtil. Although CSUtil. ADD statements are optional. If the username already exists, no information is changed. Group number to which the user is assigned. This must be a number from 0 to , not a name. For example, the following ADD statement would create an account with the username "John", assign it to Group 3, and specify that John should be authenticated by the CiscoSecure user database with the password "closedmondays":
They make changes to existing user accounts. Use a pipe between IP addresses to import devices with multiple IPs. The authentication protocol the AAA client uses. Note The valid values are listed below. Quotation marks are required due to the spaces in the protocol names.
You can use the -u option to export a list of all users in the CiscoSecure user database to a text file named users. The users. Within each group, users are listed in the order that their user accounts were created in the CiscoSecure user database.
For example, if accounts were created for Pat, Dana, and Lloyd, in that order, users. Note Using the -u option requires that you stop the CSAuth service. To export user information from the CiscoSecure user database into a text file, follow these steps:. Step 4 To resume user authentication, type:. You can use the -g option to export group configuration data, including device command sets, from the CiscoSecure user database to a text file named groups.
The groups. Note Using the -g option requires that you stop the CSAuth service. To export group information from the CiscoSecure user database to a text file, follow these steps:.
The setup. For example, the CSRadius log could contain a message similar to the following: In this example, the error code number that you could use CSUtil. Note The hyphen (-) before the number is required. The -c option is for use by the TAC. Its purpose is to resolve CRC (cyclic redundancy check) value conflicts between files manually copied into your Cisco Secure ACS directories and the values recorded in the Windows Registry.
Note Do not use the -c option unless a Cisco representative requests that you do. For more information about database replication, see CiscoSecure Database Replication. Note While CSUtil.
No users are authenticated during this process. After it is complete, CSUtil. During upgrades, the Utils directory, where CSUtil. No users are authenticated while this process is occurring. An unassigned slot is empty. Each vendor and VSA set is saved to a separate file. The subdirectory is named System UDVs.
For example, if vendor Widget occupies slot 4, the exported file created by CSUtil. Each section comprises a section header and a set of keys and values. Defines a single attribute of the VSA set. For more information, see Attribute Definition.
Defines enumerations for attributes with integer data types. For more information, see Enumeration Definition. The section header must be “[User Defined Vendor]”. Table D-8 lists valid keys for the vendor and VSA set section. The name of a VSA. For each VSA named here, the file must contain a corresponding attribute definition section.
To facilitate this, we recommend that you prefix the vendor name to each attribute name, such as “widget-encryption” for an encryption-related attribute for the vendor Widget. This also makes accounting logs easier to understand. Vendor Widget has 4 VSAs thus requiring 4 attribute definition sections :. The section header of each attribute definition section must match the attribute name defined for that attribute in the vendor and VSA set section.
Table D-8 lists the valid keys for an attribute definition section. The attribute profile defines if the attribute is used for authorization or accounting or both. At least one of the following two values must be present in the Profile key definition:. Note Several attributes can reference the same enumeration section.
For example, the following attribute definition section defines the widget-encryption VSA, which is an integer used for authorization, and for which enumerations exist in the Encryption-Types enumeration section:. Enumeration definitions enable you to associate a text-based name for each valid numeric value of an integer-type attribute. Enumeration definition sections are required only if an attribute definition section references them.
Only attributes that are integer-type attributes can reference an enumeration definition section. The section header of each enumeration definition section must match the value of an Enums key that references it. An enumeration definition section can be referenced by more than one Enums key, thus allowing for reuse of common enumeration definitions.
An enumeration definition section can have up to keys. Table D lists the valid keys for an enumeration definition section. For each valid integer value of the corresponding attribute, an enumeration section must have one key. Each key defines a string value associated with an integer value. For example, if 0 through 4 are valid integer values for a given attribute, its enumeration definition would contain the following: For example, the following enumeration definition section defines the Encryption-Types enumeration, which associates the string value bit with the integer 0 and the string value bit with the integer. The vendor Widget has 5 VSAs.
Of those attributes, 4 are for authorization and one is for accounting. Two attributes have enumerations for their valid integer values, and they share the same enumeration definition section. User specification options are as follows: Note Using the -a option restarts the CSAuth service. No users are authenticated while CSAuth is unavailable.
Cisco Secure ACS groups are numbered starting from 0 (zero). For example, if group 7 has 43 users and you ran CSUtil. Note Using the -g option restarts the CSAuth service. For example, if you ran CSUtil. Lists of usernames should contain one username per line with no additional spaces or other characters. Note We recommend that you use a password you devise rather than the default password.
