Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address issues with the ACS database with Cisco expert Srinivas Mallu. Srinivas is a senior customer support engineer in High Touch Technical Support (HTTS) within the Technical Assistance Center (TAC). He has a double CCIE in Routing & Switching and Security (CCIE# 8914). Srinivas has been in TAC for the past eight years supporting security related products such as PIX, ASA, FWSM, Security on IOS, IPSec, ACS and IDS. He also trains people on his team on security technologies.
Remember to use the rating system to let Srinivas know if you have received an adequate response.
Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 27, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
I just built an ACS server and, before I saved everything, I moved the cable.
It seems that the ACS server reflects its own IP as 127.0.0.1.
The answer I got from Cisco support is a pretty lengthy process to fix it.
Is there a quicker way to get it fixed with its real IP?
I don't want to export and send the file anywhere. The version of the ACS appliance is 4.2.
Thanks for your help.
Is this the solution that you mentioned?
In order to resolve the 127.0.0.1 self problem, you can restore the DMP files on ACS for Windows 4.2 and modify the entry 127.0.0.1 with the desired IP address.
Something else to confirm is whether, during the installation of the ACS, it was connected to the network using the bottom NIC.
Plug the network connection into the Ethernet 0 port (NIC 1).
For the Windows Version:
Cisco Secure Access Control Server 90-day Evaluation Software
Note: To set or change the IP address of your ACS SE, ACS SE must be connected to a working Ethernet connection.
This is a known issue with the ACS Appliance. There is no easy way to do this. The IP address of the ACS Solution Engine cannot be changed from the GUI.
This is a lengthy procedure, but this is what you have to do.
a) Restore the ACS SE database to ACS for Windows.
b) You'll see the server name with IP address 127.0.0.1.
c) Change that to whatever IP address you want it to be. Save it.
d) Restore the database to the ACS Solution Engine.
e) Now you can change the IP address of the server on the ACS Solution Engine as well, because it is not the default AAA server.
Hope this helps!
For future purposes, one thing you can do to avoid this problem is to connect the NIC to the network so that it pulls an IP address from the DHCP server and does not assign the loopback IP address.
We have purchased a Cisco IPS 4240 sensor, installed the license, and the device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below.
1) Please can you provide me the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor?
2) Where will this IPS 4240 sensor store all the generated events? Please can you provide me the file names and location of those files, and can you tell me how to access those files?
3) How many types of events will be generated by this IPS 4240 sensor?
4) How do I send all types of events to a syslog server (Windows Kiwi syslog or Linux syslog) present on another system in the network through the CLI, IDM and IME?
5) Can you provide me some examples to generate different events?
6) What is the difference between the CLI, IDM and IME?
7) How can we know that the configured IPS system is in inline mode?
This forum is dedicated to Cisco Secure ACS related questions.
Here are some resources on this subject:
Is it possible to add groups to ACS? By default there are 500 groups, but no choice in GUI to add groups.
The answer is No. Currently, there is no way to add more groups than the default number. Is there a reason why you want more than that? You can open a TAC case, and have an enhancement request filed for the same, if this is a need for your business.
Just wanted to know whether I can get CS ACS 4.2 from TAC or the Cisco web site, because it is available now from Cisco & we just got the upgrade CD of ACS?
My old version was 3.3.2 Build 2.
My upgraded versions were 4.1.1 Build 24 &
4.1.4 Build 13.
Kindly update me ASAP.
It's available on the Cisco.com site. If for some reason you are not able to download it, open a TAC case, and the engineer can make it available for you as a download link.
I am trying to upgrade ACS, but I don't have the disk.
The upgrade path is 3.3.3 -> 3.3.4 -> 4.1.23 -> 4.2.
The 3.3.4 patch is not in the download area, only the patch 22.214.171.124.8, but ACS 3.3.4 must be installed before installing this patch.
Where can I download the necessary disk for ACS 4.1 for Windows and ACS 4.2?
If the image you are looking for is not on the Cisco.com site, it's probably archived.
Please open a TAC case, and the engineer can post the download link for you.
We are having trouble with ACS 4.0 where the CSAUTH and CSRADIUS services peak in memory usage and authentication for RADIUS and TACACS gets stuck. Apparently a memory leak issue, which gets resolved for the time being by restarting the CSAUTH service. We restart the service at least three times a working week.
The TAC engineer asked us to upgrade to 4.2 to avoid this, but our integration is done with IBM's Tivoli, which does not have a plugin for ACS 4.2, only 4.0. And hence we cannot upgrade to 4.2 until IBM provides the plugin for it. What could be the workaround on 4.0?
There are no more fixes coming out for 4.0, let alone 4.2. The development team is done with all development on the 4.x code, and any new fixes for new issues will be addressed in 5.x or as a patch in 4.2 code and above.
The memory leak issue has been addressed with a patch in 4.1 and 4.2. There is nothing available in 4.0. There is no workaround available in 4.0, as it's a code fix. Can IBM work on a plugin for ACS 4.2 for you? That pretty much seems to be the only option here.
I'm wondering if it is possible to create an External Database Group Mapping via the command line? I have hundreds of AD-to-ACS group mappings that I need to do, but it's very time consuming to do them one at a time via the web interface. I'm running 4.1(4). Please let me know if this is possible.
This is not supported. In fact, this feature is not even in the pipeline. If this is something you are interested in, please open a TAC case and have an enhancement request opened for ACS 5.0, as most of the development for 4.x is already done.
I am running Cisco VPN Client 5.0 on Windows XP and I am getting error 442: failed to enable virtual adapter. How can I fix this? I tried uninstalling the adapter and reinstalling, but that did not fix it.
We have seen this issue with Windows XP and Windows Vista in the field, although we could not reproduce it in the lab.
With Windows Vista, it has been determined that the cause is related to DAD (duplicate address detection). This is a known issue in the field. Is Windows XP complaining about a duplicate IP address? It has been determined that it has nothing to do with the Persistent, Active or registry store for the IP information.
Please try this workaround.
Open "Network and Sharing Center", then select "Manage Network Connections". Enable the Virtual Adapter (VA), then right-click on the VA and select "Diagnose" from the context menu; after that, select "Reset the network adapter 'Local Area Connection X'".
This sounds like a bug in the VPN Client code. It's documented in CSCsi26106. This is fixed in 005.000(003.560).
One of our customers has been able to resolve this problem on Windows XP by uninstalling Microsoft Network Monitor. Try this as well and see if it fixes the problem.
Hope this helps!
Can you give me a brief idea of how to configure a wireless access point with dot1x (PEAP) using Cisco ACS as the RADIUS server?
Also, how do I configure the backup for the primary ACS server? I am using the Windows database. Can we use redundancy for this database too?
Please go through these docs:
Enabling MAC-Based Authentication on the Access Point
Yes. You can setup upto servers for backup authentication.
Enabling MAC-Based Authentication in Cisco Secure ACS
Hope this helps!
I am having an issue with a Cisco IDSM-2 module in a Cisco 6509. It's running version 6.1(2)E3 and it's showing 100% cpu-1 utilization & 100 inspection load continuously.
Please help me resolve this issue.
This discussion is limited to Cisco Secure ACS. Please submit your question in the IDS forum.
I'm trying to get dot1x authentication working with our Nortel 1140e IP phones, but have been unsuccessful so far. I'm hoping either yourself or other NetPro community members will be able to help me.
My environment consists of the following:
Nortel 1140e IP Phone (firmware 0624C6J)
Cisco ACS 4.1(4)
Catalyst 4510R (IOS 12.2.50 SG)
I have the Nortel phone configured for PEAP authentication, with a self-signed cert from the ACS server installed, and using a local ACS username and password.
However, authentication fails with the following error messages from the ACS server. I'm still waiting to hear back from Nortel on this issue, but was wondering if anyone else might have had this issue and resolved it already.
Authen session timed out: Challenge not provided by client
EAP-TLS or PEAP authentication failed during SSL handshake
From the failed attempts message, it sounds like a config issue on the Nortel router. I have searched the knowledge base for any issue on ACS with Nortel, and I haven't found any.
I suggest you open a TAC case with Nortel and go from there. From the logs, it seems like the ACS is not receiving the information it needs. Does the authentication work with other AAA servers?
I actually do have an open case with the Cisco TAC on this, and the next step for us is to get Nortel involved as well. I was just hoping that you or someone else may have run into this issue and had a solution. But that doesn't seem to be the case, so I will wait to get both Cisco and Nortel on the phone so they can have a civil discussion regarding this issue.
Thanks for your help.
- Self-signed Certificate Setup (only if you do not use an external CA)
If you use a Self-signed Certificate from Cisco Secure ACS
Complete these steps:
1. Copy the certificate from its location to the client.
2. Right-click the .cer file and click install certificate.
I suppose you cannot do that on the Nortel phone, can you?
- Set up the Client for PEAP
Note: The same Root Certificate should be installed on the ACS and the Phone.
We do have an external CA, but our security group won't let us install that certificate on a device that can't be secured... but that's a whole other story.
As far as installing the self-signed ACS certificate, you can, and we have installed it on the Nortel IP phone.
If anyone thinks it would help, I can post the Radius debug information of the dot1x authentication failure.
Are you also able to remove the Validate Server Certificate option from your Nortel Phone?
Are you able to authenticate a PC with PEAP using the same Certificate?
This will rule out the certificate as the cause of the issue...
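As an added triage example (not from the thread or from Cisco), assuming a Failed Attempts CSV export in the column layout shown, this Python script groups failures per client MAC and flags clients that only ever fail at the TLS stage, which is the pattern reported above for the Nortel phones and the reason the responder asks about server-certificate validation.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in an ACS 4.x Failed Attempts CSV layout (assumed column
# names; the first line stands in for the header ACS writes). Rows are made up.
SAMPLE_CSV = """Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address
02/25/2009,09:01:12,Authen failed,phone01,Default Group,00-1B-BA-11-22-33,EAP-TLS or PEAP authentication failed during SSL handshake,10.0.0.5
02/25/2009,09:01:45,Authen failed,phone01,Default Group,00-1B-BA-11-22-33,Authen session timed out: Challenge not provided by client,10.0.0.5
02/25/2009,09:02:03,Authen failed,laptop07,Default Group,00-50-56-AA-BB-CC,CS password invalid,10.0.0.5
02/25/2009,09:02:30,Authen failed,phone02,Default Group,00-1B-BA-44-55-66,EAP-TLS or PEAP authentication failed during SSL handshake,10.0.0.5
"""

# Failure codes raised before any credential is checked: the PEAP TLS tunnel
# never completed, so the supplicant's trust in the ACS server certificate
# (not the username/password) is the first thing to verify.
TLS_STAGE_CODES = (
    "EAP-TLS or PEAP authentication failed during SSL handshake",
    "Authen session timed out: Challenge not provided by client",
)

def classify(failure_code):
    """Map an Authen-Failure-Code string to a coarse failure stage."""
    if failure_code in TLS_STAGE_CODES:
        return "tls-handshake"
    if "password" in failure_code.lower():
        return "credential"
    return "other"

def triage(csv_text):
    """Return ({caller_id: Counter(stage)}, [callers failing only at TLS stage])."""
    per_caller = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_caller[row["Caller-ID"]][classify(row["Authen-Failure-Code"])] += 1
    cert_suspects = sorted(caller for caller, stages in per_caller.items()
                           if set(stages) == {"tls-handshake"})
    return dict(per_caller), cert_suspects

if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_CSV)
    for caller, stages in counts.items():
        print(caller, dict(stages))
    print("check server-certificate trust on:", suspects)
```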