
ACS 5.5 export internal users with password

Bogdan Nita
VIP Alumni

I have a Cisco ACS 5.5 running on ADE and I am trying to export all the internal users including passwords.

 

According to Cisco: "The ACS administrators can view the internal users' passwords from internal user database."
https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/user/guide/acsuserguide/users_id_stores.html

So for ACS 5.5 I should be able to retrieve the passwords in clear text. Unfortunately I could not find any documentation on how to do that.

 

It seems that a tool called extraxi could be used, but I was not able to download it after registering for trial, and it seems it supports only ACS 3.x and 4.x.

 

I was able to extract the database using:
acs support db_export repository myrepository encryption-passphrase null include-db original
In the bundle I have a directory called database, which contains the following files:
acs.db - should be the database I am looking for
acs.log
dbcred.cal - "Database password file" according to Cisco
dbkey.cfg
prikeypwd.key

 

The problem is all the above files are encrypted and I am unable to open the db file.
Does anyone have any idea what tool can be used to view the db and how to decrypt it?


Accepted Solutions

kthiruve
Cisco Employee

ACS 5.1 is end of life and end of support 2015.

https://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-system/eol_c51-693439.html

 

Let me clarify this: CSVs with users/passwords can be imported initially. This is to help provision the users. A good practice is to ask users to change the passwords. After this, the user passwords become sensitive information. So you can't see the password when you export; it will be empty.

 

I would suggest looking at ISE which is the next generation ACS, do a mini pilot and try the services. You will find the user interface, policies much better.

http://cs.co/acstoise

 

Thanks

Krishnan

 

 

13 Replies

Sirlei Silva
Level 1

I have a Cisco ACS 5.5 and need to migrate to Cisco ISE. The user database has more than 700 users. Does anyone know if there is some way to export internal users with passwords?

 


Regards,

 

kthiruve
Cisco Employee

Please check out the community discussion on the same topic.

https://community.cisco.com/t5/policy-and-access/acs-export-database-with-passwords/m-p/3758232

 

Thanks

Krishnan

mbilgrav
Level 3

Hi,

I am facing the exact same issue: I need to export usernames and passwords in cleartext to migrate to a new system.
Did you manage to do so, and would you be able to provide a step-by-step guide?

Thanks

Yes, indeed I did see that.

- only I don't see any solution as to how to export usernames and passwords in cleartext.

Please guide me if I am reading it wrong.

I am seeing a URL but no info on the URL for exporting users with password.


 

I know about the tool, but I haven't deep-dived into it, as my final destination, in this case, isn't ISE.
I need to export username/password in clear text in order to import into a 3rd party system. (AD-LDS and then use LDAP authn from ASA VPN gateways, that otherwise used to use RADIUS via ACS and ACS internal-users)
Does the ACS-to-ISE migration tool have the option to export usernames and passwords in clear text?
(I think the key here is clear text)

Hi,

 

The ACS migration tool does not support that. It exports the configuration in a secure fashion, stores it in a blob, and imports it in a secure way to ISE. This is not a tool to export and import from ACS to another system.

 

Thanks

Krishnan

Thanks for the reply!
Appreciate it.
Just to clarify: I need to export ACS 5.1 internal usernames and passwords in clear text from ACS.
Can this be done, and how? (I am willing to pay the price)


 

 

Another tidbit would be to stand up ISE in parallel and point it to your ACS for the accounts. Migrate the accounts over and have the users set up a new password with the new system.

Hi

Thanks for your reply - I am aware of the fact that ACS is EoX and ISE is the new black.
But it's just not related to this issue. However, I now conclude that ACS can't export usernames and passwords.

Too bad.

 

Thanks for your efforts

I have asked our SMEs @kthiruve to check