PAC passwords can contain any character, are between four and characters long, and are case sensitive. While CSUtil. If you want to use a list of users, create it now. If necessary, create a password. We recommend passwords that are long, use uppercase and lowercase letters, and include numbers. If necessary, create the directory.
Step 3 Type. You can also use the options to specify filepath and password. The PAC files are named with the username plus a “. For example, a PAC file for the username seaniemop would be seaniemop.
Administrative session tracking assumes each browser resides on a computer with a unique IP. Also, IP filtering of proxied administrative sessions has to be based on the IP address of the proxy server rather than the IP address of the computer. This conflicts with administrative session communication that does use the actual IP address of the computer. For more information about IP filtering of administrative sessions, see Access Policy.
For these reasons, we do not recommend performing administrative sessions using a web browser that is configured to use a proxy server. Administrative sessions using a proxy-enabled web browser are not tested. In the case of firewalls that do not perform network address translation (NAT), administrative sessions conducted across the firewall can require additional configuration of Cisco Secure ACS and the firewall.
We do not recommend conducting administrative sessions across a network device performing NAT. Cisco Secure ACS does not permit this. Additionally, all the ports allowed using the HTTP port allocation feature would have to be similarly mapped. We have not tested such a configuration and do not recommend implementing it.
Remote administrative sessions always require that you log in using a valid administrator name and password, as configured in the Administration Control section. If the Allow automatic local login check box is cleared on the Sessions Policy Setup page in the Administration Control section, Cisco Secure ACS requires a valid administrator name and password for administrative sessions accessed from a browser on the computer running Cisco Secure ACS.
Determine whether a supported web browser is installed on the computer you want to use to access the HTML interface. If not, install a supported web browser or use a computer that already has a supported web browser installed. The latest revision to the Release Notes is posted on Cisco.
Step 1 Open a web browser. In the Password box, type the password for the administrator name you specified. Click Login. When you are finished using the HTML interface, we recommend that you log off.
While Cisco Secure ACS can timeout unused administrative sessions, logging off prevents unauthorized access by someone using the browser after you or by unauthorized persons using the HTTP port left open to support the administrative session. Note The Logoff button appears in the upper right corner of the browser window, except on the initial page, where it appears in the upper left of the configuration area. Online help is the default content in the display area.
For every page that appears in the configuration area, there is a corresponding online help page. At the top of each online help page is a list of topics covered by that page. To jump from the top of the online help page to a particular topic, click the topic name in the list at the top of the page.
To jump to the applicable topic in an online help page, click the question mark icon. To view an applicable section of the online documentation, click the Section Information icon. If you have accessed the online documentation by clicking a Section Information icon and want to view the online help page again, click the Back to Help icon.
The user guide provides information about the configuration, operation, and concepts of Cisco Secure ACS. The information presented in the online documentation is as current as the release date of the Cisco Secure ACS version you are using.
Tip Click Section Information on any online help page to view online documentation relevant to the section of the HTML interface you are using. Step 2 If you want to select a topic from the table of contents, scroll through the table of contents and click the applicable topic.
Step 3 If you want to select a topic from the index, follow these steps: Click [Index]. Using policies that you configure, it evaluates the credentials sent to it by the Cisco Trust Agent, determines the state of the host, and sends the AAA client ACLs that are appropriate to the host state.
By evaluating the host credentials many specific policies can be enforced, such as operating system patch level and antivirus DAT file version. Cisco Secure ACS records the results of policy evaluation for use with your monitoring system.
For example, credentials that are specific to an antivirus vendor can be forwarded to the vendor antivirus policy server. Users who access the network with a computer that has not passed machine authentication within a configurable length of time are given the authorizations of a user group that you specify and that you can configure to limit authorization as needed.
Alternatively, you can deny network access altogether. This feature introduces granular application of network-access restrictions and downloadable ACLs, both of which previously only supported the use of the same access restrictions or ACLs to all devices.
NAFs allow much more flexible network-device restriction policies to be defined, a requirement common in large environments. You can define sets of ACLs that can be applied per user or per group. This feature improves your ability to configure replication when network connections between replication partners are slow. Capitalized terms used in this SLA and not otherwise defined herein shall have the meanings assigned to them in the Software License Agreement.
To the extent that there is a conflict among any of these terms and conditions applicable to the Software, the terms and conditions in this SLA shall take precedence. By installing, downloading, accessing or otherwise using the Software, Customer agrees to be bound by the terms of this SLA.
