Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About drstanic
08-10-2018
drstanic
Member since
06-07-2011
Cisco Employee
Created by
drstanic
in Security Documents
in Security Documents
10-30-2012
10:29 PM
10-30-2012
10:29 PM
The Monitoring and Reports part of ACS 5.x contains information about the incoming authentication requests (TACACS+ and RADIUS) also information about the health of each ACS node in the deployment. The Monitoring and Report Dashboard gives us a quick and easy way to get to both authentication and health information. Out of the box, the Monitoring and Reporting dashboard is populated with the “Top 5 Alarms” and “My Favourite Reports” applications (more applications can be added by clicking on the “Configure” button in the top right-hand corner of the dashboard). One of the more common alarms that appears in the “Top 5 Alarms” list is the “delete 20 000 sessions” alarm. At first glance the alarm name may give the impression that the ACS is deleting key information or perhaps that it’s unexpectedly kicking off 20 000 users. So, what does this alarm really mean? This alert is informational and is generated because the ACS View keeps track of authentication sessions. The ACS View maintains all the sessions (RADIUS/TACACS Authentication/Authorization/Accounting). It can keep only 250,000 sessions at a time. Whenever it crosses 250k, it will try to delete 20k sessions, and will send an alarm (the one that you see on the ACS Dashboard). The ACS normally keeps track of the session authentications by following accounting records ACCOUNT_START and ACCOUNT_STOP. However, if ACS View does not get ACCOUNT_STOP records, the number of sessions will not be decreased. As a result, any active sessions for which the ACS View does not receive an ACCOUNT_STOP will remain and then expire after two days. This is covered in the doc Secure Access Control System 5.x and Later FAQ.
... View more
Labels:
10-10-2012
09:55 PM
Hi John, You can enable password expiry for the users that login for the first time so that they are asked to change their password when they login for the first time. For this, you will have to enable 'Password Aging Rules' on the ACS (this is applied on a group basis). To enable Password Aging Rules: ACS > Group Setup > Select the group and click edit settings >Password Aging Rules > check the 'Apply password change rule' box This will force the user to change the password on the first log-in after an administrator has changed it. Please note that if you do not see the option 'Password Aging Rules', then you will have to enable it from: Interface Configuration > Advanced Options > Group-Level Password Aging. Just as an FYI, support for ACS 3.3 ended in 2009. Reference: EOS/EOL Notice for ACS 3.3:http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps2086/prod_end-of-life_notice0900aecd80420b67.html ACS 5.3 also allows you to force users to change their password on the next login. In ACS 5.3 this setting is located on the users's password change page. To force a user to change their passwod on next login: Users and Identity Stores > Internal Identity Stores > Users Check the box next to the relevant username Click the "Change Password" button Check the box next to "Change password on next login" Click the "Submit" button Let me know if that helps. Regards, Dragana
... View more
09-07-2011
11:41 PM
Hi Daniele, I have seen the same issue with another customer - the problem is that you're using the "root" username. Root is the username that the Linux OS uses, and by setting "root" as the username when you go through the configuration process you end up limiting the permission for the root account. This is why the ACS never starts up. Could you please re-build the VM and re-install the ACS, but time user a different username (such as the default "admin"). Let me know how you go. Best regards, Dragana
... View more
Created by
drstanic
in Policy and Access
in Policy and Access
07-26-2011
04:55 PM
07-26-2011
04:55 PM
Hi Colin, Sorry, I missed the 2nd part of your question. I read the first part and understood it as a question about how to get the ACS to authenticate a user against a particular identity store depending on what the username was appended to (eg. @example.com). As far as I know, it is not possible to strip the @example.com part before authenticating against AD. However it is possible with LDAP: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1139926 If you don't mind me asking, what is the reason behind wanting to strip off the @example.com part when authenticating against AD? Best regards, Dragana
... View more
Created by
