Cisco ACS Appliance 3.2.2

  1. #1
    Member
    Join Date
    Jul 2004
    Posts
    60

    Cisco ACS Appliance 3.2.2

    Does anyone here have any experience with the Cisco ACS Appliance ver. 3.2.2? I am currently assigned the task of setting this one up and configuring it to run TACACS+ on all the routers and switches on our network, but I'm having issues with serial connectivity. I got it configured and had been using the HTML interface to try working with the TACACS+ part of this task, but realized I need to get back on the console to make some changes, such as the IP address. Console sessions are unresponsive. I can reboot the hardware and watch the POST and other startup procedures of the appliance, but it never boots up to the login prompt. The HTML interface continued to work though.

    So I tried using the recovery CD to re-image the hard drive of the appliance. I figured I had nothing to lose, as it just had some test configs on it. Thought I could get it back to the way it was... Still won't boot up to a login prompt, and now no HTML interface because I re-imaged the HD... Any tips, pointers or experience with such issues?

    -_LeeBkr311_-

  2. #2
    Member
    Join Date
    Jul 2004
    Posts
    60
    Haven't gotten any replies... I'm assuming no one has worked with an ACS then... Well, the problem seems to have resolved itself... Every time we get that issue (only once since my first post), if we leave it alone for about 2 hours it will miraculously work... I'm going to try updating it and see if that helps... Thanks anyway though, guys.

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Have you contacted CISCO itself or looked for advice from the CISCO forums? It can be hard sometimes to find help for a specific thing in such a varied group. You might get some more luck in a more specific group like a CISCO-based forum. For more, check out this Google search.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I've never worked with the device in question.

    Might I suggest turning on debugging and log it to a syslog server?

    Then you can find out exactly what is going on... what's making it go down, come up, do nothing, etc.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I've used ACS but we ran it on an NT server.
    So I have no idea how the console of this appliance works.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Member
    Join Date
    Jul 2004
    Posts
    60
    I've tried a google search and CISCO's site but I didn't think to go to the forums on their site. LoL.

    The ACS appliance is actually a 1RU box with seemingly standard PC hardware (first thing I did was slide the cover off and take a look when I got it) running a hybrid OS of Cisco IOS/Windows 2000/Windows Server 2003.
    It's basically a stripped-out version of Windows with an interface nearly identical to IOS.
    Thanks though guys

    Oh, and one other thing: when I was having the problem I couldn't debug or anything like that because I couldn't bring up a connection to it. I now have it logging everything to an FTP server here on my desk. (The unit isn't being implemented yet; I have a network set up in my cube with the ACS unit, 2 2501 routers, a Catalyst 2950 switch, my FTP server and my laptop.)

  7. #7
    Member
    Join Date
    Jul 2004
    Posts
    60
    OK, I've come across a few new issues with the ACS, and I would like the opinions of those that have worked with the ACS. I need to configure the clients remotely by means of telnet. Part way through the config I lose my connection, because it then has to authorize to do further config commands, but not having logged in previously I need to reconnect. When I go to reconnect it authenticates with the ACS but for some reason won't authorize (I know this from logs on the ACS). Is there a last-resort command for if it can't authenticate? I haven't found one yet. I have made many attempts on the router but have never been able to get it working. On a test network everything worked, but I was configuring through a console cable at the time. The following are the steps I take each time to set up the client (I chose to start with a router that is only a few miles away so I can go there and fix it if things go wrong, but I won't be able to do that when I'm trying to do this to routers in Leeds or Madrid or Melbourne, etc.):

    reload in 000:30
    config t
    aaa new-model
    tacacs-server host XX.X.XX.XX single-connection
    tacacs-server key XxXxXxXxX
    tacacs-server timeout 20
    aaa authentication login default tacacs+ enable
    aaa authentication enable default tacacs+ enable
    aaa authorization network default tacacs+
    aaa authorization exec default tacacs+
    aaa authorization config-commands
    aaa authorization commands 15 default tacacs+
    aaa accounting commands 15 default start-stop tacacs+
    aaa accounting exec default start-stop tacacs+
    aaa accounting nested
    aaa accounting connection default start-stop tacacs+
    aaa accounting network default start-stop tacacs+
    aaa accounting system default start-stop tacacs+
    aaa accounting update newinfo

    Any ideas what the problem is? Or any tips?
    Thanks ahead of time, guys!
    -_LeeBkr_-

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Maybe this link will shed some light on the subject:

    http://www.cisco.com/en/US/products/...80204528.shtml

  9. #9
    Member
    Join Date
    Jul 2004
    Posts
    60
    The question is what would cause the ACS to authenticate the client but not authorize it when the user has full permissions. It doesn't even let me get close to privileged EXEC mode. Why isn't it authorizing? It can connect to the ACS; I know that from the logs... But it declines the authorization for this reason:

    08/03/2004 16:33:52 Authen OK bakerd Global 10.X.X.X tty6 10.X.X.X
    08/03/2004 16:33:52 Author failed bakerd Global 10.X.X.X .. Service denied service=shell cmd* tty6 10.X.X.X

    The user bakerd has a max enable privilege of 15 on all NDGs, and it is already set up to require authentication and authorization on login....

    Is there something I'm missing....

    The only thing I found on the link you posted was about setting up AAA on the VTY lines... Do I have to do that? When I set the ACS up on a test network I never had to change AAA settings on VTY lines.
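An added example, not from the thread or from Cisco: the two ACS lines above are the telling pair, since authentication succeeded and then authorization of the exec service (`service=shell`) was denied, which is a different failure from a wrong password. The Python below parses report lines in that layout and flags an `Author failed` that follows an `Authen OK` for the same user from the same NAS within a few seconds. The column layout (date, time, status, user, group, NAS address, detail) is assumed from the excerpt, and the extra lines in `SAMPLE_LOG` are constructed for contrast.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same layout as the ACS excerpt in the post:
# date, time, status, user, group, NAS address, then free-form detail.
# Lines 1-2 are the pair from the post (placeholder addresses kept as
# written); lines 3-5 are made up: a bad password, a later clean login,
# and a stale denial that should NOT be paired with that login.
SAMPLE_LOG = """\
08/03/2004 16:33:52 Authen OK bakerd Global 10.X.X.X tty6 10.X.X.X
08/03/2004 16:33:52 Author failed bakerd Global 10.X.X.X .. Service denied service=shell cmd* tty6 10.X.X.X
08/03/2004 16:35:10 Authen failed intruder Global 10.X.X.X CS password invalid tty7 10.X.X.X
08/03/2004 16:40:00 Authen OK bakerd Global 10.X.X.X tty8 10.X.X.X
08/03/2004 16:50:00 Author failed bakerd Global 10.X.X.X .. Service denied service=shell cmd* tty8 10.X.X.X
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>Authen OK|Authen failed|Author OK|Author failed) "
    r"(?P<user>\S+) (?P<group>\S+) (?P<nas>\S+)\s*(?P<detail>.*)$"
)


def parse_line(line):
    """Parse one report line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                  "%m/%d/%Y %H:%M:%S")
    return rec


def parse_log(text):
    """Parse every matching line, keeping report order."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def find_authz_denials(records, window_seconds=5):
    """Return (user, nas, service) for each 'Author failed' that follows an
    'Authen OK' for the same user and NAS within window_seconds.

    A pair like that means the credentials are fine and the ACS user/group
    policy is refusing the requested service, which is the case to look at
    on the ACS side rather than at passwords or the shared key."""
    last_authen_ok = {}
    findings = []
    for rec in records:
        key = (rec["user"], rec["nas"])
        if rec["status"] == "Authen OK":
            last_authen_ok[key] = rec["ts"]
        elif rec["status"] == "Author failed":
            ok_ts = last_authen_ok.get(key)
            if ok_ts is not None and rec["ts"] - ok_ts <= timedelta(seconds=window_seconds):
                svc = re.search(r"service=(\S+)", rec["detail"])
                findings.append((rec["user"], rec["nas"],
                                 svc.group(1) if svc else "?"))
    return findings


if __name__ == "__main__":
    for user, nas, service in find_authz_denials(parse_log(SAMPLE_LOG)):
        print(f"{user}@{nas}: authenticated, but ACS denied service={service}")
```

Run against a real Failed Attempts / Passed Authentications export the columns will be tab-separated and may carry more fields, so widen the pattern before relying on it; the correlation logic itself does not change.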

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You should also protect your VTYs. It's no use if you've only protected your console connection and some user just telnets to your router and is allowed to enter.

    So if I understand correctly the authentication succeeds but there's no authorization to do anything?

    Authorization is controlled by the ACS server. You probably need to take a closer look at the account you've created on the ACS server.

    Another link for ya
    http://www.cisco.com/en/US/tech/tk58...094ea4.shtml#d
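An added example, not the poster's config and not Cisco's documentation: the AAA setup from post #7 rewritten with a local fallback method on each list and applied explicitly to the VTY lines, which covers both the dropped telnet session and the point about unprotected VTYs. The server address 10.0.0.5, the key TACACSKEY and the user `rescue` are placeholders. Two assumptions are marked in comments: that the block is pasted in one go rather than typed line by line from a session that never authenticated through AAA, and that the IOS on the 2501 accepts the `group tacacs+` method keyword (the bare `tacacs+` form in the post is the older spelling of the same method).

```ios
! Added example, not the poster's config. Placeholders: 10.0.0.5 (ACS),
! TACACSKEY (shared key), "rescue" (local fallback account).
!
! Safety net first: if the session is lost, the router reloads to the
! saved startup-config after 30 minutes.
reload in 000:30
!
! Assumption: everything from here to "end" is pasted as one block.
! Entering "aaa authorization ..." lines one at a time from a session
! that was never authenticated through AAA is what drops that session.
configure terminal
!
! Fallback account, only consulted when no TACACS+ server answers.
username rescue privilege 15 secret <strong-password>
enable secret <strong-enable-password>
!
aaa new-model
tacacs-server host 10.0.0.5 single-connection
tacacs-server key TACACSKEY
tacacs-server timeout 5
!
! "local" after "group tacacs+" is reached only when the server does not
! respond; an explicit deny from ACS is still a deny.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Apply the lists on the remote-access lines as well as the console.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
line con 0
 login authentication default
end
!
! Verify from a SECOND session before cancelling the reload:
!   show tacacs
!   debug aaa authorization      (then "undebug all")
! Only then:
reload cancel
copy running-config startup-config
```

On the ACS side, the `Service denied service=shell` entry means the appliance refused the exec (shell) service request, not the password. In ACS 3.x that service is granted per user or group under the TACACS+ settings (the Shell (exec) service with a privilege level), and once `aaa authorization commands 15` is on, the group also needs a shell command authorization set that permits the commands you expect to type. The `local` fallback above does not work around an ACS deny; it only keeps you out of a lockout when the server is unreachable.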