If Customer does not agree to the terms of this SLA, Customer may not install, download or otherwise use the Software. CDs containing tools to restore this Software to the 11XX hardware are provided to Customer for reinstallation purposes only. If the Software update and new version releases can be purchased through Cisco or a recognized partner or reseller, the Customer should purchase one Software update for each Cisco 11XX Hardware Platform. If the Customer is eligible to receive the Software update or new version release through a Cisco extended service program, the Customer should request to receive only one Software update or new version release per valid service contract.
Customer may not reproduce nor distribute software. Note Cisco sometimes updates the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco. Table 1 describes the product documentation that is available. All white papers are available on Cisco. To view them, go to the following URL:
It discusses network topology regarding AAA, user database choices, password protocol choices, access requirements, and the capabilities of Cisco Secure ACS. This document discusses planning, design, and implementation practices for deploying Cisco Secure ACS for Windows Server in an enterprise network. It discusses network topology, user database choices, access requirements, integration of external databases, and capabilities of Cisco Secure ACS.
Table 3 describes the upgrade procedures for the Cisco Secure ACS software based on the device that you are using, the upgrade path, and whether you want to install the SNMP support feature. Table 4 describes various installation use cases that may assist you in deciding the appropriate procedure to follow.
Refer to the installation processes that are documented in the user guide and the installation guide. X for Appliance and backup your data. Then use the Recovery CD 1 to upgrade the appliance and restore the data. For 3. X for Appliance.
To upgrade to 3. You can do so at the console or in the HTML interface: If the CSAgent service is running, enter stop csagent. Step 4 To save and restore your existing data, you must perform the following steps. If you do not want to save your data, go to Step 4 b.
To do so, use one of the two following features: The upgrade destroys all data and installs a new image. Ensure that you have the correct version for your hardware. To save and restore the appliance data and configuration, use one of the two following features. If you do not want to save your data, go to Step 5. You can apply upgrades by using the HTML interface or the console. Step 5 Verify that Cisco Security Agent is enabled. If the CSAgent service is not running, enter start csagent.
If not, select it and click Submit. Step 6 To see the results of this upgrade procedure, view the Appliance Upgrade page. When you complete this procedure, the Application Versions table on the Appliance Upgrade page will appear: Please read this procedure carefully before proceeding. Step 2 Determine what versions of the following software the Cisco is running: If you do not want to keep the database, perform the backup, but skip the restore steps Step 5 d.
To do so, use one of the following features: This upgrade will destroy all data and install a new image. Restore the appliance data and configuration. Step 6 If either of the following conditions is true: Step 7 If either of the following conditions is true: Step 8 Verify that Cisco Security Agent is enabled.
Step 9 To see the results of this upgrade procedure, view the Appliance Upgrade page. Step 5 To save and restore your existing data, you must perform the following steps. If you do not want to save your data, skip to Step 6. To save and restore the appliance data and configuration, use one of the following features. Step 6 If you do not want to save your data, perform the following steps: Step 8 Do one of the following: Use this procedure to specify the PIX command authorization set parameters for a user.
There are four options: To specify PIX command authorization set parameters for a user, follow these steps: Step 3 To prevent the application of any PIX command authorization set, select or accept the default of the None option. Step 5 To assign a particular PIX command authorization set to be effective on any configured network device, follow these steps: From the list directly below that option, select the PIX command authorization set you want applied to this user.
Step 6 To create associations that assign a particular PIX command authorization set to be effective on a particular NDG, for each association, follow these steps:. Use this procedure to specify the device-management command authorization set parameters for a user. Device-management command authorization sets support the authorization of tasks in Cisco device-management applications that are configured to use Cisco Secure ACS for authorization.
You can choose one of four options: To specify device-management application command authorization for a user, follow these steps: Step 3 To prevent the application of any command authorization for actions performed in the applicable device-management application, select or accept the default of the None option. Step 4 To assign command authorization for the applicable device-management application at the group level, select the As Group option.
Step 5 To assign a particular command authorization set that affects device-management application actions on any network device, follow these steps: Select the Assign a device-management application for any network device option. Then, from the list directly below that option, select the command authorization set you want applied to this user. Step 6 To create associations that assign a particular command authorization set that affects device-management application actions on a particular NDG, for each association, follow these steps:
Select a Device Group and an associated device-management application. Typically, you use it for router management control. From the following four options, you can select and specify the privilege level you want a user to have. Note For information about privilege levels, refer to your AAA client documentation. Note No Enable Privilege is the default setting; when setting up a new user account, it should already be selected. Step 3 If you selected Max Privilege for Any Access Server in Step 2, select the appropriate privilege level from the corresponding list.
