
ACS 5.3

ewood2624
Level 5

Has anyone updated to ACS 5.3 yet? If so, any complications?

Sent from Cisco Technical Support iPad App


There have been issues seen with using tftp for large file sizes, like a backup and restore. It is recommended to use ftp.

There are two flavors of backup commands:

  • backup repository

On primary will backup OS config + ACS db. On secondary will backup OS config only

  • acs backup repository

On primary will backup ACS db. Nothing to backup on secondary.

Similarly restore. The restore you are looking will therefore look for operating system data which may not be there due to tftp issues

Ok, lesson learned, never use TFTP. But why the heck is it available as the protocol option? Who wants to invite problems anyway? Quick question though. What's the difference between OS config and ACS db? I mean, what would I need to back up from the OS if it is hardened Red Hat Linux and we only work with the ACS application?

By ACS db I am referring to the configuration information for ACS performed from within the ACS application

It is possible to make changes to the OS config from the CLI and this is what gets backed up when OS config is backed up. It is less relevant if you use the ACS GUI only.

There are issues historically with tftp. The original protocol has a file size limit of 32 MB. This was later extended to 4 GB. So you also need to make sure that the tftp server supports larger files. I will try and ascertain the status of tftp support.

Aha... My backup file is only 6 MB of size. Then I wouldn't expect any size limitation for TFTP. The actual error message was about not being able to find operating system data in the backup and I did the backup using the first option via CLI (see your listing of two flavours). Does it mean there's still an underlying problem with TFTP or I'm missing something?

zheka_pefti,

>What's ADE user, Rob ?

ADE is Application Deployment Engine - which is the OS that the ACS 'application' runs on, i.e. Cisco have developed their flavour of Linux into a hardened OS that they then run ACS and other applications on.

When you connect to the CLI - that's ADE - so that's your 'admin' user. When you connect to the web interface and log in with 'acsadmin' - that's ACS.

So you've got:

- ADE users - e.g. admin - local to the box (although there are options to refer to a TACACS server, as I mentioned, but I haven't tried them)

- ACS Administrators - eg. acsadmin - local to ACS - but in ACS 5.4 - may be able to refer to external user directories

- ACS users - ie. users you create in ACS (we don't have any as we're using our Active Directory for all user-auths)

Same ACS/ADE split with the backups:

- ACS backup just backs up the ACS configuration. Can do scheduled backups from the GUI. Comes from the primary only

- 'backup' backs up ACS + ADE (console/ssh - and 'show run') - but only manual from CLI. If you run from the secondary - only includes ADE config

Rob...

Freshly successfully installed an ACS on a VMware. I am having a problem accessing the web GUI. A console PC residing on the same network as the ACS can ping it but cannot browse through the ACS' Web GUI. Please help. Do I miss out some needed configuration to have it accessible? Thanks!!!

Couple quick first suggestions

login as "admin" into CLI on box and check that all services are running with the following command

show application status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

Check that all processes are running; especially management

If not issue the following commands to restart the processes and then check again

application stop acs

application start acs
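
The check suggested above, as an added example that is not part of the original thread: it parses captured `show application status acs` output and reports every process whose state is not `running`. The sample capture is constructed from the output format shown above; the `not running` state string and the function names are assumptions.

```python
import re

# Matches lines such as:  Process 'management'                running
PROCESS_LINE = re.compile(r"^Process\s+'(?P<name>[^']+)'\s+(?P<state>\S.*?)\s*$")
ROLE_LINE = re.compile(r"^ACS role:\s*(?P<role>\S+)\s*$")

# Constructed sample: same layout as the output in the thread, with one
# process put into an assumed 'not running' state for illustration.
SAMPLE = """\
ACS role: PRIMARY

Process 'database'                  running
Process 'management'                not running
Process 'runtime'                   running
Process 'view-database'             running
"""


def parse_acs_status(text):
    """Return (role, {process_name: state}) from captured CLI output."""
    role, processes = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        role_match = ROLE_LINE.match(line)
        if role_match:
            role = role_match.group("role")
            continue
        proc_match = PROCESS_LINE.match(line)
        if proc_match:
            processes[proc_match.group("name")] = proc_match.group("state")
    return role, processes


def unhealthy(text, required=("management",)):
    """List processes that are not 'running', plus required ones that are absent."""
    _, processes = parse_acs_status(text)
    problems = [f"{name}: {state}" for name, state in processes.items()
                if state != "running"]
    # An empty or error-only capture must not be read as "all healthy".
    problems += [f"{name}: missing from output" for name in required
                 if name not in processes]
    return problems


if __name__ == "__main__":
    print(parse_acs_status(SAMPLE)[0], unhealthy(SAMPLE))
```
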

Ok, will try this out tomorrow. Thanks!

Hi,

I have checked the status of the ACS but the ADE can't display any application. Output is "error finding status information for the application:acs". I am trying to start and stop the ACS via the ADE but it can't start the application. "application failed to start".

Praetoleiad,

Did you ever get your issue resolved ?

praetoleiad wrote:

Hi,

I have checked the status of the ACS but the ADE can't display any application. Output is "error finding status information for the application:acs". I am trying to start and stop the ACS via the ADE but it can't start the application. "application failed to start".

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

phardy
Level 1

Hi,

Using version 5.3 upgrade 5-3-0-40-2.

Not able to add more than 10 TACACS attributes when trying to configure Shell profile for my WCS wireless controller. It kicks me out. I then decided to use WCS in local mode. Any help will be highly appreciated.

Yes. There is an issue on patch 2 as follows:

CSCtx18638     Cannot add custom shell attribute with keyword alert          

This is to be resolved in patch 3, which is due to be released early next week.

The issue was introduced in patch 1 of ACS 5.3, so to work around it you will need to remove all 5.3 patches.

Patch 3 for ACS 5.3  has now been posted on CCO and includes a fix for

CSCtx18638     Cannot add custom shell attribute with keyword alert 

Hi,

I have already downloaded the patch, but I cannot see the release notes - I would like to check what else has been fixed.

Does it get posted later?

Regards

I think it is just taking time to make its way through the system

I am posting the list of CDETS below. Note there are a significant number of fixes related to interaction with Active Directory.

- CSCtx11180    ACS sometimes fails to fetch group info for users in trusted domain

- CSCtw71563   ACS gets disconnected from AD if received duplicate A records for DC

- CSCtu15832    ACS 5.2 will not recover from an RPC failure with a domain controller                             

- CSCtx71254    ACS 5.3 disconnecting from AD "unlatch" is seen in adclient logs

- CSCty19628    Unassign Mschapv2 group retrieval failure  Duplicate of CSCtx11180

- CSCty60915    ACS 5.3 pre-authentication failures with AD for some users  

- CSCtw59129   ACS5 tries to contact domains not in trusted list based on username 

- CSCty11627    ACS5 sends MS-CHAP-MPPE-Keys attribute in all access-accept packets.                     

- CSCtx90637    ACS MSCHAPV2 is not hashing the mschap success correctly             

- CSCtx18638    Cannot add custom shell attribute with keyword alert

- CSCtx83260    NDG locations not showing up on GUI

- CSCts14694    Accounting requests seen as authentication requests

- CSCty60512    User auth fail when having Authorization rule with built-in group

- CSCtz03041    AD Agent cores management                                       

- CSCty88457    ACS support bundle does not include adclient core files            

- CSCtz03084    /opt and /var full-Large ADAgent file containing file descriptor errors      

- CSCtz03036    AD Agent cache should be flushed when core is generated                                

- CSCtz03943    ACS exposes the AD account username and password
