Cisco ACS 5.5 - How to download a file from ACS. [SOLVED]

I tried to use PuTTY (as usual) to capture the output of the “show tech-support” command. I don’t know why, but the output came out mangled (some “Word Wrap” problem). So I tried a workaround: redirect the output to a file and then transfer it to my PC via FTP:

hostname/admin# show tech-support file 2014-10-30-tech-support
/opt/system/bin/show_tech.sh: line 171: sdparm: command not found
connect: Network is unreachable
% Error: acs manifest has no TAC information
hostname/admin# dir

Directory of disk:/

     105808 Oct 30 2014 11:03:34  2014-10-30-tech-support.tar.gz
          0 Jun 19 2014 10:19:39  acsRuntime.log
       4096 Jun 19 2014 10:19:39  config/
      16384 Jan 03 2014 04:39:36  lost+found/

           Usage for disk: filesystem
                  188813312 bytes total used
                62417653760 bytes free
                66013917184 bytes available
hostname/admin#
hostname/admin# copy disk:/2014-10-30-tech-support.tar.gz ftp://1.1.1.1/

You must use disk:/ in front of the file name rather than the bare name, and you can’t put the username and password in the FTP URL like ftp://user:pass@hostname.

That’s it guys!

Cisco ACS 5.5 - How to add SFTP repository and configure scheduled backup. [SOLVED]

I created a short note about “freeSSHd” a few moments ago. I installed it for ACS, to store the backup files.

Add a repository (by CLI or Web GUI). Either way, you have to add the “hostkey” (RSA) of the SFTP server manually using the CLI. If you don’t, you will get the following:

hostname/admin# show backup history
Thu Oct 30 14:13:48 PDT 2014: backup test-141030-1413.tar.gpg to repository Backup: error - transfer failed
hostname/admin#
hostname/admin# show repository Backup
% Error : Operation failed due to one of the following reasons
1. host key is not configured
2. host key is removed because of re-image
3. host key is removed from some other repository having same ip/hostname
% Please add the host key using the crypto host_key exec command
% SSH connect error
hostname/admin#
hostname/admin# repository Backup
% Warning: Host key of the server must be added using 'crypto host_key add' exec command before sftp repository can be used.
hostname/admin(config-Repository)#

GUI says:

Note: Host key of sftp server must be added through CLI using host-key option

The solution is really simple:

hostname/admin# crypto host_key add host 1.1.1.1
host key fingerprint added
# Host 1.1.1.1 found: line 1 type RSA
1024 ad:ea:e2:44:83:db:04:f8:56:1c:56:a5:49:be:65:38 1.1.1.1 (RSA)
hostname/admin# show crypto host_keys
1024 ad:ea:e2:44:83:db:04:f8:56:1c:56:a5:49:be:65:38 1.1.1.1 (RSA)
hostname/admin#
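
ACS identifies the stored host key by an MD5 fingerprint in the same format that `ssh-keygen -l -E md5` prints. The script below is an added example, not part of this post and not Cisco or freeSSHd code: it computes that fingerprint from the server's OpenSSH `ssh-rsa` public key line (for instance the line `ssh-keyscan -t rsa <server>` prints, obtained out of band from the server owner), so the value `crypto host_key add` stored can be compared with the key the SFTP server really serves rather than accepted blindly. The embedded key is a constructed dummy with a made-up 1024-bit modulus, and all function names are my own.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian magnitude, 0x00 prepended if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one wire-format string starting at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_rsa_pubkey_line(line: str):
    """Parse 'ssh-rsa <base64> [comment]' or the known_hosts/ssh-keyscan form
    '<host> ssh-rsa <base64>' into (raw_blob, e, n)."""
    parts = line.split()
    try:
        i = parts.index("ssh-rsa")
    except ValueError:
        raise ValueError("expected an OpenSSH ssh-rsa public key line") from None
    if i + 1 >= len(parts):
        raise ValueError("ssh-rsa line has no key data")
    blob = base64.b64decode(parts[i + 1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match ssh-rsa")
    e_bytes, off = _read_string(blob, off)
    n_bytes, _ = _read_string(blob, off)
    return blob, int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def md5_fingerprint(line: str) -> str:
    """Colon-separated MD5 of the decoded key blob, as 'ssh-keygen -l -E md5' shows it."""
    blob, _, _ = parse_rsa_pubkey_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def key_bits(line: str) -> int:
    """Modulus length in bits: the leading number in the 'show crypto host_keys' line."""
    _, _, n = parse_rsa_pubkey_line(line)
    return n.bit_length()


def acs_style_line(line: str, host: str) -> str:
    """Render the key the way 'show crypto host_keys' displays it."""
    return f"{key_bits(line)} {md5_fingerprint(line)} {host} (RSA)"


def fingerprint_matches(line: str, expected: str) -> bool:
    """Compare the computed fingerprint with the expected one (case-insensitive, constant-time)."""
    return hmac.compare_digest(md5_fingerprint(line), expected.strip().lower())


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Assemble an OpenSSH ssh-rsa line from e and n; used here only to build the sample."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed sample key: the modulus is a made-up 1024-bit number, not a real RSA key.
SAMPLE_LINE = build_rsa_pubkey_line(65537, (1 << 1023) | 0x10001, "sftp-backup-host")

if __name__ == "__main__":
    # Replace the second argument with the fingerprint 'crypto host_key add' printed.
    print(acs_style_line(SAMPLE_LINE, "1.1.1.1"))
    print("match:", fingerprint_matches(SAMPLE_LINE, md5_fingerprint(SAMPLE_LINE)))
```

Recent OpenSSH releases print SHA256 fingerprints by default, which is why the MD5 form is computed here explicitly; it is only a lookup key for comparing with what ACS shows, not a security property of the key itself.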

Then you can configure the scheduled backup using the official documentation:

ACS Backup with an FTP Repository Configuration Example.
Configuring Data Purging and Incremental Backup.

Basically you have to look through the following configuration sections:
• acsadmin > System Administration > Operations > Scheduled Backups
• acsview > Monitoring Configuration > System Operations > Data Management > Removal and Backup

How to install freeSSHd. [SOLVED]

Just real quick.

I spent so much time setting this up, so… let it be documented.

Download freeSSHd (the current version of freeSSHd.exe is 1.2.6) and install it (tested on “Microsoft Windows Server 2012 R2 Standard” as part of an AD infrastructure). If you try to start the application (for example, using a shortcut) you get an error:

You don’t have administrator rights! freeSSHd will close!

I asked Uncle Google and got the answer. Just use it.

Then you have to stop the service (using services.msc) and close any instances that are already running. This is really important. You can check whether anything is still listening on port 22 from the command line (PowerShell here):

PS C:\Users\admin> netstat -an | Select-String ":22"
PS C:\Users\admin>

Then start freeSSHd.exe using the shortcut with “Run as administrator” (important) and configure it (folder, users). Then you can stop it, start the service and log out from the server. You can do the final check using WinSCP.

This is how it goes.

Cisco ACS 5.5 - NIC Teaming or Bonding interfaces.

If you have Cisco ACS installed on a standalone server like the SNS-3400, you are probably looking for some basic way to increase availability/redundancy for that service. There is one option available in ACS 5.5. Some quotes below.

Cisco ACS 5.5 - Q&A > New Features:

• NIC bonding (a virtual IP address shared by all enabled Ethernet interfaces)

Release Notes for Cisco Secure Access Control System 5.5 > System Operation Enhancements > NIC Bonding

NIC Bonding—ACS supports the bonding of two physical interfaces into a single virtual interface. This feature is called Network Interface Card (NIC) Bonding. This bonding of two physical interfaces into one virtual interface helps ACS process the authentication requests when one of the two interfaces goes down. When one physical interface in the bond goes down, the other physical interface in the same bond works as a standby and processes all the requests that come to this bonding. The NIC bonding feature in ACS provides a backup of one physical interface only when the other interface is down; the other general features of NIC bonding, such as load balancing, are not supported. In ACS 5.5, you can create two bonds with the available four Ethernet interfaces.

There is more detailed info in the Installation and Upgrade Guide for Cisco Secure Access Control System 5.5 > Bonding Ethernet Interfaces:

Guidelines for creating NIC bonding in ACS:

• Bond 0—You can combine Ethernet interface 0 and Ethernet interface 1 to make bond 0. Ethernet interfaces 0 and 1 act as slaves of bond 0. For bond 0, Ethernet interface 0 is the primary slave, and Ethernet interface 1 is the secondary slave. Therefore, when Ethernet interface 0 goes down, Ethernet interface 1 acts as a backup for Ethernet interface 0 and processes all requests. Ethernet interface 1 cannot be the primary slave in bond 0. Bond 0 takes the IP address of Ethernet interface 0 and removes the IP address of Ethernet interface 1. Bond 0 takes the MAC address of Ethernet interface 0 and assigns the same to Ethernet interface 1.

• Bond 1—You can combine Ethernet interface 2 and Ethernet interface 3 to make bond 1. Ethernet interfaces 2 and 3 act as slaves of bond 1. For bond 1, Ethernet interface 2 is the primary slave, and Ethernet interface 3 is the secondary slave. Therefore, when Ethernet interface 2 goes down, Ethernet interface 3 acts as a backup for Ethernet interface 2 and processes all requests. Ethernet interface 3 cannot be the primary slave in bond 1. Bond 1 takes the IP address of Ethernet interface 2 and removes the IP address of Ethernet interface 3. Bond 1 takes the MAC address of Ethernet interface 2 and assigns the same to Ethernet interface 3.

• ACS can have only two bonds, bond 0 and bond 1, as stated above. You cannot bond interfaces 1 and 2 together. It is not possible to make the Ethernet 2 or Ethernet 3 interfaces a backup interface for Ethernet 0.

• Within a single bond, the two physical Ethernet interfaces that are involved should be from the same subnet. You cannot create interface bonding with Ethernet interfaces from different subnets. Ethernet interface 0 should be assigned an IPv4 address before creating bond 0. Similarly, you cannot create bond 1 without an IPv4 or IPv6 address assigned to Ethernet 2 interface.

• Ethernet interface 0 acts as both the management interface and the runtime interface, whereas the other three interfaces act as runtime interfaces. In ACS, you can create bond 0 and leave the Ethernet interfaces 2 and 3 as is. In this case, bond 0 acts as a management and runtime interface, and Ethernet interfaces 2 and 3 act as runtime interfaces. If you create two bonds, bond 0 and bond 1, bond 0 acts as a management and runtime interface, and bond 1 acts as a runtime interface.

• You can change the IP address of the primary slave interface in a bonding. The new IP address is assigned to the bonding interface because bonding takes the IP address of the primary slave.

• When you break the interface bonding, the IP address assigned to the bonding interface is assigned back to the primary slave interface. The secondary slave will be down without any IP address. You must manually configure an IP address for the secondary slave.

• If you want to configure interface bonding to an ACS instance in a distributed deployment, deregister the ACS instance from the deployment, configure interface bonding, and then register the ACS instance back to the deployment.

Well, based on all the info above, I concluded that it works as Mode 1:

Mode 1 - active-backup

Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

Then I did some tests with switches and an SNS-3400 server. I lost only 2 pings during the failover. Both bonded interfaces have the same MAC and IP addresses, but they act as active-backup, so no special switch configuration is needed. You can just connect the server ports to different switches in the same VLAN and that’s it. You are all set.
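
To make the guidelines above concrete, here is an added example (my own model, not Cisco code) that encodes them as a pre-check you can run against a planned interface layout: which interfaces may form bond 0 and bond 1, the same-subnet and address requirements, which IP and MAC the bond inherits, how active-backup (mode 1) picks the slave that carries traffic, and what happens to the addresses when the bond is broken. The interface names, MACs and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Fixed pairings from the guidelines: bond 0 = eth0 (primary) + eth1, bond 1 = eth2 (primary) + eth3.
BOND_MEMBERS = {0: ("eth0", "eth1"), 1: ("eth2", "eth3")}


@dataclass(frozen=True)
class Iface:
    name: str
    mac: str
    addr: Optional[str] = None  # "10.0.0.5/24" or "2001:db8::5/64"; None means no address


@dataclass(frozen=True)
class Bond:
    bond_id: int
    primary: Iface
    secondary: Iface
    addr: str               # taken from the primary slave
    mac: str                # taken from the primary slave and assigned to both
    active: Optional[str]   # name of the slave currently carrying traffic, None if both down


def bond_problems(bond_id: int, ifaces: dict) -> list:
    """Return the guideline violations that would prevent creating bond_id (empty if none)."""
    if bond_id not in BOND_MEMBERS:
        return [f"only bond 0 and bond 1 exist, not bond {bond_id}"]
    pname, sname = BOND_MEMBERS[bond_id]
    missing = [f"{n} is not present" for n in (pname, sname) if n not in ifaces]
    if missing:
        return missing
    primary, secondary = ifaces[pname], ifaces[sname]
    problems = []
    if primary.addr is None:
        problems.append(f"{pname} needs an IP address before creating bond {bond_id}")
    elif bond_id == 0 and ipaddress.ip_interface(primary.addr).version != 4:
        problems.append("bond 0 requires an IPv4 address on eth0")
    if primary.addr and secondary.addr:
        p_net = ipaddress.ip_interface(primary.addr).network
        s_net = ipaddress.ip_interface(secondary.addr).network
        if p_net != s_net:
            problems.append(f"{pname} ({p_net}) and {sname} ({s_net}) are in different subnets")
    return problems


def create_bond(bond_id: int, ifaces: dict) -> Bond:
    """Build the bond as the guidelines describe it, or raise ValueError listing the violations."""
    problems = bond_problems(bond_id, ifaces)
    if problems:
        raise ValueError("; ".join(problems))
    pname, sname = BOND_MEMBERS[bond_id]
    primary, secondary = ifaces[pname], ifaces[sname]
    # The bond takes the primary's IP and MAC; the secondary loses its IP and gets the primary's MAC.
    return Bond(bond_id, primary, replace(secondary, addr=None, mac=primary.mac),
                primary.addr, primary.mac, primary.name)


def failover(bond: Bond, link_up: dict) -> Bond:
    """Mode 1 (active-backup): the primary carries traffic whenever it is up, else the secondary."""
    if link_up.get(bond.primary.name, True):
        return replace(bond, active=bond.primary.name)
    if link_up.get(bond.secondary.name, True):
        return replace(bond, active=bond.secondary.name)
    return replace(bond, active=None)


def break_bond(bond: Bond) -> dict:
    """Undo the bond: the IP goes back to the primary; the secondary is left without an address."""
    return {
        bond.primary.name: replace(bond.primary, addr=bond.addr),
        bond.secondary.name: replace(bond.secondary, addr=None),
    }


# Constructed sample layout: eth0/eth1 share a subnet, eth2/eth3 do not.
SAMPLE_IFACES = {
    "eth0": Iface("eth0", "00:11:22:33:44:00", "10.0.0.5/24"),
    "eth1": Iface("eth1", "00:11:22:33:44:01", "10.0.0.6/24"),
    "eth2": Iface("eth2", "00:11:22:33:44:02", "10.0.1.5/24"),
    "eth3": Iface("eth3", "00:11:22:33:44:03", "10.0.2.5/24"),
}

if __name__ == "__main__":
    b0 = create_bond(0, SAMPLE_IFACES)
    print("bond 0:", b0.addr, b0.mac, "active:", b0.active)
    print("eth0 down ->", failover(b0, {"eth0": False}).active)
    print("bond 1 problems:", bond_problems(1, SAMPLE_IFACES))
```

Running it on the sample shows bond 0 inheriting eth0's address and MAC and falling back to eth1 only while eth0 is down, and bond 1 refused because eth2 and eth3 sit in different subnets, which is the case the guidelines rule out.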

Cisco ACS 5.5 - Patch installation. [SOLVED]

The official documentation “Upgrading the Cisco Secure Access Control System” contains no detailed info or example of how the appliance should behave and how long recovery takes…

So, first download the patch (in my case it is 5-5-0-46-6.tar.gpg) and its Readme. Upload them to the repository (in my case, an ordinary FTP server running on a laptop). Personally I use Quick ‘n Easy FTP Server Lite Version 3.2 because it runs on every version of Windows and is portable.

Check the current software version. Out of curiosity, also check the service status. As far as I understood, its state doesn’t matter for the upgrade; it will be stopped anyway.

acs-test-1/admin# show application version acs

Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.5.0.46
Internal Build ID : B.723

acs-test-1/admin#
acs-test-1/admin# show application status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

acs-test-1/admin#

Next, create the repository. This can be done through the Web GUI, but it can all be done from the console as well; in any case, the patch has to be installed from the CLI. Then check which files are available.

acs-test-1/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
acs-test-1/admin(config)#  repository TEMP
acs-test-1/admin(config-Repository)# url ftp://10.0.0.254/
acs-test-1/admin(config-Repository)# user ftpuser password plain ftppass
acs-test-1/admin(config-Repository)# do show repository TEMP
5-5-0-46-6.tar.gpg
Acs-55Patch6-Readme.txt
acs-test-1/admin(config-Repository)#
acs-test-1/admin(config-Repository)# exit
acs-test-1/admin(config)# exit
acs-test-1/admin#

Load the patch and answer YES to the question about rebooting the server. The server goes into a reboot and comes back after about 3 minutes, but the service comes up only after about 6 minutes in total.

acs-test-1/admin# acs patch install 5-5-0-46-6.tar.gpg repository TEMP
 MD5: 2d13ba8888b572c09d84905b70265656
 SHA256: 396aa5860ca181854e020ac9a693f28ff8926d0aa5b1a3d1bb0a7271c027e194
% Please confirm above crypto hash matches what is posted on Cisco download site.
% Continue? Y/N [Y] ? y
Installing ACS patch requires a restart of ACS services. Continue?  (yes/no) yes
Calculating disk size for /opt/CSCOacs/patches
Total size of patch files are 810 M.
Max Size defined for patch files are 2000 M.
Stopping ACS.
Stopping Management and View...............................................................
Stopping Runtime...........................
Stopping Database........
Stopping Ntpd...............
Cleanup..
Stopping log forwarding .....
Installing patch version '5.5.0.46.6'
Installing ADE-OS 2.0 patch.  Please wait...
About to install files
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
Removing old war
This patch includes security fixes which requires ACS server reboot. It is highly recommended to proceed with reboot
Do you want to reboot the server ? Y/N : y
You have choosen to reboot the server, Rebooting ...

Broadcast message from root (pts/1) (Mon Oct 20 14:51:30 2014):

The system is going down for reboot NOW!

Broadcast message from root (pts/1) (Mon Oct 20 14:51:30 2014):

The system is going down for reboot NOW!
/opt/CSCOacs/patches/5-5-0-46-6
Patch '5-5-0-46-6' version '5.5.0.46.6' successfully installed
Starting ACS ....

To verify that ACS processes are running, use the
'show application status acs' command.
acs-test-1/admin#
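
The install prompt above asks you to confirm that the MD5/SHA256 it prints match the values on the Cisco download site. The following is an added example (not part of this post and not Cisco tooling) for making that comparison on the downloaded patch file before it is placed on the repository at all, streaming the file so an 810 MB archive is not read into memory at once. The expected values are passed in from the download page; the function names are my own, and the bytes used in the usage section are constructed samples.

```python
import hashlib
import hmac
from typing import Optional


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests of in-memory data (the two values ACS prints)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests, streamed in 1 MB chunks so a large patch file is never fully loaded."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def check_hashes(actual: dict, expected_md5: Optional[str] = None,
                 expected_sha256: Optional[str] = None) -> dict:
    """Compare computed digests with the vendor-published ones.

    Returns {"ok", "checked", "mismatch", "md5", "sha256"}. SHA256 is the value that
    matters; MD5 is compared only because ACS prints it as well. Raises ValueError when
    no expected value was supplied, so "nothing to compare" can never read as success.
    """
    expected = {"md5": expected_md5, "sha256": expected_sha256}
    checked, mismatch = [], []
    for algo, value in expected.items():
        if value is None:
            continue
        checked.append(algo)
        # Constant-time comparison; published hashes are often shown in upper case.
        if not hmac.compare_digest(actual[algo], value.strip().lower()):
            mismatch.append(algo)
    if not checked:
        raise ValueError("no expected hash supplied; refusing to report success")
    return {"ok": not mismatch, "checked": checked, "mismatch": mismatch, **actual}


def verify_patch_bytes(data: bytes, expected_md5: Optional[str] = None,
                       expected_sha256: Optional[str] = None) -> dict:
    return check_hashes(hash_bytes(data), expected_md5, expected_sha256)


def verify_patch_file(path: str, expected_md5: Optional[str] = None,
                      expected_sha256: Optional[str] = None) -> dict:
    return check_hashes(hash_file(path), expected_md5, expected_sha256)


if __name__ == "__main__":
    import sys
    # Usage: python verify_patch.py 5-5-0-46-6.tar.gpg <sha256 from the Cisco download page>
    result = verify_patch_file(sys.argv[1], expected_sha256=sys.argv[2])
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it against the file on the laptop before uploading, then compare the digests ACS prints during `acs patch install` with the same published values; if the two computations disagree, the copy on the repository is not the file you verified.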

Once the server is back, check the version and status:

login as: admin
Using keyboard-interactive authentication.
Password:
Last login: Mon Oct 20 14:37:49 2014 from 10.0.0.254
acs-test-1/admin# show application version acs

Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.5.0.46.6
Internal Build ID : B.723
Patches :
5-5-0-46-6

acs-test-1/admin#
acs-test-1/admin# show app status acs

ACS is busy applying a recent configuration change
requiring enabling/disabling of processes.
Status is unavailable.
Please check again in a minute.

acs-test-1/admin# show app status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                Changed
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

acs-test-1/admin#
acs-test-1/admin# show app status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                running (HTTP is nonresponsive)
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

acs-test-1/admin#
acs-test-1/admin# show app status acs

ACS role: PRIMARY

Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'ntpd'                      running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

acs-test-1/admin#

That’s all. In my case the patch installation went fine both on a VMware test bench and on the production server.
