This document answers some frequently asked questions about Cisco
Secure Access Control Server (ACS) for Windows.
Does the 64-bit operating system work with ACS products?
A. Yes. ACS 4.2.1 adds 64-bit Windows support for ACS for Windows and the ACS
remote agent. ACS versions prior to 4.2.1 do not support 64-bit operating systems.
Is the authorization command supported in ACS Express?
A. No. The authorization command is available only with ACS (not with ACS Express).
Does VMware ESX Server support Windows ACS 4.1 and 4.2?
A. ACS 4.1 and 4.2 have been tested on VMware ESX Server with this configuration:
VMware ESX Server 3.0.0
16 GB of RAM
AMD Opteron Dual Core processor
300 GB hard drive
Four virtual machines
Windows 2003 Standard Edition
3 GB of RAM for the guest operating system
When was Point-to-Point Tunneling Protocol (PPTP) with Microsoft
Point-to-Point Encryption (MPPE) keying support added to Cisco Secure ACS for
Windows?
A. ACS version 2.6 requires Microsoft Challenge Handshake Authentication
Protocol (MS-CHAP) authentication if MPPE keying (encryption) is to be done.
Earlier versions can authenticate PPTP sessions, but support for MPPE keying was
not added until ACS version 2.6.
Does ACS support Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)?
A. ACS versions before 3.0 support MS-CHAP version 1 only. ACS versions 3.0 and
later support MS-CHAP versions 1 and 2.
Is it possible to use ACS RADIUS in order to configure authentication for
the Cisco VPN Client?
A. Yes. It is possible to use RADIUS on ACS version 5.2 in order to
configure authentication for the Cisco VPN Client. ACS version 5.0 does not
support the use of RADIUS to configure authentication for the Cisco VPN Client.
Can Security Dynamics International (SDI) and ACS be installed on the
same machine?
A. Yes. ACS and the SDI ACE server can run on the same machine. A
client-server arrangement is also possible, with ACS and the ACE client on one
machine and the ACE server on another.
What are the differences between Password Authentication Protocol (PAP)
and Challenge Handshake Authentication Protocol (CHAP)? Why can CHAP not be
used with the NT database?
A. PAP sends the password in the clear between the user and the TACACS+ or
RADIUS client (the NAS or device). If the password is correct, the
authentication is acknowledged. Otherwise, the connection is terminated.
CHAP sends a challenge message to the remote user. The remote user
responds with a value calculated from the challenge and the secret with a
one-way hash function. The client or device (or the AAA server behind it)
checks the response against its own calculation of the expected hash value. If
the values match, the authentication is acknowledged. Otherwise, the connection
is terminated. The password itself is never sent on the wire.
CHAP cannot be used with the NT database because of the CHAP
requirement stated in RFC 1994:
"CHAP requires that the secret be available in plaintext form.
Irreversibly encrypted password databases commonly available cannot be used."
The NT database stores only one-way hashes, which generally precludes its use
for CHAP. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is
the exception, because its response is computed from the stored NT hash rather
than from the plaintext password.
Microsoft offers a hotfix that provides a workaround for Microsoft
Windows NT user databases: it allows user passwords to be stored in plain text
(reversible) form. Be aware that this exposes every affected domain password to
anyone who can read the account database or its backups. For additional
information, refer to CHAP
IAS (NT4.0 RADIUS Server) Authentication to Windows NT4.0 Domain
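The following added Python example (not from the Cisco document) shows the two
verification models described above: a CHAP authenticator that must hold the
secret in plaintext to recompute MD5(Identifier || secret || Challenge) per
RFC 1994, with single-use challenges so a captured response cannot be replayed,
and a PAP verifier that receives the cleartext password and can therefore check
it against an irreversibly hashed store. The user name, secret and the salted
PBKDF2 store are assumptions made for the example; ACS itself does not use
PBKDF2.

```python
import hashlib
import hmac
import os

# Assumed sample credentials for this example (not from the page).
PLAINTEXT_SECRETS = {"alice": b"s3cret-pass"}  # what CHAP needs the server to hold


def chap_response(identifier, secret, challenge):
    """Peer side of RFC 1994: Response = MD5(Identifier || secret || Challenge).

    The secret never leaves the peer; only the 16-byte digest is sent.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side: issues fresh challenges and checks responses.

    It must hold each user's secret in plaintext, because it has to
    recompute MD5(id || secret || challenge) itself.
    """

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}  # identifier -> outstanding challenge

    def challenge(self, identifier):
        challenge = os.urandom(16)
        self.pending[identifier] = challenge
        return challenge

    def check(self, identifier, user, response):
        # A challenge is single use: popping it makes a replayed response fail.
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


# PAP by contrast: the password itself arrives at the server, so the server
# can verify it against an irreversibly hashed store (as the NT database is).

def pap_enroll(password, salt=None):
    """Store only a salted one-way hash of the password (assumed store format)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(stored, password):
    """Check a cleartext PAP password against the hashed store."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    auth = ChapAuthenticator(PLAINTEXT_SECRETS)
    ident = 1
    chal = auth.challenge(ident)
    resp = chap_response(ident, b"s3cret-pass", chal)
    print("CHAP first response accepted:", auth.check(ident, "alice", resp))    # True
    print("CHAP replayed response accepted:", auth.check(ident, "alice", resp))  # False
    store = pap_enroll(b"s3cret-pass")
    print("PAP against hashed store:", pap_verify(store, b"s3cret-pass"))       # True
```

Note that nothing in the CHAP path can be made to work from the hashed store
used by pap_verify: without the plaintext secret there is nothing to hash
together with the challenge, which is exactly the RFC 1994 restriction quoted
above.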
Does ACS act like a proxy server to other AAA servers?
A. Yes. ACS receives authentication requests from the network access
servers (NASes) and forwards them to other servers. You need to define the
other servers on the source: select Network Configuration > AAA Servers. On
the target, the source server is defined as a TACACS+ or RADIUS AAA client
(NAS). Once both are defined, configure the Distributed System Settings under
Network Configuration on the source in order to define the Proxy Distribution
Table entries that decide which requests are forwarded.
Is there a limit on the number of network access servers that are
supported by ACS?
A. There is no fixed limit; the number is bounded only by what the Windows
registry can hold, which is estimated at thousands of devices. NAS information
is not stored in the ACS database but in the registry. Therefore, the
csutil -d command, which dumps the database, does not back up any NAS
information.
Where is the user information in ACS stored?
A. ACS has its own proprietary database. It is stored in multiple files.
Is domain stripping supported with ACS?
A. Yes. ACS supports domain stripping. This is useful when there is a mix of
Virtual Private Dialup Network (VPDN) and non-VPDN users.
Another use for domain stripping is when an external NT database is
used for authentication. The first time a user logs in, the user name is
auto-populated in ACS. Because the same user may come in as DOMAIN_A\user or as
user, names can appear in ACS as "DOMAIN_A\user" and as "user", which leaves
both entries in the database. Domain stripping avoids the duplicates: the
domain prefix and its \ delimiter are removed so that the database stays
consistent. In order to set this up, select Network Configuration > Proxy
Distribution Table.
What is relational database management system (RDBMS) synchronization?
A. ACS can synchronize its database with an external RDBMS, such as Oracle,
and through it keep two systems that use any RDBMS in step.
How is the CRYPTOCard software handled in ACS version 3.0 and later?
A. In ACS versions 3.0 and later, the CRYPTOAdmin server component is
removed from ACS. Any future licenses, free or otherwise, must be obtained
directly from CRYPTOCard.
Is DHCP relay supported on the ACS?
A. No. DHCP relay is not supported on the ACS.
Can I change the hostname of the ACS server running on Windows?
A. No. It is not possible to change the hostname of the ACS server running
on Windows. By default, ACS takes the Windows server name as its own hostname.
Is ACS supported on Windows Server 2008?
A. Yes. ACS is supported on Windows Server 2008 from ACS 4.2 Patch 4 onward.
Refer to the section on Active Directory 2008 Supported Scenarios in the
Release Notes for Cisco Secure ACS 4.2 for more information.
Is SNMP supported on ACS for Windows?
A. No. SNMP is supported only on the ACS appliance. Refer to the section on
SNMP support in the Interoperable Devices and Software Tables for Cisco Secure
ACS.
Is IPv6 supported on ACS?
A. No. IPv6 is not supported on ACS.
Is the PEAP-TLS feature supported on ACS?
A. No. PEAP-TLS is not supported on ACS.
TACACS+ and RADIUS Related Issues
Does ACS have any RADIUS support?
A. The degree of RADIUS support depends on the version of ACS. Request For
Comments (RFC) 2138 (RADIUS) and RFC 2139 (RADIUS Accounting) are always
supported, as are Cisco IOS® Software vendor-specific attributes (VSAs). For the
RADIUS dictionaries offered in a particular version, select Network
Configuration > Network Device Groups > AAA Clients and look at the RADIUS
options available for an AAA client.
Is ACS able to proxy between RADIUS and TACACS+, translating one protocol to
the other?
A. No. ACS proxies from RADIUS to RADIUS or from TACACS+ to TACACS+, but it
cannot proxy between dissimilar protocols.
How do I assign Domain Naming System (DNS) and Windows Internet Naming
Service (WINS) server IP addresses for PPP connections from ACS using TACACS+?
A. You can specify DNS and WINS server IP addresses from ACS on a per-user
basis or for a group of users by adding these lines as custom attributes of the
PPP IP service in the group setup:
dns-servers = 10.1.1.1 10.1.1.3
wins-servers = 10.1.1.5 10.1.1.16
How do I assign Domain Naming System (DNS) and Windows Internet Naming
Service (WINS) server IP addresses for PPP connections from ACS using RADIUS?
A. You can specify DNS and WINS server IP addresses from ACS on a per-user
basis or for a group of users by adding the equivalent lines under Cisco RADIUS
Attributes as AV pairs in the group setup.
How do you change the port on which the RADIUS server listens?
A. Since version 2.5, ACS listens on both the legacy and the IANA-assigned
RADIUS ports: User Datagram Protocol (UDP) 1645 and 1812 for authentication and
UDP 1646 and 1813 for accounting.
If you use an older version, change the listening ports by editing the
attribute values of the proper key in the Windows Registry. The same values
can be changed in newer versions:
AccountingPort = 1646
AccountingPortNew = 1813
AuthenticationPort = 1645
AuthenticationPortNew = 1812
Because both port pairs are open, any host-based or network firewall rule for
ACS must allow (or deliberately block) all four.
Can I change the default port for TACACS+ to a value other than TCP 49?
A. Yes. Change the default value of the port for the TACACS+ service by
editing the attribute values of the proper key in the Windows Registry. The AAA
clients must then be configured to use the same port.
I do not want the administrative overhead of having to list all the
network access servers (NASes) in my network, and they all have the same
tacacs-server keys. How do I set up a default key to use with my NASes?
A. Add a default NAS in the NAS configuration area by leaving the host
name and IP address blank and entering only the key, then click Submit. The
entry then appears in the list as NAS others.
Note: This procedure works only for TACACS+, not for RADIUS. Note also that
one key shared by every device means that compromise of any one device exposes
the key used by all of them.
I want a device to "speak" both TACACS+ and RADIUS with ACS for
authentication: one for dial and the other for router management. How can I do
this?
A. Configure a default network access server (NAS) for TACACS+ as described
in the previous question, and then define the NAS explicitly for RADIUS. The
NAS sends RADIUS dial requests to ACS on the RADIUS port if the
aaa authentication ppp default if-needed radius command is configured.
The NAS sends TACACS+ router-management requests to ACS on the TACACS+
port if the aaa authentication login default tacacs+ command is configured.
Authentication Related Issues
What do I need to check when users are unable to authenticate against the
Windows NT database?
A. Complete these steps in order to troubleshoot the problem:
Check whether you can authenticate the user on the local domain. To verify
this, select Start > Shutdown > Close all programs and log on as a different
user, and log on as the user in question. If the user cannot authenticate on
the local domain, ACS cannot authenticate the user either.
If you have selected Verify grant dialin permission for the users in the
Cisco Secure database configuration, check that dialin permission is granted
for this user in the NT database.
If this is a dial connection, make sure that Password Authentication
Protocol (PAP) or Microsoft Challenge Handshake Authentication Protocol
(MS-CHAP), not CHAP, is configured on the router and the client.
What do I need to check when users are unable to authenticate against the
Novell Directory Services (NDS) database?
A. Check that the tree name, context name, and container name are all
specified correctly. Start with one container where users are present; you can
add more containers later.
If that succeeds, check on the NAS whether you can authenticate a shell
(Telnet) user. Also ensure that Password Authentication Protocol (PAP)
authentication is configured on the NAS for PPP.
How can I troubleshoot a Security Dynamics International (SDI)
authentication problem?
A. Complete these steps in order to troubleshoot an SDI authentication
problem:
Authenticate the user with the ACE test authentication on the ACE server.
If this works, confirm that the card is synchronized with the database.
Ensure that Data Encryption Standard (DES) encryption (not the SDI option) is
selected on the SDI server when the card is initialized.
Bring up the activity monitor on the ACE server while you attempt
Telnet authentication to a device.
Check for any errors on the activity monitor on the ACE server.
If the ACE server works but there is a problem with dial users, check the
settings on the network access servers (NAS) to ensure that Password
Authentication Protocol (PAP) is configured. Then try to connect as a non-SDI
user.
If this works, connection as an SDI user is expected to work. Enter the
user name in the user name field and the passcode in the password field on the
client.
If the client from which you dial is configured to bring up a post-dial
terminal window, ensure that these authentication, authorization, and
accounting (AAA) commands are configured on the NAS:
aaa authentication login default
aaa authentication ppp default if-needed
The key is if-needed: the user has already been authenticated at the login
prompt by the first command, so PPP does not authenticate again and the
one-time passcode is not requested a second time. This also applies when you
use a normal PAP password.
My ACS authentication does not work for multilink services. What do I
need to do?
A. Select Interface Configuration > TACACS+ (Cisco) > Add New Service.
Assign ppp as the service and multilink as the protocol.
Note: ppp and multilink are lowercase.
What is the CRYPTOAdmin Authentication Server license policy for Cisco
Secure ACS?
A. A full description of the license terms and conditions and future
upgrades can be obtained by sending an e-mail to email@example.com; the product
code to use as a reference is CA5.1SC. A CRYPTOAdmin Server software evaluation
package, which includes a time-limited license and software tokens, can be
obtained from CRYPTOCard's download site.
When I turn on enable authentication in the switch or router with
commands such as aaa authentication enable default tacacs+
or set authentication login tacacs enable telnet
primary, I am locked out of enable mode and receive the
Error in authentication error message on the
router. What do I need to do?
A. Check the Failed Attempts log in ACS. If the log says CS password
invalid, it may be that no separate enable password has been set up for the
user. This is required when you configure enable authentication. If you do not
see Advanced TACACS+ Settings in the user options, select Interface
Configuration > Advanced Configuration Options > Advanced TACACS+ Features and
select that option so that the TACACS+ settings appear in the user settings.
Then select Max privilege for any AAA Client (usually 15) and enter the TACACS+
Enable Password that you want the user to have for enable.
How do I determine what the 'Authen failed' message type means?
A. Note the date and time of the message, go to the CSAuth log file, and
search for that date and time. A more detailed explanation of the failure is
recorded there.
The user is unable to authenticate against a sub-domain using ACS Express.
Why does this occur?
A. This issue occurs when the user does not provide a domain name. If the
domain name is not provided, ACS Express attempts to append the name of the
domain to which the ACS Express is joined. If a user resides in a sub-domain
and the ACS Express is joined to a parent domain, the user needs to provide a
fully qualified domain name in the user name at authentication.
Does ACS support QoS in authentication so that RADIUS can be prioritized
over TACACS+?
A. No. ACS does not support QoS in authentication. ACS does not prioritize
RADIUS authentication requests over TACACS+ requests or TACACS+ requests over
RADIUS.
Accounting Related Issues
ACS accounting displays the message NAS reset. What can cause this message
to appear?
A. The NAS reset message can be caused by a reboot of the device or by the
tacacs-server host #.#.#.# single-connection command in Cisco IOS Software,
which keeps one TCP connection open to ACS so that each teardown of that
connection is reported as a reset. If the device did not reboot, issue the
tacacs-server host #.#.#.# command (without single-connection) in order to
change the configuration and eliminate the message.
Can I send accounting information to another system and also have a copy
on the local system?
A. Yes. Choose System Configuration > Logging in order
to configure this option.
Does Cisco recommend a software application that can be used to do
reporting on accounting logs available in ACS?
A. The ACS accounting logs are recorded in one of two formats:
CSV files—The comma-separated value (CSV) format
records data in columns separated by commas. This format is easily imported
into a variety of third-party applications, such as Microsoft Excel or
Microsoft Access. After data from a CSV file is imported into such an
application, you can prepare charts or perform queries, for example to
determine how many hours a user was logged in to the network during a given
period.
ODBC-compliant database tables—Open database
connectivity (ODBC) logging allows you to configure ACS to log directly into an
ODBC-compliant relational database, where information is stored in tables, one
table per log. After the data is exported to the relational database, use the
data in any way you need.
With either method, software that parses logs is widely available.
However, Cisco does not recommend a particular vendor.
Does Monitoring, Analysis, and Response System (MARS) parse ACS accounting
information (for example, configuration changes)?
A. Unfortunately, current MARS support has no parsing capability for
anything other than the Failed Attempts, Passed Authentications, and RADIUS
Accounting logs.
In ACS 5.0, ACS View is the vehicle for ACS monitoring and reporting rather
than MARS.
Backup Related Issues
How do I back up ACS?
A. You can back up ACS through the GUI, from the System Configuration tab,
or from the command-line interface (CLI). The GUI backup covers users, groups,
and registry settings. From the CLI, issue these commands:
For a dump of users and groups: csutil -d
For a backup of users, groups, and registry settings:
For more information on how to perform an ACS backup, refer to
How to backup the
Cisco Secure ACS for Windows database.
Can I use the backup utility on one ACS and then restore the information
on another server?
A. No. The backup utility is intended to save the user, group, and
registry information from one ACS server and restore it to the same server
running the same software version. If you need to clone an ACS server, use
replication instead.
If you need to copy only users and groups from one server to another,
issue the csutil -d command. Copy the resulting dump text (.txt) file to the
target server, then issue the csutil -n -l command there in order to
initialize the database and import the users and groups. The dump file
contains every user account, so protect it in transit and delete it after the
import.
I get the CSBackupRestore(OUT) cannot save reg key error message when I
try to back up the data on ACS. Why does this error occur?
A. This error occurs when the disk on which ACS is installed is completely
full or write protected. Make sure that there is enough free disk space and
that the disk is not write protected so that the error does not recur.
Password Related Issues
With Cisco Secure you can force users to change their passwords after a
given time period. Can you do this when you use the Windows NT database for
authentication?
A. This feature is available in all versions when you use the Cisco Secure
database for authentication. Versions 3.0 and later add support for Microsoft
Challenge Handshake Authentication Protocol (MS-CHAP) Version 2 and MS-CHAP
password aging. This works with the Microsoft Dial-Up Networking client, the
Cisco VPN Client (versions 3.0 and later), and any desktop client that supports
MS-CHAP. The feature prompts the user to change the password after a login with
an expired password. MS-CHAP-based password aging supports users who
authenticate with a Windows user database and is offered in addition to the
password aging supported by the Cisco Secure user database. The feature was
added in ACS 3.0, but it also requires device or client support, which Cisco
Systems is gradually adding to various products.
How do users change their own passwords?
A. Users are notified when their Cisco Secure database passwords expire on
dial connections if the Cisco Secure Authentication Agent is on the PC. Once
the users are on the network, they use the User Changeable Password software,
which runs with Microsoft IIS: they point their browsers at the system where
User Control Point (UCP) is installed and change their passwords there.
What encryption algorithm is used to store ACS passwords?
A. Passwords are encrypted with the Microsoft Crypto API Base Cryptographic
Provider version 1.0, using the RC2 algorithm with a 40-bit key. A 40-bit key
(about 10^12 possibilities) is not a meaningful barrier to offline brute force,
so the real protection is the Windows access control on the ACS database files
and registry, and on any backups and csutil dumps taken from them. For further
information, refer to
Databases - About the Cisco Secure User Database.
Default settings allow users to change their own passwords by connecting
to the router via Telnet. How do I disable this option?
A. In order to prevent users from changing their passwords through Telnet,
complete these steps:
Back up the local registry.
Go to the registry key for the CSTacacs service.
Highlight CSTacacs, right-click, and select New > DWORD Value in order to
add a registry value.
When the new value appears in the right-hand pane, name it
disablechangepassword.
The default value is 0, which allows users to change the password.
Right-click the new value, select Modify, and change the value to 1 in order to
disable the ability to change the password.
After you add this new value, restart the CSTacacs and CSAuth services.
TACACS+ Password Aging Rule does not work with SSH when Apply password
change rule is set. How do I deal with this?
A. Use Telnet for the login that changes the password.
TACACS+ user password changes during login, for example before expiry, do
not work with SSH. The problem lies in how the TACACS+ AAA server and SSH
establish the session; it does not affect RADIUS or Telnet sessions.
TACACS+ provides a feature where a blank password supplied to the AAA
server triggers a password change sequence: the server requests the old
password and then the new one, and the outcome depends on whether the new
password is accepted or rejected.
Use Telnet if a password needs to be changed before expiry. For expired
passwords, SSH behaves correctly because the expiry itself triggers the change
sequence.
When a user Telnets to a router, the user can simply press Enter at the
Password: prompt in order to initiate the change password sequence, and can be
notified that the password is expiring or has expired. This does not work when
the user connects to the router through SSH.
How do I recover the password for the Cisco Secure ACS Solution Engine?
A. For the step-by-step procedure to recover the password for the Cisco
Secure ACS Solution Engine, refer to Recovery Procedure for the Cisco Secure
ACS Solution Engine, which explains the recovery process in detail.
Remote Agent Issues
Sometimes a timeout occurs when ACS communicates with the remote agent.
Why?
A. Make sure that the software versions on the ACS server and the remote
agent are the same. For example, if your ACS SE runs software version 4.1, you
must use remote agent version 4.1 on the Windows (Active Directory) server. If
the versions differ, the configuration does not work and you may receive this
error message: External DB user invalid or bad password.
How do I remove or delete the remote agents in ACS?
A. Complete these steps in order to remove or delete the remote agents:
Go to Services on the Windows server and stop the ACS Agent service.
In ACS, stop remote logging: choose System Configuration > Logging >
Remote Logging Setup and select Do not log Remotely.
Remove the remote agent. Refer to Deleting a Remote Agent Configuration
for more information.
When remote agents are added to ACS, this error occurs:
Failed to commit all Fields. How can I resolve it?
A. The Failed to commit all Fields error message often occurs when a patch
is not installed correctly or is corrupted. Re-imaging the ACS and restoring
the configuration resolves the error.
If replication fails, what do I need to look at?
A. From the command line, issue the net stop csauth command on each server
in order to stop the service. Then issue the csauth -z -p command in order to
run both the source and the target in debug mode, and look for messages in the
window. The output also goes into the $BASE\CSAuth\Logs\auth.log file. Often
one or more of the authentication, authorization, and accounting (AAA) servers
is misconfigured, so look for messages on the target that report requests from
illegal or unknown hosts. If the source has several network adapters, the
target may see the wrong source IP address and reject the source as unknown.
I use ACS with servers in geographically dispersed areas, and services
are disrupted when I replicate. How do I deal with this?
A. Ensure that the authenticating devices are configured for failover. In
other words, ensure there are at least two servers defined in order to provide
backup if one server is unreachable. (This is a good idea whether replication
is involved or not.) For example, if the arrangement has one ACS in the U.S.
that replicates to a second ACS in Australia, configuring the authenticating
devices to try the U.S. then Australia is probably not the best plan. Install a
second local server (in the U.S.) and replicate it from the U.S. master to the
U.S. slave. The U.S. slave then replicates to the Australia slave.
Are the logs transferred in native ACS format, or do (or can) they get
converted to syslog?
A. They are sent in native syslog format; no conversion is involved.
How do you generate a log file on a daily basis on Cisco Secure ACS SE?
A. For each CSV log, Cisco Secure ACS writes a separate log file. When a
log file reaches 10 MB in size, Cisco Secure ACS starts a new log file, and it
retains the most recent 7 log files for each CSV log. For more information on
generating a log, refer to Enabling or Disabling a CSV Log.
How do I correct the 'User Access ...' error?
A. Either disable Network Access Restrictions (NAR) or configure them
completely for use.
When I set up authentication, I receive the Chpass is currently disabled.
error when I try to authenticate. How do I resolve this issue?
A. The user account password is set to change on login, but Telnet password
changes are disabled on the ACS. Select System Configuration > Local Password
Management and uncheck the option Disable TELNET Change Password against this
ACS and return the following message to the users Telnet session "Chpass is
currently disabled." This allows the user to change the password.
When I attempt to dump the database with the csutil.exe -d command, I
receive the error message "Failed to initialize crypto API". What does this
mean?
A. You receive this error message when you are logged in to the Cisco
Secure ACS server with an account other than a local administrator account,
which prevents csutil from running.
The reason is that the passwords and AAA keys in the ACS database are
encrypted with the Microsoft Crypto API, and only local administrators and the
system account itself can access the key material needed to decrypt them.
When I attempt to upgrade from Cisco Secure ACS for Windows 3.0.3 to 3.2,
I receive the "ACS FOLDER IS LOCKED BY ANOTHER APPLICATION" error message. What
do I need to do?
A. Complete these steps:
Run the Filemon utility in order to check for any "sharing violations"
while you try the installation.
Note: Do not upgrade over Terminal Services; disable that service
temporarily.
Change System Configuration > Service Control > Manage Directory to keep
only the last seven files.
When I try to bring up the GUI, I get an Invalid
administration control error. The installation is successful,
and the services run. What is the problem?
A. This problem is usually seen when the browser has a proxy server
configured. In order to fix this, disable the proxy server completely and then
bring up the ACS administration screen.
I see odd things in the ACS GUI. For example, the same users appear in
multiple groups and I cannot delete users from the database. How do I fix this
kind of corruption?
A. ACS adds a user in two steps:
It adds a new record to the end of the file.
It creates an index path to the new record.
If the CSAuth service is interrupted during this process, the record can be
present in the database but not editable, because editing uses a lookup
through the indexing code.
In order to clean up the database, go to the command line and issue the
$BASE\utils\csutil -q -d -n -l dump.txt command, where $BASE is the directory
in which the software is installed. This command unloads and reloads the
database, which clears the corruption. Back up ACS before you run it, because
the -n option initializes the database.
I cannot start services for RADIUS after I re-install the software
several times. The event error says that the service was terminated with
service specific error 11.
A. There are several reasons why the CSRadius service may fail to start.
The most common are running Windows with an unsupported service pack, or
contention with another application. Supported platforms and service packs are
specified in the release notes.
In order to check for port conflicts, go to the command line of the
server and issue the netstat -an | findstr 1645 and netstat -an | findstr 1646
commands to see whether any other service uses these User Datagram Protocol
(UDP) ports (check 1812 and 1813 the same way). If another service uses these
ports, you see something similar to this output:
UDP 0.0.0.0:1645 *:*
UDP 0.0.0.0:1646 *:*
Another possible cause of the error message is that the Microsoft Server
service has not started. In order to check this, select Control Panel >
Services and ensure that the Server service shows Started and Automatic.
The ACS installation fails and I see an error about NSLDAPSSL32V30.dll
that says it cannot overwrite the file. What causes this and how do I resolve
A. This error can be caused by contention with an installation of Cisco
Secure VPN Client version 1.1. Resolve the conflict with the removal of the VPN
Client from the system.
I cannot connect the ACS Solution Engine (SE) with an external Windows
database. Why?
A. The external Windows database runs on a 64-bit operating system. ACS
versions prior to 4.2.1 do not work with 64-bit operating systems. In ACS
version 4.2.1 and later, 64-bit operating systems are supported, so you are
able to connect the ACS Solution Engine (SE) with the external Windows
database.
How can I enable IETF attribute 88, Framed-Pool, on a Cisco Secure ACS?
A. You cannot directly edit this attribute, because the ACS GUI already has
an option that sets this value.
Within the IP address assignment section of the group setup, you have
three options: No IP address assignment, Assigned by dialup client, and
Assigned from AAA client pool. A fourth option, Assigned from AAA server pool,
appears if you have pools defined.
Use the third option (Assigned from AAA client pool). Selecting it and
entering the name of the pool returns the pool name in attribute 88
(Framed-Pool). The user settings offer the same options if you need this
configured at the per-user level. Also, the AAA client must be set to
authenticate using RADIUS (IETF).
Are there any tools available that can be used to access and/or sort
through the files?
A. No tools are supplied with ACS. For additional information, see
Does Cisco recommend a software application that can be
used to report on accounting logs available in ACS?
The ACS has been reconfigured to require a user name and password to log
in locally. Now everyone is locked out. How do I fix this?
A. The solution depends on the version of software in place. Whatever the
version, be sure to back up the registry first.
In early versions of ACS, the user name and password requirement for
local login is modified in the registry. Issue the regedit command and search
for AllowAutoLocalLogin. Change the registry value to 1 in order to allow local
login, and then recycle the services.
In ACS versions 2.6 and later, issue the regedit command and remove the
users in this location:
Under the Administrators key, you see all the administrators that you have
created. Delete the users and exit the registry. When you next access ACS, you
are not prompted for a user name and password. Once you are in the GUI, add
the administrators again.
The ACS documentation chapter on Cisco Secure ACS Command-Line Database
utility explains how to bulk import a large number of users into ACS with the
csutil -i command. How do I bulk import network
access servers (NASes)?
A. The procedure used to bulk import NASes is similar to the import of
users. This flat-file is an example:
The NASes can also be imported into a particular Network Device Group.
This flat-file is an example:
How do I obtain ACS 3.2 in order to upgrade from an earlier version?
A. For more information, refer to
Q & A for Cisco Secure ACS Version 3.2 for Windows 2000 and NT.
How do I configure the Novell Directory Services (NDS) database?
A. If you select NDS Server Support, complete these steps:
Ask your Novell NetWare administrator for the names and other information
for the tree, container, and context.
Click NDS Server Support.
Enter a name for the configuration. This name is for informational
purposes only.
Enter the tree name.
Enter the full context list, separated by dots (.). Separate
multiple context lists with a comma and a space.
For example, if your organization is Corporation, your organization
name is Chicago, and you want to enter two context names (Marketing and
Engineering), enter this information:
You do not need to add users in the context list.
Changes take effect immediately. You do not need to restart the services.
Caution: If you click Delete, your NDS database settings are removed.
How can I find out the exact release of my ACS software?
A. There are two ways to check the release.
When you bring up the browser, look for this at the bottom of the page:
Cisco Secure ACS v2.3 for Windows NT
Or bring up the DOS prompt on the Cisco Secure machine and run csutil:
D:\Program Files\Cisco Secure ACS v2.3\Utils>csutil
CSUtil v2.3(2.4), Copyright 1997, Cisco Systems Inc.
My ACS Logged In Users report works with some devices, but not with
others. What is the problem?
A. In order for the Logged In Users report to work (this also applies to
most other features that involve sessions), the device must send at least these
packets:
Authentication Request packet
Accounting Start packet
Accounting Stop packet
Attributes (such as nas-port and nas-ip-address) that appear in multiple
packets need to contain the same value in all packets; otherwise the Start and
Stop cannot be paired.
If a connection is so brief that there is little time between the Start
and Stop packets (for example, HTTP through the PIX), the Logged In Users
report does not show the user.
ACS versions 3.0 and later allow the device to send either
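The following added Python example (not from the Cisco document) pairs
Accounting Start and Stop records the way the Logged In Users report needs
them, flags a Stop whose nas-port differs from its Start so that it cannot be
matched, and reports who is still logged in. It also totals hours per user
from a CSV accounting log, the query suggested in the accounting-logs section
above, and applies the domain stripping described earlier so that
DOMAIN_A\user and user count as one person. The column set and the log lines
are constructed for the example; a real ACS RADIUS Accounting CSV carries more
columns, and the ACS report's internal matching rules are not reproduced here.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of an ACS RADIUS Accounting CSV log.
# The column set is an assumption for this example; real exports carry more.
SAMPLE_LOG = """\
Date,Time,User-Name,Group-Name,NAS-IP-Address,NAS-Port,Acct-Status-Type,Acct-Session-Id
05/12/2009,08:00:00,DOMAIN_A\\alice,Default Group,10.1.1.10,1,Start,00000101
05/12/2009,08:05:00,bob,Default Group,10.1.1.10,2,Start,00000102
05/12/2009,09:30:00,alice,Default Group,10.1.1.10,1,Stop,00000101
05/12/2009,08:35:00,bob,Default Group,10.1.1.10,7,Stop,00000102
05/12/2009,10:00:00,DOMAIN_A\\carol,Default Group,10.1.1.11,3,Start,00000103
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
# Attributes that must carry the same value in the Start and the Stop packet
# for the two to be treated as one session.
MUST_MATCH = ("NAS-IP-Address", "NAS-Port")


def strip_domain(user_name, delimiter="\\"):
    """Drop a DOMAIN\\ prefix so DOMAIN_A\\user and user collapse to one name."""
    return user_name.rsplit(delimiter, 1)[-1]


def correlate(csv_text):
    """Pair Accounting Start and Stop records.

    Returns (sessions, problems): sessions maps (NAS-IP, Acct-Session-Id) to
    a dict with user, start, stop (None while open) and the matched attrs;
    problems lists the reasons a Stop could not be matched to its Start.
    """
    sessions = {}
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        when = datetime.strptime(row["Date"] + " " + row["Time"], TIME_FORMAT)
        attrs = {name: row[name] for name in MUST_MATCH}
        status = row["Acct-Status-Type"]
        if status == "Start":
            sessions[key] = {"user": strip_domain(row["User-Name"]),
                             "start": when, "stop": None, "attrs": attrs}
        elif status == "Stop":
            session = sessions.get(key)
            if session is None:
                problems.append("Stop without Start for session %s" % (key,))
            elif session["attrs"] != attrs:
                # Same session id, but nas-port (or NAS IP) changed: leave the
                # Start open, which is how the report ends up showing a stale user.
                problems.append("attribute mismatch for session %s: start %s stop %s"
                                % (key, session["attrs"], attrs))
            else:
                session["stop"] = when
    return sessions, problems


def hours_per_user(sessions):
    """Total hours of completed sessions per (domain-stripped) user."""
    totals = defaultdict(float)
    for session in sessions.values():
        if session["stop"] is not None:
            seconds = (session["stop"] - session["start"]).total_seconds()
            totals[session["user"]] += seconds / 3600
    return dict(totals)


def logged_in_users(sessions):
    """Users whose Start has no matching Stop, as a Logged In Users report would list them."""
    return sorted({s["user"] for s in sessions.values() if s["stop"] is None})


if __name__ == "__main__":
    sessions, problems = correlate(SAMPLE_LOG)
    print("hours per user:", hours_per_user(sessions))   # {'alice': 1.5}
    print("logged in:", logged_in_users(sessions))       # ['bob', 'carol']
    for problem in problems:
        print("problem:", problem)
```

bob's Stop arrives with NAS-Port 7 although his Start carried NAS-Port 2, so
the example refuses to pair them and he stays listed as logged in; that is the
mismatch the answer above warns about, and the problems list is where a
practitioner would look first when the report shows users who have long since
disconnected.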
When I access the ACS GUI through a firewall, the address for the server
in the URL field changes from a global IP address to a local address. Why does
this happen?
A. This problem has been addressed in the current version of ACS 3.0. The
global IP address no longer changes when you move to subsequent pages after the
first.
Can a user be in more than one group at a time?
A. No. A user cannot be in more than one group at a time.