From the Device Group list, select a device group. Note You must have already configured a device group for it to be listed. From the Privilege list, select a privilege level to associate with the selected device group. An entry appears in the table, associating the device group with a particular privilege level.
Repeat Step a through Step c for each device group you want to associate to this user. Tip To delete an entry, select the entry and then click Remove Associate. Note The list of databases displays only the databases that you have configured. For more information, see About External User Databases.
This password is used in addition to the regular authentication. Step 2 In the IETF RADIUS table, for each attribute that you need to authorize for the current user, select the check box next to the attribute and then further define the authorization for the attribute in the box or boxes next to it, as applicable. A VSA applied as an authorization to a particular user persists, even when you remove or replace the associated AAA client; however, if you have no AAA clients of this vendor type configured, the VSA settings do not appear in the user configuration interface.
Separate each attribute-value pair by pressing Enter. For example, if the current user profile corresponds to a Network Admission Control NAC client to which Cisco Secure ACS always assigns a status-query-timeout attribute value that needs to be different than a value that any applicable group profile contains, you could specify that value as follows:
You use it to provide different timeout values when a user must be able to connect via both wireless and wired devices. This capability to provide a second timeout value specifically for WLAN connections avoids the difficulties that would arise if you had to use a standard timeout value typically measured in hours for a WLAN connection that is typically measured in minutes.
Rather, use this setting when a user may connect via wired or wireless clients. Thus, with the Cisco-Aironet-Session-Timeout attribute configured, different session timeout values can be sent depending on whether the end-user client is a wired device or a Cisco Aironet Access Point. The recommended value is seconds. Proprietary attributes override IETF attributes.
Select the check box next to the particular attribute. Further define the authorization for that attribute in the box next to it. Continue to select and define attributes, as applicable. Step 3 In the Cisco VPN Concentrator Attribute table, to specify the attributes that should be authorized for the user, follow these steps: Make sure that the username and password are correct. Make sure that a two-way trust for dial-in check has been established between the Cisco Secure ACS domain and the other domains.
Select the Check the following external user databases option. From the External Databases list, select the database(s) against which to authenticate unknown users. Click Up or Down to move the selected database into the desired position in the authentication hierarchy. Make sure that you have correctly configured Group Mapping for the applicable database.
Make sure that the tree name, context name, and container name are all specified correctly. Start with one container where users are present; then you can add more containers later, if needed. If you are successful, check on the AAA client to see if you can authenticate the shell user Telnet user.
Unable to delete user from database. This command causes the database to be unloaded and reloaded to clear up the counters. Confirm the following: The necessary commands are listed in the following: Create a local user in the CiscoSecure user database and test whether authentication is successful. If it is successful, the issue is that the user information is not correctly configured for authentication in Windows or Cisco Secure ACS.
For troubleshooting purposes, disable password expiry for the user in the Windows user database. And ensure that the Selected Databases list reflects the necessary database. Verify that the Windows group that the user belongs to has not been mapped to No Access. Set to Expiration: Never for troubleshooting. Review the documentation that came with your modem and verify that the modem is properly configured. Authorization rights can be modified under Group Setup or User Setup.
There is little or no effect on your business operations. S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information. If your issue is not resolved by using the recommended resources, your service request will be assigned to a Cisco TAC engineer.
S1 or S2 service requests are those in which your production network is down or severely degraded. Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Information about Cisco products, technologies, and network solutions is available from various online and printed sources. New and experienced users will benefit from these publications.
Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources.
You can access Packet at this URL: The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions.
You can view current offerings at this URL: Table 1 Product Documentation Document Title. Table 2 Related Documentation Document Title. Reporting queued error: faulting application CSLog. On Cisco. Configuring LDAP. Solaris Netscape 7. Logged In User not showing after going into enable mode on router. Workaround: None.
The same error logged to Event Viewer, as in the following example: Reporting queued error: faulting application CSLog. This behavior observed on Windows Server only. Log into the CiscoWorks desktop with admin privileges. Log out of CiscoWorks. Group mapping ordering applet is not properly ordered. Unable to edit some of the disabled accounts.
CSAdmin stops responding when editing java using netscape. Remote Agents entries are being deleted after restore. Action Code does not return group settings to factory defaults. Action Code doesn’t work as documented. Replication displays error when nothing to be replicated. Procedure to reproduce the problem: 1. Failed attempts report statement is not clear enough. Workaround: This problem is cosmetic.