drstanic
in Policy and Access
in Policy and Access
07-25-2011
04:32 PM
07-25-2011
04:32 PM
Hi Colin, I believe this is what you're looking for: 1. Go to Access Policies > Access Services > Defaunt Network Access > Identity 2. Click on the radio-button for "Rule based result selection" (if not already selected). 3. Click on "Customize" (bottom right-hand corner of the GUI). A pop-up window will appear allowing you to select the conditions you would like to have available when creating the identity policies 4. Move the "Compound Condition" option from the Available list to the Selected list and then click "OK". 5. Click on "Create" (bottom left-hand corner of the GUI). A window will appear allowing you to create the identity policy. 6. Give the rule a name 7. Check the box next to "Compound Condition" 8. From the "Dictionary" drop-down list select "System" 9. Click on the "Select" button next to the "Attribute" field. Another window will pop-up with a list of available attributes. Select "UserName" and then click "OK". 10. From the "Operator" drop-down list select "ends with" 11. In the "Value" field enter "@example.com". 12. Click on the "Add \/" button to add the condition to the condition set. 13. In the "Results" section of the identity policy, click on the "Select" button next to the "Identity Source" field. A window will appear allowing you to select the Identity Store that you would like to authenticate against. Select the appropriate identity store and then click "OK". 14. Click "OK" on the Identity Policy. This will add the policy to the list and will take you back to the main ACS gui. 15. Click on "Save Changes" at the bottom of the GUI to save Identity Policy you've just created. Please let me know if this helps! Best regards, Dragana
... View more
07-12-2011
03:52 PM
Based on the previous comments, it looks like we've got a few number of ACS 5 instances that are running on ESX 4.1 without any problems. Can the other posters that are seeing problems with ACS 5 and ESX4.1 please confirm that the guest operating system on the VM has been set to"Other Linux (32-bit)"? Best regards, Dragana Please rate helpful posts
... View more
07-10-2011
05:15 PM
Hi everyone, The symptoms that deyster94 described (seeing a username and password prompt at the CLI and hence not being able to get into the "setup" mode) is usually seen when the VM has been configured with the wrong guest operating system. The correct guest operating system is "Other Linux (32-bit)". Could we confirm that the correct guest operating system has been selected for the VM? If it hasn't the VM will need to be deleted and then a new one created. Changing the guest operatins system on an existing VM often doesn't work (hence deleting and recreating is required). However, having said that, 3.5 or 4.0 are the officially supported versions of ESX. It doesn't mean that 4.1 can't be used but rather that the stability can't be guaranteed. Best regards, Dragana
... View more
06-23-2011
03:53 PM
Hi Angus, I believe that this is the information you are looking for: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1138165 The link above is from the "Managing Users and Identity Stores" section of the "User Guide for the Cisco Secure Access Control System 5.2". The full user guide is available here: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html Let me know if you have any further questions on this. Regards, Dragana
... View more
Created by
drstanic
in Security Documents
10-30-2012 10:29 PM
10-30-2012 10:29 PM
The Monitoring and Reports part of ACS 5.x contains information about
the incoming authentication re...
10-10-2012 09:55 PM
Hi John,You can enable password expiry for the users that login for the
first time so that they are ...
09-07-2011 11:41 PM
Hi Daniele,I have seen the same issue with another customer - the
problem is that you're using the "...
Created by
drstanic
in Policy and Access
07-26-2011 04:55 PM
07-26-2011 04:55 PM
Hi Colin,Sorry, I missed the 2nd part of your question. I read the first
part and understood it as a...
Created by
drstanic
in Policy and Access
07-25-2011 04:32 PM
07-25-2011 04:32 PM
Hi Colin,I believe this is what you're looking for:1. Go to Access
Policies > Access Services > Defa...
07-12-2011 03:52 PM
Based on the previous comments, it looks like we've got a few number of
ACS 5 instances that are run...
07-10-2011 05:15 PM
Hi everyone,The symptoms that deyster94 described (seeing a username and
password prompt at the CLI ...
Public Statistics
| Date Registered | 06-07-2011 03:04 PM |
| Date Last Visited | 08-10-2018 12:04 AM |
| Total Messages Posted | 7 |
