Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7265
Views
0
Helpful
13
Replies

ACS 5.5 export internal users with password

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎01-04-2018 07:15 AM - edited ‎02-21-2020 10:43 AM

I have a Cisco ACS 5.5 running on ADE and I am trying to export all the internal users including passwords.

 

According to Cisco: "The ACS administrators can view the internal users' passwords from internal user database."
https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/user/guide/acsuserguide/users_id_stores.html

So for ACS 5.5 I should be able to retrive the passwords in clear text. Unfortunately I could not find any documnetation on how to do that.

 

It seems that a tool called extraxi could be used, but I was not able to download it after registering for trial, and it seems it supports only ACS 3.x and 4.x.

 

I was able to extract the database using:
acs support db_export repository myrepository encryption-passphrase null include-db original
In the bundle I have a directory called database, which contains the following files:
acs.db - should be the database I am looking for
acs.log
dbcred.cal - "Database password file" according to cisco
dbkey.cfg
prikeypwd.key

 

The problem is all the above files are encrypted and I am unable to open the db file.
Does anyone have any idea what tool can be used to view the db and how to decrypt it?

4 people had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎12-10-2018 04:45 PM

Please check out the community discussion on the same topic.

https://community.cisco.com/t5/policy-and-access/acs-export-database-with-passwords/m-p/3758232

 

Thanks

Krishnan

View solution in original post

0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to mbilgrav

‎01-09-2019 11:27 AM

ACS 5.1 is end of life and end of support 2015.

https://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-system/eol_c51-693439.html

 

Let me clarify this, CSV's with users/passwords can be imported initially. This is to help provision the users. A good practice is to ask users change the passwords. After this the user passwords becomes sensitive information. So you cant see the password when you export, it will be empty.

 

I would suggest looking at ISE which is the next generation ACS, do a mini pilot and try the services. You will find the user interface, policies much better.

http://cs.co/acstoise

 

Thanks

Krishnan

 

 

View solution in original post

0 Helpful
13 Replies 13

Go to solution
Sirlei Silva
Level 1
Level 1

‎12-10-2018 03:51 AM

I have a Cisco ACS 5.5 and need to migrate to cisco ISE. The user's data base are more de 700 user's. Anyone know if there is some way to perform the export internal users with password?

 


Regards,

 

0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎12-10-2018 04:45 PM

Please check out the community discussion on the same topic.

https://community.cisco.com/t5/policy-and-access/acs-export-database-with-passwords/m-p/3758232

 

Thanks

Krishnan

0 Helpful

Go to solution
mbilgrav
Level 3
Level 3

‎01-07-2019 01:56 AM

Hi,

I am facing the exact same issue: I need to export usernames and passwords, in cleartext to migrate to a new system.
Did you manage to do so, and would you be able to provide a step-by-step guide ?

Thanks

0 Helpful

Go to solution
mbilgrav
Level 3
Level 3
In response to Jason Kunst

‎01-07-2019 07:46 AM

yes  indeed I did see that.

- only I dont see any solution as to how to export usernames and passwords in cleartext.

Please guide me if I am reading it wrong

I am seing a URL but no info on URL for Export users with password

Cisco forum - URL for acs export.jpg

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to mbilgrav

‎01-07-2019 08:02 AM

Have you looked at the tool that exports and imports?

https://community.cisco.com/t5/security-documents/acs-to-ise-migration/ta-p/3644038
0 Helpful

Go to solution
mbilgrav
Level 3
Level 3
In response to Jason Kunst

‎01-07-2019 08:14 AM

I know about the tool, but I havent deep-dived into it, as my final destination, in this case, isnt ISE.
I need to export username/password in clear text inorder to import into a 3rd party system. (AD-LDS and then use LDAP authn from ASA VPN gateways, that otherwise used to use RADIUS via ACS and ACS internal-users)
Does the ACS-to-ISE migration tool have the option to export usernames and password in clear text ?
(I think the key here is clear text)

0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to mbilgrav

‎01-08-2019 10:50 AM

Hi,

 

ACS migration tool does not support that. It exports the configuration in a secure fashion, stores it in a blob, and imports it in a secure way to ISE. This is not a tool to export and import from ACS to other system.

 

Thanks

Krishnan

 

 

 

 

 

 

0 Helpful

Go to solution
mbilgrav
Level 3
Level 3
In response to kthiruve

‎01-09-2019 06:08 AM

Thanks for reply !
Appriciate it.
Just to clarify: I need to export ACS 5.1 internal usernames and password in clear text from ACS.
can this be done and how ? (I am willing to pay the price)
0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to mbilgrav

‎01-09-2019 11:27 AM

ACS 5.1 is end of life and end of support 2015.

https://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-system/eol_c51-693439.html

 

Let me clarify this, CSV's with users/passwords can be imported initially. This is to help provision the users. A good practice is to ask users change the passwords. After this the user passwords becomes sensitive information. So you cant see the password when you export, it will be empty.

 

I would suggest looking at ISE which is the next generation ACS, do a mini pilot and try the services. You will find the user interface, policies much better.

http://cs.co/acstoise

 

Thanks

Krishnan

 

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to kthiruve

‎01-09-2019 12:18 PM

Another tidbit would be stand up ISE in parallel and point it to your ACS for the accounts. Migrate the accounts over and have the users setup a new password with the new system
0 Helpful

Go to solution
mbilgrav
Level 3
Level 3
In response to kthiruve

‎01-10-2019 12:37 AM

Hi

Thanks for your reply - I am aware of the fact that ACS is EoX and ISE is the new black.
But Its just not related to this issue. However I now conclude that ACS can't export username and passwords.

 

To bad.

 

Thanks for your efforts

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎01-08-2019 08:57 AM

i have asked our SMEs @kthiruve to check

0 Helpful
Customers Also Viewed These Support Documents