Installation Guide for Cisco Secure ACS Solution Engine 4.2
Installing and Configuring Cisco Secure ACS Solution Engine

Installing and Configuring Cisco Secure ACS SE 4.2


This chapter describes how to install and initially configure Cisco Secure ACS SE 4.2.

This chapter contains:

Installation Quick Reference

Installing the Cisco 1113 in a Rack

Connecting to the AC Power Source

Connecting Cables

Initial Configuration

Verifying the Initial Configuration

Turning Ping On or Off

Next Steps


Note The details in this guide correspond to the CSACSE-1113-K9 platform only.


Installation Quick Reference

Table 3-1 provides a high-level overview of the installation and initial configuration process. After installation and initial configuration, see the User Guide for Cisco Secure ACS 4.2 for information on how to use a browser and the web interface to fully configure your ACS SE to provide the AAA services that you want from this installation.

Table 3-1 Quick Reference

| Task | References |
| --- | --- |
| Use the rack mount kit to install the ACS SE in a rack. | Installing the Cisco 1113 in a Rack |
| Connect the ACS SE to an AC power source. | Connecting to the AC Power Source |
| Connect network and console cables. | Connecting Cables |
| Perform initial configuration of the ACS SE. | Configuring ACS SE |
| Verify initial configuration. | Verifying the Initial Configuration |
| Configure ACS SE to provide AAA services. | Next Steps |


Installing the Cisco 1113 in a Rack

Before installing the Cisco 1113 in a rack, read Preparing Your Site for Installation to familiarize yourself with the proper site and environmental conditions. Failure to read and follow these guidelines could lead to an unsuccessful installation and possible damage to the system and components. Perform the steps below when installing and servicing the Cisco Secure ACS SE.

The rack must be properly secured to the floor, to the ceiling or upper wall, and where applicable, to adjacent racks. The rack should be secured by using floor and wall fasteners, and bracing that the rack manufacturer specifies or industry standards approve.

When installing and servicing the ACS SE:

Disconnect all power and external cables before installing the system.

Install the system in compliance with your local and national electrical codes:

United States: National Fire Protection Association (NFPA) 70; United States National Electrical Code.

Canada: Canadian Electrical Code, Part I, CSA C22.1.

Other countries: If local and national electrical codes are not available, see IEC 364, Part 1 through Part 7.

Do not work alone under potentially hazardous conditions.

Do not perform any action that creates a potential hazard to people or makes the equipment unsafe.

Do not attempt to install the ACS SE in a rack that has not been securely anchored in place. Damage to the system and personal injury may result.

Due to the size and weight of the computer system, never attempt to install the computer system by yourself.

See Precautions for Rack-Mounting for additional safety information on rack installation.


Warning

To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:

This unit should be mounted at the bottom of the rack if it is the only unit in the rack.

When mounting this unit in a partially filled rack, load the rack from the bottom to the top with the heaviest component at the bottom of the rack.

If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack.


The server can be installed in a system 1U rack. The rack rail components are as follows (numbers in parentheses refer to Figure 3-1):

2 telescopic rails (1, 2)

Bag containing:

8 Round head screws with washer (3)

2 Round head screws (4)

10 Cage nuts (5)

Figure 3-1 Rack Rail Components

To install the Cisco 1113 in a rack:

1. Attach the chassis rail mount to the chassis (see Attaching the Chassis Rail Mount).

2. Attach the server rail to the rack assembly (see Attaching the Server Rail).

3. Slide the chassis on to the rack assembly (see Sliding Chassis on the Rack).

Attaching the Chassis Rail Mount

You must first remove the chassis rail mount section from the server rail and attach it to the chassis.

To attach the chassis rail mount:


Step 1 See Figure 3-2. Extend the server rail as far as it will go. When fully extended, the server rail locks into the extended position.

Figure 3-2 Removing the Chassis Rail Mount

Step 2 See Figure 3-3. Slide the white tab (1) in the direction of its arrow and slide out the chassis rail mount part. (Set it aside for attaching to the chassis in the next step.)

Figure 3-3 Sliding the Chassis Rail Mount Release Tab

Step 3 Align the holes in the chassis rail mount to the pegs on the chassis (1 and 2 in Figure 3-4).

Figure 3-4 Positioning Chassis Rail Mount on Chassis

Step 4 See Figure 3-5. Align the holes (1) and then slide the rail until it locks into place (2).

Figure 3-5 Attaching Chassis Rail Mount to Chassis

Figure 3-6 shows the chassis rail mount locked into place.

Figure 3-6 Chassis Rail Mount in Locked Position


Attaching the Server Rail

Now that you have mounted the chassis rail mount, retract the server rail that you previously extended and then attach it to the rack. If you have already retracted the server rail, go to step 2.

Procedure


Step 1 To retract the arm of the server rail, push the tab as shown in Figure 3-7. Then slide the arm back in.

Figure 3-7 Retracting the Server Rail

Step 2 Attach the server rail to the rack as shown in the figure that corresponds to your rack:

For a square-peg rack, see Figure 3-8.

For a circular-peg rack, see Figure 3-9.

Figure 3-8 Attaching Rail to a Square-Peg Rack

Figure 3-9 Attaching Rail to a Circular-Peg Rack

Step 3 Repeat this process with the other rail and rack assembly.


Note Leaving some space between the bracket and the rail until you install the rail into the rack makes it easier to affix the rail to the rack. After the rail is attached to the rack, you can tighten the screws.



Sliding Chassis on the Rack


Step 1 See Figure 3-10. On the chassis rail mount, slide and hold the purple tab in the direction of the arrow. This allows the chassis rail mount to slide on to the rail.

Figure 3-10 Sliding the Chassis Rail Mount Extended Tab

Step 2 Insert the chassis in the rack. See Figure 3-11.

Figure 3-11 Sliding Chassis onto Rack

Slide the chassis back and forth several times. Fasten with all the screws.


Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that you use a fuse or circuit breaker no larger than 120 VAC, 15A (U.S./CAN); 240 VAC, 10A (INTERNATIONAL). Statement 1005

Connecting to the AC Power Source


Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024

Connect the AC power receptacle to the AC power source with the provided power cable.

Connecting Cables

Use UTP, copper-wire Ethernet cable, with standard RJ-45-compatible plugs, to connect the ACS SE to the network.

To connect the cables:


Step 1 Plug the network connection into the Ethernet 0 port (NIC 1). See Figure 1-3 for the location of the Ethernet 0 port.

Step 2 Connect a console to the console or serial port using the supplied serial cable and, if necessary, the DB-9-to-RJ-45 console adapter. See Figure 1-3 for the location of the serial port.


Warning Do not work on the system or connect or disconnect cables during periods of lightning activity.

Initial Configuration

The first three of the four steps that are required to configure the ACS are documented in this manual:

Establishing a Serial Console Connection

Configuring ACS SE

Verifying the Initial Configuration


Note You perform the fourth and final part of the configuration, which includes providing AAA services by establishing administrative and user accounts, and configuring network connections, from the web interface. For more information, see User Guide for Cisco Secure ACS 4.2.


Establishing a Serial Console Connection

Before you can perform the initial configuration of ACS SE, you must establish a serial console connection to it. This procedure requires a PC, two DB-9 to RJ-45 adapters (provided), an RJ-45 cable (provided), and terminal emulation communication software (HyperTerminal or equivalent).

To establish a serial console connection:


Note If you performed the procedure in Connecting Cables, you can skip to Step 2.



Step 1 Connect a console to the serial console port on the back panel:

a. Attach a DB-9 to RJ-45 adapter (provided) to the serial port of the console.

b. Attach a DB-9 to RJ-45 adapter (provided) to the serial port of the ACS SE. For the location of the serial port, see Figure 1-3.

c. Use an RJ-45 cable (provided) to connect the console to the ACS SE.


Tip You may also use a serial concentrator connection, if desired.


Step 2 Power on ACS SE and the console, and open your terminal emulation communication software on the console.


Tip See Figure 1-2 for the location of the power switch on ACS SE.


Step 3 Set your terminal emulation communication software to operate with the following settings:

Baud = 115200

Databits = 8

Stops = 1

Flow control = None

Terminal emulation type = ANSI

Result: The login: prompt appears.


Configuring ACS SE

You must configure the ACS SE when you boot the system for the first time and whenever you re-image the system. For more information on re-imaging the system, see Upgrade Scenarios.

Table 3-2 lists the essential configuration tasks that are unique to SE.

Table 3-2 SE Configuration Tasks

| Task | Available Resources (on Cisco.com) |
| --- | --- |
| Remote Agent configuration | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp386216 |
| System Configuration | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html |
| ACS Back up | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp222373 |
| ACS Restore | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp330795 |
| Certificate setup | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp373226 |
| EAP-FAST PAC files configuration | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp419531 |
| Date/Time configuration | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp288064 |
| SNMP setup | http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp288047 |


Before you begin to configure the solution engine, you should have the following information:

Network hostname of the solution engine.

DNS domain name.

Administrator name and password.

Database password.

GUI administrator name and password.

Whether you will enable DHCP (enabling DHCP is not recommended).

IP, netmask, and gateway addresses you will assign to the ACS SE.

Whether you will be using NTP synchronization and, if yes, the address of the NTP server.

To configure ACS SE:


Step 1 Establish a serial console connection to the ACS SE; for details, see Establishing a Serial Console Connection.


Note If ACS SE is not configured (that is, it is new or has been re-imaged), the system displays the system information, including the software version.


Step 2 Confirm that the following information appears above the login prompt:

Cisco Secure ACS: [version number]
Appliance Management Software: [version number]
Appliance Base Image: [version number]
CSA build [version number]: (Patch: [version number])
Status: Appliance is functioning properly
The ACS Appliance has not been configured. 
Logon as "Administrator" with password "setup" to configure appliance.

Note If this information does not appear and only the Cisco Secure ACS: [version number] prompt appears, you must reboot the appliance and then log in.


Step 3 At the login: prompt, enter Administrator, and press Enter.


Note When you boot the system for the first time, it is not configured. You must log in as the command line interface (CLI) administrator to configure the system.


Step 4 At the password: prompt, enter setup, and press Enter.


Note The password is case sensitive.


Result: The console displays:

Initialize Appliance.
Machine will be rebooted after initialization.
Entering Ctrl-C before setting appliance name will shutdown the appliance

Step 5 At the ACS Appliance name [deliverance1]: prompt, enter the name that you intend to use for your ACS SE, and press Enter.


Tip The name can contain up to 15 letters and numbers, but no spaces.


Result: The console displays:

ACS Appliance name is set to xxx.

Step 6 At the DNS domain [ ]: prompt, enter the domain name, and press Enter.

Result: The console displays:

DNS name is set to xxx.com.
You need to set the administrator account name and password.

Step 7 At the Enter new account name: prompt, enter the ACS SE administrator account name, and press Enter.


Tip Only one ACS SE CLI administrator account can exist at a time. This account allows access only through a serial cable and CLI commands. You can change the account's credentials. For more information, see Chapter 4 "Administering Cisco Secure ACS Solution Engine."


Step 8 At the Enter new password: prompt, enter the new ACS SE password, and press Enter.


Note The new password must be unique and should not be identical to the last ten passwords that have been used. It must contain a minimum of 6 characters and include a mix of at least three character types: uppercase letters, lowercase letters, digits, and special characters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word. The password cannot contain the account name.


Step 9 At the Enter new password again: prompt, enter the new ACS SE password again, and press Enter.

Result: The console displays:

Password is set successfully.
Administrator name is set to xxx.

Step 10 The following prompt appears for the new database password:

Please enter the Encryption Password for the Configuration Store.
Please note this is different from the administrator account,
it is used to encrypt the Database.

Note It must contain a minimum of 6 characters, and it must include a mix of at least three character types: uppercase letters, lowercase letters, digits, and special characters. Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


Step 11 At the Enter new password: prompt, enter the new database password, and press Enter.

Step 12 At the Enter new password again: prompt, enter new database password again, and press Enter.

Result: The console displays:

Password is set successfully.

Step 13 At the Would you like to add GUI Administrator now?: prompt, type y for yes or n for no, and press Enter.


Note If you do not enter y or n and press Enter, the default value (yes) is used.


Step 14 If you entered y, complete these steps:

a. At the Enter new GUI administrator name: prompt, enter the new GUI administrator name.

The following prompt appears:

Enter new password:

b. Enter the new password.


Note The password can only contain a maximum of 32 characters and a minimum of 4 characters.


The following prompt appears:

Enter new password again:

c. Enter the new password again.

Result: The console displays:

GUI Administrator added successfully.

For more information on adding a GUI administrator account, see Setting Up a GUI Administrator Account.

Step 15 At the Use Static IP Address [Yes]: prompt, enter Y for yes or N for no, and press Enter.


Note To set or change the IP address of your ACS SE, it must be connected to a working Ethernet connection.



Note A static IP address must be assigned to your ACS SE. You can set the IP address directly by answering Y to this step and performing the substeps detailed in Step 16. Alternatively, you may use a DHCP address if it assigns a single IP address that does not change.


Step 16 The following prompts appear only if you set a static IP address manually. Otherwise the following message appears:

No change to the configuration.
Accept network setting [Yes]

a. To specify the ACS SE IP address, at the IP Address [xx.xx.xx.xx]: prompt, enter the IP address, and press Enter.

b. At the Subnet Mask [xx.xx.xx.xx]: prompt, enter the subnet mask value, and press Enter.

c. At the next prompt, enter the default gateway value, and press Enter.

d. At the next prompt, enter the address of any DNS server that you intend to use (separate each by a single space), and press Enter.


Note If you do not intend to use a DNS server, enter the IP address of the ACS SE at the [xx.xx.xx.xx] prompt. If you do not configure the ACS SE to use a DNS server, you must respond to all prompts for hostname or IP address only with an IP address.


Result: The console displays:

IP Address is reconfigured.

e. At the prompt, enter Y, and press Enter.

Result: The console displays:

New ip address is set.
Default gateway is set to xx.xx.xx.xx
DNS servers are set to: xx.xx.xx.xx xx.xx.xx.xx.

f. At the prompt, enter Y, and press Enter.

Result: The IP address for the appliance will be set.

g. At the Test network connectivity prompt, enter Y, and press Enter.


Tip This step executes a ping command to ensure the connectivity of the ACS SE.


h. At the prompt, enter the IP address or hostname of a device connected to the ACS SE, and press Enter.

Result: If successful, the system displays the ping statistics and displays the Test network connectivity prompt.

i. If network connectivity is validated in the previous two steps, at the prompt, enter N, and press Enter.


Tip The system continues to provide you with the opportunity to test network connectivity until you answer no. This means that you can correct network connections or retype the IP address.


Step 17 If the settings appear correctly, at the Accept network setting [Yes] prompt, enter Y, and press Enter.

Result: The console displays:

Current Date Time Setting:
Time Zone: (GMT -xx:xx) XXX Time
Date and Time: mm/dd/yyyy
NTP Server(s): NTP Synchronization Disabled.

Step 18 To set the time and date of the ACS SE, at the prompt, enter Y, and press Enter.

Result: The console displays a numbered list of time zones.

Step 19 At the prompt, enter the index number of the appropriate time zone for your geography, and press Enter.

Result: The console displays the new time zone.

Step 20 At the prompt, do one of the following:

To set the time manually, enter N, and press Enter.

To use an NTP server for setting time, enter Y, and when prompted, enter the IP address of the NTP server that you want.


Tip You can subsequently use the ntpsync command only if you choose to use an NTP server.


Result: The console displays a confirmation message reflecting your choice.

Step 21 At the prompt, enter the date in the given format, and press Enter.

Step 22 At the prompt, enter the current time in the given format, and press Enter.

Result: The console displays:

Initial configuration is successful. Appliance will now reboot.
The system reboots.
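
The naming, password, and addressing rules stated in the notes of the procedure above can be checked before you sit down at the serial console. The following is an added example, not part of the Cisco guide or ACS software: the function names and worksheet keys are hypothetical, the treatment of every non-alphanumeric character as "special", the case-insensitive account-name comparison, and the gateway-in-subnet check are assumptions that go beyond what the guide states.

```python
import ipaddress
import re


def char_types(password):
    """Classify characters into the four types named in the password notes."""
    kinds = set()
    for ch in password:
        if ch.isupper():
            kinds.add("uppercase")
        elif ch.islower():
            kinds.add("lowercase")
        elif ch.isdigit():
            kinds.add("digit")
        else:
            kinds.add("special")  # assumption: anything else counts as special
    return kinds


def check_complex_password(label, password, account_name=None):
    """CLI administrator and database rule: 6+ characters, 3+ character types.

    The ten-password history rule can only be enforced by the appliance itself.
    """
    problems = []
    if len(password) < 6:
        problems.append(f"{label}: shorter than 6 characters")
    if len(char_types(password)) < 3:
        problems.append(f"{label}: fewer than three character types")
    # Assumption: the account-name comparison ignores case.
    if account_name and account_name.lower() in password.lower():
        problems.append(f"{label}: contains the account name")
    return problems


def check_gui_password(password):
    """GUI administrator rule: 4 to 32 characters."""
    if not 4 <= len(password) <= 32:
        return ["GUI administrator password: must be 4 to 32 characters"]
    return []


def check_appliance_name(name):
    """Appliance name rule: up to 15 letters and numbers, no spaces."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,15}", name):
        return ["appliance name: use 1 to 15 letters and numbers, no spaces"]
    return []


def check_network(ip, netmask, gateway):
    """Added sanity check: the gateway must sit on the appliance's subnet."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"network: {exc}"]
    net = iface.network
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("network: IP is the network or broadcast address")
    if gw not in net:
        problems.append(f"network: gateway {gw} is outside {net}")
    elif gw == iface.ip:
        problems.append("network: gateway equals the appliance IP")
    return problems


def preflight(ws):
    """Return every problem found in a worksheet dict; an empty list means ready."""
    problems = check_appliance_name(ws["appliance_name"])
    problems += check_complex_password(
        "CLI administrator password", ws["cli_password"], ws["cli_admin"])
    problems += check_complex_password("database password", ws["db_password"])
    problems += check_gui_password(ws["gui_password"])
    if ws["use_dhcp"]:
        problems.append("DHCP: the guide recommends against enabling DHCP")
    else:
        problems += check_network(ws["ip"], ws["netmask"], ws["gateway"])
    return problems


# Constructed worksheets; the passwords are the guide's own published examples
# and must never be used on a real appliance.
GOOD = {
    "appliance_name": "acslab01", "cli_admin": "acsadmin",
    "cli_password": "1PaSsWoRd", "db_password": "*password44",
    "gui_password": "Pass*word", "use_dhcp": False,
    "ip": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "192.0.2.1",
}
BAD = dict(GOOD, appliance_name="acs lab 01", cli_password="acsadmin1",
           gui_password="abc", gateway="198.51.100.1")

if __name__ == "__main__":
    for name, ws in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, preflight(ws) or "ready")
```

The messages name only the failing field, so the output can be pasted into a change ticket without exposing a candidate password.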

Verifying the Initial Configuration

To verify that you have correctly completed the ACS SE initial configuration:

Before You Begin

Establish a serial console connection to the ACS SE. For details, see Establishing a Serial Console Connection.


Step 1 Reboot the ACS SE. For more information, see Rebooting the Solution Engine from a Serial Console.

Result: When the system boots, a login: prompt appears on the console.

Step 2 At the login: prompt, enter the new administrator name, and press Enter.

Step 3 At the password: prompt, enter the password you created during initial configuration, and press Enter.

Step 4 At the system prompt, enter show and press Enter.

Result: The console displays the status information.

Step 5 Verify that the information on the screen is correct.


Setting Up a GUI Administrator Account

After initial installation or re-imaging, unless you specified a GUI administrator account during the initial configuration using the setup script, only one administrator account exists: the CLI administrator account. This account allows access only through a serial console log in and CLI commands.

If you specified a GUI administrator account when prompted for one by the setup script, a GUI administrator account exists. However, before the designated GUI administrator user can use this account, you must unlock it by entering the unlock guiadmin command.

You can also set up an additional GUI administrator account that can access the SE.

To set up an initial web GUI account:


Step 1 Log in as the CLI administrator.

Step 2 If a GUI administrator account was specified during initial configuration using the setup script, enter the unlock guiadmin command to unlock the GUI administrator account:

unlock guiadmin <Admin> <Password>

where Admin is the name of the GUI administrator account and Password is the password for the account.

Step 3 If no GUI administrator account has been set up or you want to add additional GUI administrator accounts, at the command prompt, enter:

add guiadmin

Result: The console displays:

Adding new GUI Administrator
Note! All ACS services will be restarted.
GUI Administrator password policy is:
Password must be at least 4 character(s) long.

Step 4 At the Enter new GUI administrator name: prompt, enter the new GUI administrator name, and press Enter.

Step 5 At the Enter new password: prompt, enter the new password, and press Enter.


Note The password can only contain a maximum of 32 characters and a minimum of 4 characters.


Step 6 At the Enter new password again: prompt, enter the new password again, and press Enter.

Result: The console displays:

GUI Administrator added successfully.

Note The new GUI administrator account is not usable until you unlock it by entering the unlock guiadmin command.


You can now use the GUI administrator account to remotely access the ACS GUI running on the ACS SE.


Turning Ping On or Off

After the installation and initial configuration, you can enable the Internet Control Message Protocol (ICMP) ping via the CLI administrator account or the GUI administrator account.


Note By default, ICMP ping is disabled on the Solution Engine.


This section describes the tasks you need to perform to enable or disable ICMP ping on the appliance.

Enable ICMP Ping


Note To enable ICMP ping, you must first install the applAcs_4.x-PingTurnOn_CSCsf15057_Patch.zip on the appliance. After this, you must copy the applAcs_4.x-PingTurnOn_CSCsf15057_Patch.zip file to the Windows system from which you are running the .bat file.


To enable ICMP ping on the appliance:


Step 1 Extract the files in the applAcs_4.x-PingTurnOn_CSCsf15057_Patch.zip folder in the Windows system from which you are running the .bat file.

Step 2 Run the autorun.bat file.

Step 3 In the CLI, at the system prompt, enter stop csagent, and press Enter.

Result: The console displays:

Stopping service: CSAgent. . . . . . 
CSAgent is stopping
CSAgent is not running

Step 4 At the system prompt, enter download <ip address>, and press Enter.

where ip address is the IP address of the machine from which you are running the .bat file. For example, enter download 198.133.219.25.

Result: The console displays:

Attempting to download package 'applAcs_4.x PingTurnOn_CSCsf15057 Patch' Version
: 0 Patch: 1_0_0.
Successfully downloaded the package. Run upgrade command to install the package.

Step 5 At the system prompt, enter upgrade, and press Enter.

Result: The console displays:

Extracting...
Verifying...
Signature is verified.
Signature is verified.
The certificate's subject CN=Cisco Systems, Inc.
The certificate's issuer CN=ACS CA, Cisco Systems, Inc.
Upgrade package applAcs_4.x PingTurnOn_CSCsf15057 PatchPatch: 1_0_0
Installing the patch could adversely affect the system.

Step 6 At the prompt, enter Y for yes, and press Enter.

Result: The console displays:

Installing applAcs_4.x PingTurnOn_CSCsf15057 Patch Patch: 1_0_0
Upgrading...
Upgrade process initiated successfully
(12/3/2007 3:50:25 PM) Attempting to install the CSA with ICMP Enabled
(12/3/2007 3:50:25 PM) Check if service CSAgent is running...
(12/3/2007 3:50:28 PM) !!!!!!! The service CSAgent is not running !!!!!!!
(12/3/2007 3:50:28 PM) Attempting to install the patch files
(12/3/2007 3:50:28 PM) Attempting to save the file rollbackhotfixpatch.wsf
(12/3/2007 3:50:28 PM) Attempting to save the file includeappliance.wsf
(12/3/2007 3:50:28 PM) Attempting to save the file ping-enable.exe
(12/3/2007 3:50:28 PM) applying applAcs_4.x-PingTurnOn_CSCsf15057_Patch
(12/3/2007 3:51:25 PM) Completed the installation of the CSA with icmp enabled
(12/3/2007 3:51:26 PM) Setting CSA start type to manual
Successfully upgraded applAcs_4.x PingTurnOn_CSCsf15057 Patch Patch: 1_0_0
The process cannot access the file because it is being used by another process.
Completed upgrade and system will be rebooted.

Result: CSAgent is installed.

Step 7 After the upgrade is completed, the appliance reboots automatically. You must restart the CSAgent after the appliance reboots.

At the system prompt, enter start csagent, and press Enter.

Result: The console displays:

Starting service: CSAgent. . . . . . 
CSAgent is starting
CSAgent is running

Remote hosts can now ping the ACS SE device.

Disable ICMP Ping


Note To disable ICMP ping, you must first install the applAcs_4.x-PingTurnOff_CSCsk50309_Patch.zip on the appliance. After this, you must copy the applAcs_4.x-PingTurnOff_CSCsk50309_Patch.zip file to the Windows system from which you are running the .bat file.


To disable ICMP ping on the appliance:


Step 1 Extract the files in the applAcs_4.x-PingTurnOff_CSCsk50309_Patch.zip folder in the Windows system from which you are running the .bat file.

Step 2 Run the autorun.bat file.

Step 3 In the CLI, at the system prompt, enter stop csagent, and press Enter.

Result: The console displays:

Stopping service: CSAgent. . . . . . 
CSAgent is stopping
CSAgent is not running

Step 4 At the system prompt, enter download <ip address>, and press Enter.

where ip address is the IP address of the machine from which you are running the .bat file. For example, enter download 198.133.219.25.

Result: The console displays:

Attempting to download package `applAcs_4.x-PingTurnOff_CSCsk50309_Patch' Version
: 0 Patch: 1_0_0.
Successfully downloaded the package. Run upgrade command to install the package.

Step 5 At the system prompt, enter upgrade, and press Enter.

Result: The console displays:

Extracting...
Verifying...
Signature is verified.
Signature is verified.
The certificate's subject CN=Cisco Systems, Inc.
The certificate's issuer CN=ACS CA, Cisco Systems, Inc.
Upgrade package applAcs_4.x-PingTurnOff_CSCsk50309 PatchPatch: 1_0_0
Installing the patch could adversely affect the system.

Step 6 At the prompt, enter Y for yes, and press Enter.

Result: The console displays:

Installing applAcs_4.x-PingTurnOff_CSCsk50309 Patch Patch: 1_0_0
Upgrading...
Upgrade process initiated successfully
(12/3/2007 3:50:25 PM) Attempting to install the CSA with ICMP Disabled
(12/3/2007 3:50:25 PM) Check if service CSAgent is running...
(12/3/2007 3:50:28 PM) !!!!!!! The service CSAgent is not running !!!!!!!
(12/3/2007 3:50:28 PM) Attempting to install the patch files
(12/3/2007 3:50:28 PM) Attempting to save the file rollbackhotfixpatch.wsf
(12/3/2007 3:50:28 PM) Attempting to save the file includeappliance.wsf
(12/3/2007 3:50:28 PM) Attempting to save the file ping-disable.exe
(12/3/2007 3:50:28 PM) applying applAcs_4.x-PingTurnOff_CSCsk50309_Patch
(12/3/2007 3:51:25 PM) Completed the installation of the CSA with icmp disabled
(12/3/2007 3:51:26 PM) Setting CSA start type to manual
Successfully upgraded applAcs_4.x-PingTurnOff_CSCsk50309 Patch Patch: 1_0_0
The process cannot access the file because it is being used by another process.
Completed upgrade and system will be rebooted.

Result: CSAgent is installed.

Step 7 After the upgrade is complete, the appliance reboots automatically. You must restart the CSAgent after the appliance reboots.

At the system prompt, enter start csagent, and press Enter.

Result: The console displays:

Starting service: CSAgent. . . . . . 
CSAgent is starting
CSAgent is running

The pinging of the ACS SE device from remote hosts is now disabled.
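
Both ping procedures stop CSAgent, install a signed package, and leave the agent stopped after the reboot until you run start csagent. The following added example (not part of the Cisco guide or ACS software) audits a console session saved from your terminal emulator for those points. The function name and the sample capture are hypothetical; the capture is constructed from the console output shown in the steps above.

```python
import re

EXPECTED_SUBJECT = "CN=Cisco Systems, Inc."       # as printed in Step 5
EXPECTED_ISSUER = "CN=ACS CA, Cisco Systems, Inc."

# Constructed capture, assembled from the console output shown in the steps above.
SAMPLE_OK = """\
stop csagent
CSAgent is stopping
CSAgent is not running
upgrade
Extracting...
Verifying...
Signature is verified.
Signature is verified.
The certificate's subject CN=Cisco Systems, Inc.
The certificate's issuer CN=ACS CA, Cisco Systems, Inc.
Installing applAcs_4.x-PingTurnOff_CSCsk50309 Patch Patch: 1_0_0
(12/3/2007 3:51:25 PM) Completed the installation of the CSA with icmp disabled
(12/3/2007 3:51:26 PM) Setting CSA start type to manual
Completed upgrade and system will be rebooted.
start csagent
CSAgent is starting
CSAgent is running
"""
# Same session, but the operator never ran "start csagent" after the reboot.
SAMPLE_AGENT_DOWN = SAMPLE_OK.split("start csagent")[0]


def audit(transcript, want_icmp):
    """Return findings for one patch session; want_icmp is 'enabled' or 'disabled'."""
    lines = [ln.strip() for ln in transcript.splitlines() if ln.strip()]

    def first(pattern):
        return next((i for i, ln in enumerate(lines) if re.search(pattern, ln)), None)

    install = first(r"^Installing applAcs_")
    if install is None:
        return ["no patch installation found in transcript"]
    findings = []
    signed = first(r"^Signature is verified\.$")
    if signed is None or signed > install:
        findings.append("package signature was not verified before installation")
    for field, expected in (("subject", EXPECTED_SUBJECT), ("issuer", EXPECTED_ISSUER)):
        i = first(rf"^The certificate's {field} ")
        value = lines[i].split(f"{field} ", 1)[1] if i is not None else None
        if value != expected:
            findings.append(f"unexpected certificate {field}: {value!r}")
    i = first(r"Completed the installation of the CSA with icmp (enabled|disabled)$")
    state = lines[i].rsplit(" ", 1)[1] if i is not None else None
    if state != want_icmp:
        findings.append(f"ICMP state after patch is {state!r}, expected {want_icmp!r}")
    done = first(r"^Completed upgrade and system will be rebooted\.$")
    tail = lines[done + 1:] if done is not None else []
    if done is None:
        findings.append("upgrade did not report completion")
    # The patch sets the CSA start type to manual, so the agent stays down
    # after the reboot until "start csagent" reports it running.
    states = [ln for ln in tail if re.fullmatch(r"CSAgent is (running|not running)", ln)]
    if not states or states[-1] != "CSAgent is running":
        findings.append("CSAgent not confirmed running after the reboot")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_OK, "disabled") or "session OK")
    print(audit(SAMPLE_AGENT_DOWN, "disabled"))
```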

Next Steps

After you have successfully performed the procedures in this guide, ACS SE is installed and initially configured. The next step is to log in using the GUI administrator account and use a browser and the web interface to fully configure the ACS SE to provide the AAA services that you want from this installation. The HTML address is in the following format: http://<ip address>:2002, where ip address is the address that you assign during configuration.

For information on setting up user, group, network, and other parameters, see the User Guide for Cisco Secure ACS 4.2.


Note The ACS Solution Engine automatically creates an entry called Self in the AAA Servers Table. This entry identifies the Solution Engine machine.

However, in the Proxy Distribution Table and the AAA Server Table for RDBMS synchronization, the ACS Solution Engine creates an entry for the hostname of the device that is running the ACS Solution Engine.