08-08-2012 12:38 PM - edited 03-10-2019 07:23 PM
Users whose status is manually disabled do not have any difficulty authenticating and accessing/managing network devices. That makes me wonder: what is the difference between status enabled and disabled?
Thanks,
Kerim
08-16-2012 07:39 AM
Hi Tarik,
Unfortunately, our VMs running ACS 5.3 were not thick provisioned. I was informed by Cisco TAC that the VMs had to be thick provisioned and that I have to re-install ACS 5.3. My concern is, will this affect licensing in any way? Will I be able to use the licenses generated originally, or will I have to regenerate them?
Thanks,
Kerim
08-16-2012 08:05 AM
Kerim,
If you take a backup and rebuild your virtual machines, you should be able to restore with the licenses and all the application configuration. *The command is acs backup.*
Thanks,
Tarik Admani
*Please rate helpful posts*
08-16-2012 08:06 AM
Hi Tarik,
While you are at it, I want to ask you about patching ACS servers. I used the "patch install" CLI command to install the cumulative patch. It asks for a file name and a remote repository name. I gave it the patch name 5-3-0-40-3.tar.gpg and also the remote TFTP user which I use for incremental backups and for patching too. But I keep on getting this error message: % Manifest file not found in the bundle. Can you help with this as usual?
Thanks,
Kerim
08-16-2012 08:09 AM
The command you want to run when installing a patch is 'acs patch install ...', and you need to use an FTP server; I was never able to get the patch installed using a TFTP repository.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-16-2012 09:00 AM
Thanks Tarik!
What if I choose not to back up and rather use a clean install? Will that cause a problem related to licensing?
08-16-2012 09:05 AM
If you open the license file with a text editor, do you see anything in the file that has the serial number or MAC address (anything that makes it hardware-specific)? If not, then you can use the licenses. I am drawing a blank on the way the ACS licenses are structured. ISE uses the MAC address and serial number, so when you create a new virtual machine you have to have the licenses rehosted.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-16-2012 01:01 PM
Hi Tarik,
I was trying to configure an SFTP-based repository. It asks for a username and password. We don't have a local password configured on our SFTP server; we use RSA. So although I will be able to assign a user name, I can't assign a password. How do I go about solving this?
Thanks,
Kerim
08-16-2012 01:26 PM
If you are using RSA tokens (meaning one-time passwords), then you can issue the following command from the CLI:
copy sftp://x.x.x.x disk:
That should prompt you for a username; use your one-time token for the password.
After this you can create a repository called localdisk and point the URL to disk:/
Then you can issue the acs patch install.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-20-2012 11:48 AM
Hi Tarik,
I tried to do SFTP. I just couldn't. I am able to SSH to the SFTP server like acs/admin# ssh sftpserver user. This has worked and I see the authentication log on the RSA server. But when I do acs/admin# copy sftp://sftpserver disk:/, it prompts for username and password and then fails with the error message:
%Error: transfer failed.
08-20-2012 02:05 PM
Kerim,
Your best option at this point is to use FTP; it works like a charm.
Thanks,
Tarik Admani
*Please rate helpful posts*
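The CLI sequence the last few replies describe, written out as an added example (not from the thread and not Cisco's own documentation): define an FTP repository on the ACS 5.x ADE-OS shell, confirm the bundle is visible, and install it with the ACS-level command rather than the ADE-OS "patch install". The localdisk alternative for an SFTP server that only accepts one-time passwords follows. Hostnames 192.0.2.10 / 192.0.2.20, the repository names, the path and the credentials are placeholders; the patch file name is the one quoted in the thread; lines beginning with "!" are annotations, not commands.

```text
! --- ACS 5.x CLI (ADE-OS), added example. Addresses, names and credentials are placeholders.
acs/admin# configure terminal
acs/admin(config)# repository ACSPATCH
acs/admin(config-Repository)# url ftp://192.0.2.10/acs-patches
acs/admin(config-Repository)# user ftpuser password plain ftpsecret
acs/admin(config-Repository)# exit
acs/admin(config)# exit

! Check that the repository is reachable and the bundle is listed before installing
acs/admin# show repository ACSPATCH
5-3-0-40-3.tar.gpg

! Use the ACS-level command; the ADE-OS "patch install" is a different command
acs/admin# acs patch install 5-3-0-40-3.tar.gpg repository ACSPATCH

! Alternative when the SFTP server only takes one-time passwords:
! pull the bundle once (enter the token at the password prompt),
! then install from a repository that points at the local disk
acs/admin# copy sftp://192.0.2.20/acs-patches/5-3-0-40-3.tar.gpg disk:/
acs/admin# configure terminal
acs/admin(config)# repository localdisk
acs/admin(config-Repository)# url disk:/
acs/admin(config-Repository)# exit
acs/admin(config)# exit
acs/admin# acs patch install 5-3-0-40-3.tar.gpg repository localdisk

! Confirm the installed version afterwards
acs/admin# show application version acs
```

Two practical cautions: FTP carries the repository credentials and the bundle in cleartext, so keep the FTP server on the management network and give that account read access to the patch directory only; and compare the downloaded bundle against the checksum Cisco publishes for it before copying it to the appliance.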
08-27-2012 07:10 AM
Hi Tarik,
I just can't get RADIUS to work the way it used to in ACS 4.2. It is as if RADIUS is dedicated to Default Network Access as opposed to Default Network Admin. Even when I let RADIUS be used for Default Network Access, I was not able to associate a shell profile that allows priv-level 15. In ACS 4.2, if you are in the admin group you just see the switch# prompt, but in ACS 5.3 if you use RADIUS you will be at the switch> prompt. How do I go about solving this? The other problem I am facing is, when my two ACS instances are standalone they work fine, but as soon as I make one of them secondary, the secondary can't authenticate against the RSA server; it just authenticates only local users. Why is that so? I believe if we can solve this I am ready to go into production with 5.3.
Thanks,
Kerim
08-27-2012 09:33 AM
Kerim,
I just can't get RADIUS to work the way it used to in ACS 4.2. It is as if RADIUS is dedicated to Default Network Access as opposed to Default Network Admin.
You are correct, the Default Network Access template is for RADIUS-based authentication; you cannot assign a shell profile since that is for TACACS. When you create a new access service it uses either a TACACS or a RADIUS template.
Even when I let RADIUS be used for Default Network Access, I was not able to associate a shell profile that allows priv-level 15.
Make sure that your authorization profile has the right cisco-av-pair assigned (shell:priv-lvl=15).
In ACS 4.2, if you are in the admin group you just see the switch# prompt, but in ACS 5.3 if you use RADIUS you will be at the switch> prompt.
If you are passing the attribute above, make sure that the command "aaa authorization exec default group radius" is configured.
How do I go about solving this? The other problem I am facing is, when my two ACS instances are standalone they work fine, but as soon as I make one of them secondary, the secondary can't authenticate against the RSA server; it just authenticates only local users. Why is that so? I believe if we can solve this I am ready to go into production with 5.3.
I cannot think of why this is the case right off the top of my head. Your best bet for this issue is to open a TAC case to have them set up a WebEx and take a look. I am sure it is something simple, but WebEx is the fastest method because of all the different pieces it takes to make this work.
Thanks,
Tarik Admani
*Please rate helpful posts*
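The two halves of the fix above, as an added example that is not part of the thread: the IOS side needs an exec authorization list that asks RADIUS, and the ACS side needs the cisco-av-pair returned on the RADIUS Attributes tab of the authorization profile (ACS 5.x has no shell profile for RADIUS; shell profiles belong to TACACS+ access services). The server address 192.0.2.10, the shared secret and the user name are placeholders; the "!" lines are annotations.

```text
! --- IOS switch side, added example. 192.0.2.10, the key and the user name are placeholders.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedSecret
!
! Authenticate logins against ACS; "local" only applies when no RADIUS server answers
aaa authentication login default group radius local
!
! Without this list the shell:priv-lvl=15 attribute ACS returns is never applied
! and the session lands at the ">" prompt
aaa authorization exec default group radius local
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
!
! --- ACS 5.3 side (GUI), added example:
! Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles
!   > <profile> > RADIUS Attributes tab:
!   Dictionary Type: RADIUS-Cisco   RADIUS Attribute: cisco-av-pair
!   Attribute Type: String          Attribute Value (Static): shell:priv-lvl=15
! Then reference that profile in Access Policies > Default Network Access > Authorization
! for the rule that matches your network-admin identity group.
!
! --- Checks from the switch:
! test aaa group radius kerim <password> new-code    (prints the attributes ACS returned)
! show privilege                                     (expect "Current privilege level is 15")
```

Keep the "local" fallback on both lists and a local user with a strong password: if the authorization list has no fallback and every RADIUS server is unreachable, nobody can get an exec shell on the device.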
08-27-2012 12:24 PM
Hi Tarik,
It all worked out well. Thanks much!
08-27-2012 01:35 PM
Hi Tarik,
When I thought I was done, I realized I forgot the VPN users. We are using a Cisco VPN concentrator and we have address pools configured on ACS 4.2. I realized when I did the migration to 5.3 that the address pools did not migrate. Is this because 5.3 operates differently? Do I have to create the pools manually? Just give me something to kickstart me.
Thanks Tarik
08-27-2012 04:09 PM
Hi Mohammed,
ACS 5 does not have the IP pools feature. Logically it's always good to set up pools locally on the VPN server, and if you want a user to pick an IP from a specific local pool you can configure ACS to push that attribute.
On ACS Go to > Policy Elements -> Network Access -> Authorization Profiles -> Create ->
Name of the Policy ->Dictionary Type: Radius-Cisco VPN 3000/ASA/PIX7.x
Attribute Type : CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools
Attribute Type: String
Attribute Value : Static MYPOOL (Name of the Pool which is defined on the ASA)
Access Policies ->Default Network Access -> Authorization -> Create -> Under result section call the Authorization profile.
Hope that helps!
Regards,
~JG
DO rate helpful posts
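The headend side of the setup above, as an added example that is not part of the thread: the pool lives on the ASA, and the only thing ACS sends is the pool name in the Group-Based-Address-Pools attribute, so that name has to match the "ip local pool" name exactly. Addresses, the shared secret and the tunnel-group / group-policy names are placeholders; the "!" lines are annotations.

```text
! --- ASA side, added example. Addresses, names and the key are placeholders.
ip local pool MYPOOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
!
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key RadiusSharedSecret
 authentication-port 1812
 accounting-port 1813
!
tunnel-group VPNUSERS type remote-access
tunnel-group VPNUSERS general-attributes
 authentication-server-group ACS
 default-group-policy VPNPOLICY
!
! No "address-pool" on the tunnel-group or group-policy here: the pool is chosen per
! user/group by what ACS returns. Address assignment from AAA must stay enabled
! (it is on by default); confirm with:
!   show run all vpn-addr-assign      (expect "vpn-addr-assign aaa")
!
! --- ACS 5.3 side (GUI), as in the reply above:
!   Dictionary Type: Radius-Cisco VPN 3000/ASA/PIX7.x
!   Attribute: CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools   Type: String
!   Value (Static): MYPOOL
!
! --- Check after a test login:
!   show vpn-sessiondb remote     (or "show vpn-sessiondb anyconnect")
!   the Assigned IP must fall inside 10.10.10.10-10.10.10.100
```

If the name in ACS does not match a pool on the ASA, the client authenticates but receives no address and the tunnel fails; "debug radius" on the ASA shows the attribute value as received, which is the quickest way to spot a typo.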