Cisco ACS 5.X - How to unlock ADE-OS account.

Today I locked my ADE-OS account by typing a wrong password multiple times:

Access denied
Using keyboard-interactive authentication.
Account locked due to 6 failed logins
Password:

This is the default behavior, due to the configured password policy:

password-policy
  lower-case-required
  upper-case-required
  digit-required
  no-username
  disable-cisco-passwords
  min-password-length 8
  password-lock-enabled
  password-lock-retry-count 5

Here is the command to check whether an account is locked:

ACS/username_temp# show users status

USERNAME         ROLE   DISABLED        LOCKED
username         Admin                  *
username_temp    Admin
ACS/username_temp#

The thing is, there’s NO way to unlock the username (for example, to ask your teammate to unlock your account if you still remember the password). There’s only one way to solve the issue: delete the account and create it again. If you have only one account configured, bad news: the password recovery procedure (which requires a system reload) is your only option.

Cisco ACS 5.X - How to configure it for APC UPS (NMC/NMC2) RADIUS Authentication.

If you’d like to use a RADIUS server for APC NMC/NMC2 authentication, you should know there are 4 user types available:
• Administrator
• Device
• Read-Only
• Network-Only

By default (without specific configuration on the RADIUS server side) you will get Read-Only rights. There are two ways to configure Cisco ACS 5.X to provide the Administrator privilege:

Proper way

• Add APC VSA attributes to the dictionary:
– “System Administration” > “Configuration” > “Dictionaries” > “Protocols” > “RADIUS” > “RADIUS VSA” > “Create” > “Name: APC”, “Vendor ID: 318” > Submit.
– “System Administration” > “Configuration” > “Dictionaries” > “Protocols” > “RADIUS” > “RADIUS VSA” > “APC” > “Create” > “Attribute: APC-Service-Type”, “Vendor Attribute ID: 1”, “Attribute Type: Unsigned Integer 32” > “Submit”.
• Create an “Authorization Profile”: “Policy Elements” > “Authorization and Permissions” > “Network Access” > “Authorization Profiles” > “Create” > “Name: APC_Admin” > go to “RADIUS Attributes” tab, add “APC-Service-Type” as “Static” with value 1 (to get Administrator user privilege) > “Submit”.
• Use created “Authorization Profile” in “Access Policies”…

Simplest way

Instead of adding a new VSA attribute, you can use the IETF RADIUS attribute “Service-Type” (ID: 6) and configure it to return the “Administrative” value (ID: 6). It works the same way as the previous one. Checked.
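As an added example (not from the post, not APC's or Cisco's code), here is how the two attributes from the "proper" and "simplest" ways look on the wire, and how a decoder turns an Access-Accept's attribute list into an APC privilege. Only the values the post states are modelled: APC-Service-Type 1 or Service-Type Administrative (6) means Administrator; treating anything else as the Read-Only default is an assumption.

```python
import struct

VENDOR_SPECIFIC = 26             # RFC 2865 Vendor-Specific attribute type
IETF_SERVICE_TYPE = 6            # IETF "Service-Type" attribute (ID 6)
SERVICE_TYPE_ADMINISTRATIVE = 6  # Service-Type value "Administrative" (ID 6)
APC_VENDOR_ID = 318              # APC dictionary: Vendor ID 318
APC_SERVICE_TYPE = 1             # APC-Service-Type: Vendor Attribute ID 1, Unsigned Integer 32
APC_ADMINISTRATOR = 1            # APC-Service-Type value 1 = Administrator


def encode_ietf_service_type(value):
    """Encode the IETF Service-Type attribute: Type, Length, 4-byte integer."""
    return struct.pack("!BBI", IETF_SERVICE_TYPE, 6, value)

def encode_apc_service_type(value):
    """Wrap APC-Service-Type in a Vendor-Specific attribute: outer TLV,
    4-byte Vendor-Id, then the inner Vendor-Type/Vendor-Length/value TLV."""
    inner = struct.pack("!BBI", APC_SERVICE_TYPE, 6, value)
    body = struct.pack("!I", APC_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting
    truncated or impossibly short attributes instead of reading past them."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length exceeds buffer")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def apc_privilege(attr_bytes):
    """Map an Access-Accept's attributes to the APC NMC privilege they grant.
    Either attribute from the post yields Administrator; anything else falls
    back to Read-Only (assumption: no other APC-Service-Type values modelled)."""
    for atype, value in parse_attributes(attr_bytes):
        if atype == IETF_SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE:
                return "Administrator"
        elif atype == VENDOR_SPECIFIC and len(value) >= 10:
            vendor_id, vtype, vlen, vvalue = struct.unpack("!IBBI", value[:10])
            if (vendor_id, vtype, vlen, vvalue) == (APC_VENDOR_ID, APC_SERVICE_TYPE, 6, APC_ADMINISTRATOR):
                return "Administrator"
    return "Read-Only"
```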

Useful links

How to configure RADIUS server to authenticate APC Network Enabled device? (Official KB FA156083 article)
How to configure FreeRADIUS for APC UPS Authentication (Official KB FA232648 article)

SolarWinds NCM “Device Template” for Cisco ACS 5.6. [TESTED]

By default, NCM doesn’t have a dedicated “Device Template” for Cisco ACS 5.X; NCM picks the closest template by SysObjectID. Note that the SysObjectID depends on the particular ACS version: ACS 5.6, for example, has 1.3.6.1.4.1.9.1.1117. The default template for Cisco IOS works fine, but ADE-OS on ACS 5.X (at least on 5.5 and 5.6) requires the SSH session to be closed properly (by issuing exit).

You can find a template for ACS on thwack; it’s OK, but it needs to be modified. Here are the important changes:

... Device="Cisco ACS 5.6" SystemOID="1.3.6.1.4.1.9.1.1117" ...
... Name="DownloadConfig" Value="show ${ConfigType}${CRLF}exit" ...

SolarWinds - “Last Boot” OID - False positive ACS server restart.

This morning I’ve noticed an event in SolarWinds:

ACS-01.example.com rebooted at 2/28/2015 03:20:00 PM

Then I checked it from ADE-OS CLI:

ACS-01/admin# show uptime
97 day(s), 05:14:30
ACS-01/admin#

This output matches the uptime OID (HOST-RESOURCES-MIB::hrSystemUptime.0):

snmpwalk -c 'COMMUNITY' -v 2c 192.168.1.1 1.3.6.1.2.1.25.1.1.0
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (840434124) 97 days, 5:21:21.24

But SolarWinds uses a different OID for the “Last Boot” info: “DISMAN-EVENT-MIB::sysUpTimeInstance.0”. SolarWinds polls it every “Polling Interval” (120 sec by default):

snmpwalk -c 'COMMUNITY' -v 2c 192.168.1.1 1.3.6.1.2.1.1.3.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (17154318) 1 day, 23:39:03.18

I checked the log messages and found that snmpd had been rebooted, but nothing related to the real cause of this reboot…

ACS-01/admin# show logging system | i snmp
         23 Feb 28 2015 09:40:01  snmpd.log
ACS-01/admin#
ACS-01/admin# show logging system snmpd.log
NET-SNMP version 5.7.1
ACS-01/admin#
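The two uptime counters above can be compared automatically to tell an snmpd restart from a real reboot. This is an added example, not part of the post or of SolarWinds; the sample lines are constructed from the snmpwalk output quoted above, and the 300 s tolerance is an assumed allowance for the two OIDs not being polled at the same instant.

```python
import re

# snmpwalk renders TimeTicks as "Timeticks: (<ticks>) <human readable>"; one tick is 1/100 s.
TIMETICKS_RE = re.compile(r"Timeticks:\s*\((\d+)\)")

# Constructed sample lines, modelled on the snmpwalk output quoted in the post.
SYS_UPTIME_LINE = "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (17154318) 1 day, 23:39:03.18"
HR_UPTIME_LINE = "HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (840434124) 97 days, 5:21:21.24"


def parse_timeticks(line):
    """Extract the raw tick count from one snmpwalk output line."""
    match = TIMETICKS_RE.search(line)
    if match is None:
        raise ValueError(f"no Timeticks value in: {line!r}")
    return int(match.group(1))


def ticks_to_seconds(ticks):
    """TimeTicks are hundredths of a second."""
    return ticks // 100


def classify_reboot_alert(sys_uptime_line, hr_uptime_line, tolerance_seconds=300):
    """Decide whether a 'rebooted' alert derived from sysUpTime is genuine.

    sysUpTime (1.3.6.1.2.1.1.3.0) counts from the last restart of the SNMP
    agent, while hrSystemUptime (1.3.6.1.2.1.25.1.1.0) counts from the last
    host boot. When the host has been up far longer than the agent, the agent
    restarted on a running host and the alert is a false positive. The
    tolerance (assumed) absorbs the gap between the two polls.
    """
    agent_up = ticks_to_seconds(parse_timeticks(sys_uptime_line))
    host_up = ticks_to_seconds(parse_timeticks(hr_uptime_line))
    if host_up - agent_up > tolerance_seconds:
        verdict = "false positive: SNMP agent restarted, host did not reboot"
    else:
        verdict = "genuine reboot: host and agent uptime agree"
    return verdict, host_up, agent_up


if __name__ == "__main__":
    verdict, host_up, agent_up = classify_reboot_alert(SYS_UPTIME_LINE, HR_UPTIME_LINE)
    print(f"{verdict} (host up {host_up // 86400} days, agent up {agent_up // 86400} days)")
```

A poller that runs this check every polling interval can suppress the “rebooted” event whenever hrSystemUptime keeps counting while sysUpTime resets.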

That’s why I opened a TAC case and got an explanation, https://tools.cisco.com/bugsearch/bug/CSCte39351:

Symptom: ACS SNMP daemon stopping

Workaround:
- reboot ACS appliance
- restart ACS SNMP daemon

Per Cisco TAC reply, the fix for the bug will be released on ACS 5.7 which is planned for May of this year.

Some other links (not really useful):
A false alert, indicating that a monitored object has rebooted, is firing, when the monitored object is actually up and functioning as normal. - It recommends creating a custom poller, but that will not replace the existing one, so this is useless.
Polling and reporting real uptime - Good thing, but it’s too complicated.

Cisco ACS 5.X - How to capture the network traffic. [TESTED]

This is simple, but not all filter expressions are allowed. For example, if you need to see CDP frames ONLY, using a filter like 'ether[20:2] == 0x2000', you will probably have to install the Cisco ACS 5.X Root Patch to get it done.

Example

Here is an example of how to capture 200 packets to/from 192.168.1.251 on the bond0 interface and save the result as the example10.cap file. You can stop the capture at any time by pressing Ctrl+C.

hostname/admin# tech dumptcp "-i bond0 -s 0 -w example10.cap -c 200 host 192.168.1.251"
Invoking tcpdump. Press Control-C to interrupt.
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
12 packets captured
12 packets received by filter
0 packets dropped by kernel
hostname/admin#
hostname/admin# dir | i \.cap
      64445 Oct 31 2014 10:36:16  example01.cap
     328264 Oct 31 2014 10:49:40  example02.cap
       1110 Jan 12 2015 13:54:08  example10.cap
hostname/admin#

Then you can upload the file to your local PC for analysis:

hostname/admin# copy disk:/example10.cap ftp://1.1.1.1/
