have an issue with my ACS 3.3 TACACS server. All of a sudden when I add Administrators for the web interface, it does not save their privileges, such as Add/Edit users, TACACS Accounting Logs, etc. None of the check boxes stay checked. I have tried stopping and restarting the ACS services with no change. Has anyone seen this behavior?? Any help is appreciated.
ACS 3.3 is an old version and the best approach would be to upgrade to a supported version of ACS. For example 22.214.171.124 or 126.96.36.199.
Also, a possible reason when experiencing those type of issues is the JAVA Version or Browser Version. If you are using a newer version of JAVA you might start facing those type of issues.
Please try with older JAVA versions and older Web Browser Versions and verify if the issue persists.
Hope this helps.
Thanks for the response. Unfortunately I am in the middle of upgrading to ACS 5.3 and have to maintain this production server until it is completed. I have several other identical 3.3 servers that do not have this issue with the checkboxes under Administration Control, when setting up admins. I have tried with Firefox and IE6 and the same issues persists. Again I can add an admin account but it will not save any checkboxes that are enabled.
Usually those type of issues are related to JAVA as the configuration for the Privilege of the ACS Admin Accounts runs over JAVA Applets. Also, the Submit and Cancel buttons use JAVA. Are you facing issues with the buttons as well?
No. I have no issues with the buttons. I am able to function normally in all other areas using buttons, checkboxes, etc. It is just the Administrative Control section where the checkboxes do not save a\for any new accounts.
ACS 3.x and 4.x GUI issues are hard to troubleshoot. Is this an ACS for Windows? If yes, can you please go to System Configuration > Service Control > Logging Detail > Set it to Full.
At this point we need to recreate the issue a couple of times.
After recreating the issue please access the Windows Server using RDP and check the following path (or the applicable for your ACS installation): C:\Program Files\CiscoSecure ACS v4.2\CSAdmin\Logs. You might want to look for the ADMN.log which includes the GUI logging information.
Feel free to share the file with me after setting the ACS to Full Detail on logging and recreating the issue. Share an approx time to check on the logs as well.
Another development. I just tried adding several new accounts as admins. The first one behaved as the previous, would not save any checkboxes. The second account I got the following error message:
I cnanot add any more admins to the server. This is very strange and has never happened before.
I have not been able to find any restriction on the max amount of Admin Accounts for ACS 3.3. I did not find any errors on the ADMN logs either.
As the ACS 3.3 is quite old, I have seen issues with the ACS Internal Database getting locked or "corrupted" on some cases. We might want to try compressing the ACS 3.3. database. I am including the process below:
Like many relational databases, the ACS internal database marks deleted records as deleted; but does not remove the records from the database. You can clean up the ACS internal database and remove all records marked for deletion by using the following CSUtil.exe options:
•-d—Export all ACS internal data to a text file, named dump.txt.
•-n—Create an ACS internal database and index.
•-l—Load all ACS internal data from the dump.txt file.
Additionally, if you want to automate this process, consider using the -q
option to suppress the confirmation prompts that otherwise appear before CSUtil.exe
performs the -n
options. This process does not necessarily reduce the size of the database.
Note Cleaning up the ACS internal database requires that you stop the CSAuth service. While CSAuth is stopped, no users are authenticated.
To clean up the ACS internal database:
Step 1 On the computer that is running ACS, open an MS-DOS command prompt and change directories to the directory containing CSUtil.exe. For more information about the location of CSUtil.exe, see Location of CSUtil.exe and Related Files.
Step 2 If the CSAuth service is running, type:
net stop csauth
The CSAuth service stops.
Step 3 Type:
CSUtil.exe -d -n -l
Tip If you include the -q option in the command, CSUtil does not prompt you for confirmation of initializing or loading the database.
If you do not use the -q option, CSUtil.exe displays a confirmation prompt for initializing the database and then for loading the database. For more information about the effects of the -n option, see Initializing the ACS Internal Database. For more information about the effects of the -l option, see Loading the ACS Internal Database from a Dump File.
Step 4 For each confirmation prompt that appears, type Y and press Enter.
CSUtil.exe dumps all ACS internal data to dump.txt, initializes the ACS internal database, and reloads all ACS internal data from dump.txt. This process may take a few minutes.
Step 5 To resume user authentication, type:
net start csauth
Please perform the above described process and try to create the account again.
Hope this helps.
That did the trick. I ran the CSUtil and it seems to have cleaned up whatever was wrong with the database. Thanks so much for your help.