Admin account can see all users who are dynamically mapped. Local admin can see dynamic mapped users. Need to be able to roll back previously installed older patches. The following pattern of errors is received: If name is less than 28 chars – The name is accepted If name is between 28 and 34 chars – “Internal Error, Failed to locate or create record for update” message appears.
The maximum length of the name should be limited in UI. The navigation bar button bar on the left in the HTML interface may disappear after the following sequence: 1. ACS install fails if installing on machine with running Remote Agent. The integer field in that example might not be enough, depending on the particular SQL server, because of different integer interpretations (such as unsigned int or signed int). So before you use the table creation example you need to check how this particular SQL server interprets the integer field and modify the query accordingly.
The bug can occur in the following situations: 1. Attribute type was modified due to CSCee Workaround: On the NAC GUI page of the supplier configuration, an administrator can remove the problematic policy from the local policies list and thus the policy page appears without any problems. Engine lost Interface Cfg. Change in NAF is not valid until the services are restarted. Workaround: Restart ACS services. Csutil -n deletes all shared components and NAC policies.
A deleted policy is being reassigned when created with the same name. An example scenario: 1. Replication of NAC policies should be updated in the doc.
Also, the following information is missing from the user guide and online documentation: NAC databases are not replicated, just as any external user database configurations are not replicated, but local and external NAC policies are replicated; therefore, to ensure that replicated policies are associated with the correct NAC databases on secondary ACSs, you must take the following steps on each secondary ACS that receives replicated NAC policies: 1.
CSLog crash if a logged attribute is deleted due to replication. Replication succeeded. If you encounter this problem, please call TAC for assistance. ACS on huge performance impact when writing to registry.
Other than the software products described in the Release Notes, we have not tested the interoperability of Cisco Secure ACS and other software products on the same computer. We only support interoperability issues of software products that are mentioned in the Release Notes. The most recent version of the Release Notes is posted on Cisco.
For the most recent information about tested browsers, see the Release Notes. Cisco Secure ACS uses other ports to communicate with external user databases; however, it initiates those communications rather than listening to specific ports.
For more information about ports that a particular external user database listens to, see the documentation for that database. Include the Windows Registry in the backup. During new installations, or upgrades and reinstallations that do not preserve the existing configuration, the installation requires specific information about the computer you want to install Cisco Secure ACS on and a AAA client on your network. To facilitate the installation, collect the applicable information before beginning the installation.
Note If you are upgrading or reinstalling Cisco Secure ACS and intend to keep the existing configuration and database, you do not need to perform the following procedure, which requires information already recorded in your Cisco Secure ACS installation.
To collect information that is required during the installation of Cisco Secure ACS, follow these steps: Step 1 Determine whether the computer that you will install Cisco Secure ACS on is a domain controller or a member server. Step 3 Record the name of the AAA client. This document provides detailed procedures for installing, reinstalling, and upgrading Cisco Secure ACS. You must select the right procedure for your situation. Table 2 lists the five possible installation and upgrade scenarios.
See Table 2 to determine which procedure applies to your situation. Note Before you perform any installation or upgrade procedure, we strongly recommend that you read Preparation for Installing or Upgrading Cisco Secure ACS , and perform the applicable tasks detailed in that section.
Note If the computer does not have a required service pack installed, a dialog box appears. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, Cisco Secure ACS may not function reliably. Step 3 Do one of the following: Step 4 Read the software license agreement.
The Before You Begin dialog box lists items that you must complete before continuing with the installation. These are the same items discussed in Gathering Answers for the Installation Questions. After completing all items listed in the Before You Begin dialog box, restart the installation.
The Choose Destination Location dialog box appears. Under Destination Folder, the installation location appears. Step 7 If you want to change the installation location, follow these steps:. Click Browse. The Choose Folder dialog box appears. The Path box contains the installation location.
Change the installation location. You can either type the new location in the Path box or use the Drives and Directories lists to select a new drive and directory. The installation location must be on a drive local to the computer. If you do so, installation may appear to continue properly but will fail before it completes. Click OK. Note If you specified a folder that does not exist, the setup program displays a dialog box to confirm the creation of the folder.
To continue, click Yes. In the Choose Destination Location dialog box, the new installation location appears under Destination Folder. The Authentication Database Configuration dialog box lists options for authenticating users. You can authenticate with the CiscoSecure user database only, or with a Windows user database also. Note After you have installed Cisco Secure ACS, you can configure authentication support for all external user database types in addition to Windows user databases.
Select the Also check the Windows User Database option.