12-08-2009 01:39 PM - last edited on 03-25-2019 05:26 PM by ciscomoderator
I want to upgrade my ACS server 5.0.0.21 to 5.1. I want to use Active Directory. It seems that in my current version AD is not supported!
I try to do it by CLI.
What CLI command do I use and what patch?
Thanks !
12-08-2009 03:44 PM
There are a couple of patches that need to be installed before upgrading to 5.1:
1) ACS 5.0 patch 9. On CCO: 5-0-0-21-9.tar.gpg
2) ADE-OS version 1.2 /// upgrades the operating system version. On CCO: ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg
Both these steps use the following command: "acs patch install patch-name.tar.gpg repository repository-name"
Then you can perform the upgrade to 5.1 using the following command:
application upgrade application-bundle remote-repository-name
All the patches/upgrade bundles can be downloaded from CCO. The 5.1 package is called "ACS_5.1.0.44.tar.gz".
More detailed documentation is at:
12-09-2009 05:00 AM
Thank you very much !
The application upgrade was successful. Now I have:
sh version
Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.146
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
There is another problem: I see the Active Directory, and the users of Active Directory can be authenticated but cannot access privileged mode:
Example:
I created a user in Active Directory in the admin group
username : admin.ad
password: cisco123
telnet 192.168.1.1
username admin.ad
password cisco123
Router>en
password cisco123
Error in authentication
This is my problem.
12-09-2009 05:28 AM
In Monitoring and Reports I have this:
Authentication Status: Pass or Fail
Date: December 09, 2009
Dec 9,09 11:52:20.200 AM | 13029 Requested privilege level too high | admin.ad | switch | Device Type:All Device Types, Location:All Locations | Default Device Admin | AD1 |
Thanks !
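The report row above is the key clue in this thread: message 13029 means the user authenticated but asked for an enable level above what the assigned shell profile allows, so it is a policy problem rather than a bad password. The following added example (not from the thread or from Cisco) parses pipe-delimited rows in the format shown above and separates those authorization failures from other failures; the sample rows and the "XXXXX" failure code are constructed.

```python
from collections import Counter

# Field order as it appears in the report row quoted in the thread.
FIELDS = ("timestamp", "reason", "username", "device", "ndg", "service", "identity_store")

# 13029 is the failure reason quoted in the thread: authentication passed, but the
# requested enable level exceeds the shell profile's "Maximum Privilege".
PRIVILEGE_TOO_HIGH = "13029"

# Constructed sample rows (hypothetical data in the thread's format; "XXXXX" is a
# placeholder code, not a real ACS message number).
SAMPLE_ROWS = """\
Dec 9,09 11:52:20.200 AM | 13029 Requested privilege level too high | admin.ad | switch | Device Type:All Device Types, Location:All Locations | Default Device Admin | AD1
Dec 9,09 11:55:03.110 AM | 13029 Requested privilege level too high | test.ad | switch | Device Type:All Device Types, Location:All Locations | Default Device Admin | AD1
Dec 9,09 12:03:10.500 PM | XXXXX Wrong password (constructed) | localadmin | switch | Device Type:All Device Types, Location:All Locations | Default Device Admin | Internal Users
"""

def parse_row(line):
    """Split one pipe-delimited report row into a dict keyed by FIELDS."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    row = dict(zip(FIELDS, parts))
    # The reason column starts with the numeric message code, then the text.
    row["code"], _, row["message"] = row["reason"].partition(" ")
    return row

def classify(row):
    """Name the remediation bucket for a failed request."""
    if row["code"] == PRIVILEGE_TOO_HIGH:
        return "authorization: shell profile Maximum Privilege too low"
    return "other failure"

def summarize(report_text):
    """Count failures per (identity store, bucket) and collect the affected users."""
    counts, users = Counter(), {}
    for line in report_text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        key = (row["identity_store"], classify(row))
        counts[key] += 1
        users.setdefault(key, set()).add(row["username"])
    return counts, users

if __name__ == "__main__":
    counts, users = summarize(SAMPLE_ROWS)
    for key, n in counts.items():
        print(f"{key[0]:>14} | {key[1]:<55} | {n} failure(s): {sorted(users[key])}")
```

Two AD users hitting the same 13029 bucket against one identity store points at the shell profile selected by the authorization rule, which is exactly where the thread's fix was applied.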
12-09-2009 08:53 AM
Looks like you have made good progress!
Within each shell profile there are two fields: Default Privilege and Maximum Privilege. You need to check the value for the Maximum Privilege in the shell profile that was selected - you can see this in the details for the monitoring report - and see that it allows the level you requested.
While I am here, I realize there is one additional step for the upgrade that I didn't highlight in the mail, although it appears in the instructions that could be accessed from the link.
Configuration data gets upgraded automatically when you upgrade to 5.1. However, monitoring and troubleshooting data gets upgraded in the background while the system is running and operational. The following steps relate to the monitoring and troubleshooting data upgrade process:
Step 5 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.
The Data Upgrade Status page appears with the following information:
•Progress—Indicates the progress of the Monitoring and Report Viewer data upgrade.
•Status—Indicates whether the Monitoring and Report Viewer data upgrade is complete or not. ACS displays the following message when the upgrade is complete:
The View database conversion is complete.
Step 6 After the data upgrade status is complete, click Switch Database.
12-09-2009 09:50 AM
Thanks !
I saw it when I did the migration and I completed this step.
12-09-2009 10:03 AM
I created a group and gave it maximum privilege 15. The user is stored in Active Directory. I can authenticate but cannot access the privilege level.
Example:
telnet 192.168.1.1
username testAD
password cisco 123
Router> en
password cisco123
Access denied
Can you help me!!!
12-09-2009 10:14 AM
Which shell profile is being assigned to the request?
The shell profile contains a field "Maximum Privilege" which defines the maximum privilege for the session that can be set with an enable request.
You need to create a shell profile with this field set to your desired maximum value and then select it as the result of the authorization profile in the policy you are using. For example, if this was the "Default Device Admin" service this would be set at the following location:
"Access Policies > Access Services > Default Device Admin > Authorization"
12-09-2009 12:59 PM
I created a shell profile called FULL ACCESS and the privilege level is 15 (maximum privilege level). And I created a group called Active_Directory.
I created RULE 1:
Access Policies > Access Service > Default Device Admin > Authorization
Rule 1 in all groups: Active_Directory ------ ANY ---------ANY-------------ANY------------FULL ACCESS
telnet 192.168.1.1
username: test.ad (it's the user of the admin of the domain)
password : cisco123
Router>en
password cisco123
Access denied
If it's an internal user there is no problem, authentication is successful!!
I'm very confused, I don't know what to do. In ACS version 3 the users of Active Directory can authenticate successfully. There is an option in this version to say that the authentication can be done with the Windows database.
12-10-2009 11:19 AM
Thank you for your support!!! Everything is OK! Now the users of Active Directory can be authenticated, and the internal users too, depending on the access level I give.
Now I have just a question: is it possible to authenticate VPN users with the ACS? If yes, can the authentication be done by Active Directory?
Thank you!
12-10-2009 01:42 PM
Yes. This is supported. It may be best to look up the following topic in the online help for more details: "VPN Remote Network Access"
12-10-2009 02:07 PM
I read in the document:
Supported Authentication Protocols
ACS 5.1 supports the following protocols for inner authentication inside the VPN tunnel:
•RADIUS/PAP
•RADIUS/CHAP
•RADIUS/MS-CHAPv1
•RADIUS/MS-CHAPv2
With the use of MS-CHAPv1 or MS-CHAPv2 protocols, ACS can generate MPPE keys that are used for encryption of the tunnel that is created.
But I use the TACACS+ protocol in all the configuration! Do I need to change the configuration in the ACS if I want to configure VPN authentication by Active Directory?
04-01-2013 04:09 PM
Hello,
Great job on this discussion, Jonny.