AAA secondary ACS entry

Hello

I have 802.1X and MAB configured. I added a second ACS server and added the switch definition to it.
My problem is that the ACS works well when it is set as the primary in the switch. But when it is configured as the backup and I force a failure on the primary, the switch does not try to use the backup ACS.

Can someone please give me some pointers on my configuration below?

Thank you

aaa group server radius rrrr
 server-private 10.4.25.117 auth-port 1645 acct-port 1646 key 7 01100F175804575D72
 server-private 10.4.25.114 auth-port 1645 acct-port 1646 key 7 01100F175804575D72
 ip radius source-interface Vlan200
!
aaa new-model

aaa authentication dot1x default group rrrr
aaa authorization exec default local if-authenticated
aaa authorization network default group rrrr
aaa accounting dot1x default start-stop group rrrr

interface FastEthernet0/1
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 2
 authentication control-direction in
 authentication event fail action authorize vlan 100
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 4
 spanning-tree portfast

Hi Tiago,

The fix was to set up the following:

radius-server retransmit 2

radius-server timeout 3

to allow the transition to the secondary ACS server before the other authentication methods start. The switch was still retrying authentication before it moved on to the second ACS.

Thanks for your help.
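Worked example (added here, not code from the thread): a small Python model of why the retransmit/timeout change matters. It parses IOS-style lines like the ones in the post and computes how long the switch spends on a dead primary before the secondary ever receives a request; the 5 s timeout and 3 retransmits used when nothing is configured are assumed IOS defaults.

```python
"""Failover timing of an IOS RADIUS server group (added example, not from
the thread). The switch moves to the next server only after one request
plus `retransmit` retries have each waited `timeout` seconds."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed IOS defaults when no radius-server timeout/retransmit is set.
DEFAULT_TIMEOUT = 5
DEFAULT_RETRANSMIT = 3


@dataclass
class RadiusServer:
    address: str
    timeout: Optional[int] = None     # per-server override, if given
    retransmit: Optional[int] = None  # per-server override, if given


@dataclass
class RadiusGroup:
    name: str = ""
    servers: List[RadiusServer] = field(default_factory=list)
    timeout: int = DEFAULT_TIMEOUT        # global radius-server timeout
    retransmit: int = DEFAULT_RETRANSMIT  # global radius-server retransmit

    def seconds_on(self, i: int) -> int:
        """Seconds spent waiting on servers[i] before giving up on it."""
        s = self.servers[i]
        t = self.timeout if s.timeout is None else s.timeout
        r = self.retransmit if s.retransmit is None else s.retransmit
        return t * (r + 1)

    def first_try_of(self, i: int) -> int:
        """Seconds into the session before servers[i] gets its first request."""
        return sum(self.seconds_on(k) for k in range(i))

    def exhausted_after(self) -> int:
        """Seconds until every server has timed out, i.e. when the
        'authentication event server dead' action would kick in."""
        return self.first_try_of(len(self.servers))


def parse_ios(config: str) -> RadiusGroup:
    """Pick the group, its servers and the global timers out of IOS config."""
    group = RadiusGroup()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa group server radius (\S+)", line):
            group.name = m.group(1)
        elif m := re.match(r"server(?:-private)? (\S+)(.*)", line):
            opts = m.group(2)
            to = re.search(r"\btimeout (\d+)", opts)
            rt = re.search(r"\bretransmit (\d+)", opts)
            group.servers.append(RadiusServer(
                m.group(1),
                int(to.group(1)) if to else None,
                int(rt.group(1)) if rt else None))
        elif m := re.match(r"radius-server timeout (\d+)", line):
            group.timeout = int(m.group(1))
        elif m := re.match(r"radius-server retransmit (\d+)", line):
            group.retransmit = int(m.group(1))
    return group


# Constructed from the thread's group; the type-7 keys are replaced by a placeholder.
BEFORE = """\
aaa group server radius rrrr
 server-private 10.4.25.117 auth-port 1645 acct-port 1646 key 7 <KEY>
 server-private 10.4.25.114 auth-port 1645 acct-port 1646 key 7 <KEY>
"""
# The reply's fix: fewer retries, shorter wait per try.
AFTER = BEFORE + "radius-server retransmit 2\nradius-server timeout 3\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        g = parse_ios(cfg)
        print(f"{label}: {g.seconds_on(0)} s on the primary, secondary first tried "
              f"at {g.first_try_of(1)} s, both dead after {g.exhausted_after()} s")
```

With the defaults the secondary is not even contacted for 20 s; with the reply's settings that drops to 9 s, and the whole group is declared dead at 18 s instead of 40 s.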

Tags: Cisco Security

Similar Questions

  • Secondary ACS does not authenticate

    I installed a secondary ACS; database replication works correctly.

    But when I try to use the secondary ACS server to authenticate a user, I can't authenticate successfully.

    In Reports and Activity (secondary ACS), nothing appears.

    In the primary ACS, under failed attempts, I see an "unknown NAS" with the IP address of the secondary ACS; it seems the secondary only tries to use the primary to authenticate...

    Where am I wrong?

    Thank you

    Daniele

    Hi Daniele,

    It is because of the proxy distribution setting on the secondary ACS. On the secondary ACS go to ACS --> Network Configuration --> Proxy Distribution Table --> move your secondary ACS into the 'Forward To' box.

    That should fix it.

    Kind regards

    ~ JG


  • Secondary ACS does not authenticate

    I have two ACS 1113 appliances running 4.1 Build 24(1). The first is the primary and replicates nightly to the secondary at our DR site. Although in different locations, they are both in the same VLAN with no firewalls or access lists in between. All my devices authenticate to my primary ACS unless it is down, in which case they must authenticate to the secondary ACS. The problem is that I have no problem with authentication on my primary ACS, but I can't get anything to authenticate to my secondary (after taking the primary down to test). When trying to authenticate to my secondary, I get no log for a successful or failed authentication after my attempts fail. In addition, while my attempts fail, I try to log in to the devices locally and my authorization fails - again with no log on the ACS. However, when I remove the device from the NDG in the secondary ACS, I'm able to log on locally to the network device.

    I believe that with the device in the NDG within the ACS, there is some communication failing for my attempts (although it does not log anything), since I can take the device off that NDG and go through local authentication. I was running code 4.0 with the same issue and thought that the update would fix the problem... but obviously I have something else to do here.

    Any comments or suggestions would be greatly appreciated.

    This is on the secondary ACS.

    ACS ---> Network Configuration ---> Proxy Distribution Table ---> click Default ---> if you see the AAA server listed under 'Forward To' ---> drag it to 'AAA Servers' ---> and whatever is under 'Forward To' ---> drag the AAA server there ---> Submit + Apply.

    It should work now.

    If you do not see the Proxy Distribution option then go to ACS ---> Interface Configuration ---> Advanced Options ---> enable Distributed System Settings.

    That should fix it.

    Kind regards

    ~ JG


  • AAA authorization with ACS Shell Sets

    Hi all

    I use a Cisco 871 router running version 12.4(11)T Advanced IP Services.

    I have difficulty getting AAA authorization to work properly with ACS.

    I am able to configure users fine in ACS and assign them shell and privilege level 7.

    I then set up a Shell Command Authorization Set and enter the commands configure and terminal.

    When I log in as a user, I get an exec with privilege level 7 no problem, but I never seem to be able to
    access global configuration mode by typing in conf (or configure) terminal or t.

    If I type con? the only command is connect; configure is never an option...

    The only way I can get this to work is by entering the command:

    privilege exec level 7 configure terminal

    I thought the whole purpose of the ACS Shell Set was to provide this information to the router?

    It's frustrating.

    The ACS server is set up with the Shell Command Authorization Set named Level_7.

    It is assigned to the relevant groups and I have the 'Unmatched Commands' option set to 'Permit'.

    The "Permit Unmatched Args" box is also selected.

    See an extract of my IOS config below:

    aaa new-model
    !
    !
    aaa group server tacacs+ ACS
     server 10.90.0.11
    !
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    !
    tacacs-server host 10.90.0.11 key cisco
    !
    !
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    !

    Hope you can help me with this one...

    PS I tried with the privilege commands on the router and with them removed from the router, and I just keep getting the same results!

    Hello

    So,

    You're actually using two different options and trying to couple them together. What I would say is: either use the shell command authorization feature or play with privilege levels, not both mixed together.

    The above scenario might work if you move the commands to level 6 and give the user privilege level 7. I can't be sure. Try it and share the results.

    What I suggest is bringing the commands back to their normal level.

    Provided below are the steps to set up shell command authorization:

    -------------------------------------------
    Follow these steps on the router:
    -------------------------------------------

    !--- <username> is the desired username
    !--- <password> is the password
    !--- Creates a local username and password for us,
    !--- in case we are not able to get authenticated via
    !--- our TACACS+ server. To provide a backdoor.
    username <username> privilege 15 password <password>

    !--- To apply the aaa new-model on the router
    aaa new-model

    !--- The following command specifies our ACS
    !--- server location, where <ip> is the
    !--- IP address of the ACS server, and
    !--- <key> is the key, which must be the same on the ACS and the router.
    tacacs-server host <ip> key <key>

    !--- To get users authenticated through ACS when they try to log in.
    !--- If our router is unable to reach the ACS, we will use
    !--- the local username & password that we created above. This
    !--- prevents us from getting locked out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local

    !--- The following commands are for logging the user's activity
    !--- when the user connects to the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    --------------------
    ACS configuration
    --------------------

    [1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'.

    Provide any name.

    Provide a description (if necessary).

    (a) For a full administrative access set:

    In 'Unmatched Commands', select 'Permit'.

    (b) For a limited access set:

    In 'Unmatched Commands', select 'Deny'.

    Then type the main command in the field above the 'Add Command' button, and in the box below it the 'permit <args>' line for its arguments (the 'Permit Unmatched Args' box sits under it).

    For example, if we want the user to only have access to the following commands:

    login
    logout
    exit
    enable
    disable
    show

    Then the configuration should be:

    -----------------------------------------------
    - Permit Unmatched Args
    -----------------------------------------------

    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet 0
    show permit running-config

    ------------------------------------------------

    In the example above, the user will be allowed to run only these commands. If the user tries to run 'interface ethernet 1', the user will get "command authorization failed".

    [2] Press 'Submit'.

    [3] Go to the Group on which we want to apply this command authorization set. Select 'Edit Settings'.

    (more...)

  • Secondary ACS does not authenticate dynamic users

    Hi all

    I have two ACS for Windows servers with version 4.2. My problem is that if the primary ACS server is down, dynamic users from the Windows database are unable to authenticate with the secondary ACS. Please note that if a user is added to the ACS, this user can authenticate with the Windows database. Only the dynamic mapping does not work with the second ACS server.

    A quick response will be appreciated.

    Does the Unknown User Policy on both servers point to the Windows database? Are dynamic users enabled under the Unknown User Policy?

    Are these ACS for Windows servers, or ACS SE with a Remote Agent installed on an AD member server?

    If they are Remote Agents, see External User Databases > Windows Database Configuration > Remote Agent selection. Is the same Remote Agent selected on both ACS servers?

    Please be aware that if you change the order of the RAs it will remove all your group mappings.

  • Secondary ACS server: waiting.

    Hi all.

    I have the following problem. There are 3 ACS servers: 1 primary in Moscow, 2 secondary in Moscow, 3 secondary in Europe. Replication between the servers in Moscow is excellent; between the primary and the secondary in Europe it is not good: automatic replication is not working properly. Changes made on the primary server do not automatically replicate to the server in Europe (ACS admins, devices). A manual 'Full replication' works very well. Any ideas?

    Best regards. Picture attached:

    Here is your answer on replication ports:

    Replication on the Message Bus arrives on TCP port 61616. Full replication is on the Sybase DB, TCP port 2638.

    Thank you

    Tarik

  • Secondary ACS 5.1 fails to deregister after IP change on primary

    The IP address of the primary had to be changed, in response to a hardware failure of the RADIUS server whose IP was in several device configs.

    Now the secondary is unresponsive to repeated requests to "Deregister from primary", even after reloading,

    apparently because it can't reach the primary at the old IP address.

    Asking to deregister in the GUI generates a pop-up that says: "This operation will remove this ACS Instance from the primary Instance.

    On this ACS instance the management applications will be restarted and you will need to log in again.  After you perform this operation

    please wait five minutes for this restart to complete.

    Do you want to continue?"      [OK]

    But checking back after 10 minutes - or even the next day - finds the status of the secondary unchanged.

    Also tried, in Local Mode, deregistering from the primary; this operation also fails.

    Does anyone have the URL of a HOWTO on a total rebuild of the ACS application?

    The two ACS are PCA-1121-K9 running 5.1.0.44.4.

    Thanks in advance for any help...

    UPDATE: *.

    The command recommended, "acs reset-config", was _exactly_ what was needed.

    jrabinow - thanks a lot!    :-)

    Also, thanks for mentioning that the licence would be required, so that I could locate it in advance and have it ready.

    Since there are no local certs on the server, we should not need to re-install those.

    Since it is a secondary, it should not have too much in terms of specific configuration.

    Therefore, one possibility is to reset the configuration so that once more it becomes just a stand-alone node, and then register it to the deployment as for any new node, as you did before.

    Resetting the configuration can be done using the following command in the CLI:

    acs reset-config

    Note that after resetting the configuration you will need to reinstall the license, so make sure that you have it handy.

    So if you installed a server certificate on the secondary server, you need to have that too.

  • Reimage two ACS servers (primary & secondary) from v5.3 to v5.5?

    Hi, is it possible to successfully reimage two ACS servers from v5.3 to v5.5, and also successfully restore the backups, licenses and local certificates from v5.3? The current Log Collector is set to the primary. I have read a lot of documentation that refers only to upgrade paths.

    Would you recommend doing a reimage, or using the upgrade method?

    The upgrade method mentioned that I should swap my primary to secondary, re-point the log collector to the former primary, etc, etc... Seems a lot of work when a reimage might be easier?

    If you could advise on the best possible route, it would be most appreciated... Thank you very much...

    The procedure you mentioned is perfect.


    Knowledge sharing makes you immortal.

    Kind regards

    Ed

  • Doubt on RA VPN user AAA using ACS 5.3

    Hello

    I'm setting up a VPN on an ASA 8.4 with 2 groups - VPNGp1 and VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will have access to 5.6.7.0/24. User authentication will be done using RADIUS on ACS 5.3.

    On the ASA, I configured the VPN IP pools, VPN ACLs, tunnel groups and a group policy for each group.

    On the ACS, I created vpn-user1 and vpn-user2 for each of the 2 groups.

    I don't know if some more configuration must be done on the ASA and ACS... Do I need to add the new users - vpn-user1 and vpn-user2 - on the ASA, under each corresponding group policy, using the vpn-group-policy command?  Or do I need to do something else on the ACS?

    Finally, how can I configure authorization and accounting for VPN users? Do I have to do this on the ACS or the ASA?

    Please advise.

    Thank you.

    Hello

    Authentication using RADIUS aims to centralize user accounts and policies so that you will not have to configure these on the ASA. You must create an authentication server group that points to your ACS, then reference this server group in your tunnel-group so that user authentication requests will be forwarded to the ACS for authentication. For accounting you create an accounting server group and also assign it in your tunnel group configuration.

    On the ACS, you will need to create a network device which is the ASA, and the shared secret must be the same. You create a network authorization policy element with the permission settings, or you can choose Permit Access, which allows authentication to succeed without any special authorization.

    You can debug the session using debug crypto vpnclient 255 to view the authentication flow.

    Are you using SSL VPN (AnyConnect) for these sessions?

    Thank you

    Tarik Admani

  • Secondary ACS server does not authenticate users through 3850 WLC

    Hi - I have an issue where my secondary ACS server does not authenticate users when the primary is taken offline.  My configuration is:

    3850 WLC using code version 03.07.00E

    ACS version 5.6 (primary/secondary)

    The two ACS servers are added to the WLC (ACS-NLBP-01 (primary) / HEN-ACS-01 (secondary)), defined in the server group (ACS_AUTH) and also the method list (ACS_AUTH).  The ACS_AUTH method list is then applied to the SSID.

    A 'test aaa group ACS_AUTH' command for both ACS servers results in access accepted.  IP/RADIUS communication is operational between the WLC and both ACS servers.

    The 3850 configuration is also attached for reference.

    Any help would be appreciated.

    Thank you

    Scott

    Please add the below listed commands and test again when you can.

    radius-server deadtime <min>
    radius-server retransmit 1
    radius-server dead-criteria time 5 tries 1

    Configuring settings for all RADIUS servers

    HTH

    ~ Jousset

  • ACS 4.2 "secondary"

    Dear all,

    I have two ACS 4.2 servers; the primary one is well configured and all AAA clients authenticate successfully from it, and database replication also works very well between the two servers. The question is, when the primary one goes down the AAA clients do not authenticate to the secondary.

    Here is the configuration on all devices:

    aaa new-model
    !
    !
    aaa group server tacacs+ CISCO
     server 192.168.2.100
     server 192.168.2.101
    !
    aaa authentication login default group CISCO local
    aaa authorization exec default group CISCO if-authenticated
    !
    !
    tacacs-server host 192.168.2.100 timeout 5 key <key>
    tacacs-server host 192.168.2.101 timeout 5 key <key>
    !
    line vty 0 15
     login authentication default
    !

    Hi Hassan,

    Since you're using the tacacs+ group, there is no need for the lines below.

    tacacs-server host 192.168.2.100 timeout 5 key <key>
    tacacs-server host 192.168.2.101 timeout 5 key <key>

    Another option to make sure that your secondary ACS works fine: you can delete the primary ACS from your ACS group definition.

    HTH

    Kind regards

    Chris

  • Certificate issue on secondary ACS

    Hello

    We have the distributed deployment model of ACS, where the primary ACS does the configuration role and the secondary ACS does the monitoring role.

    Our root certificate expired two days back and we installed the new one on the primary ACS but forgot to install it on the secondary ACS.

    For this reason, some of our wireless users could not connect to wireless, with authentication failure messages.

    So my question is, are the primary and secondary ACS both accepting and answering AAA requests when we use the distributed deployment model?

    Or can anyone share a document from Cisco that shows this?

    The WLC sends authentication to the primary ACS server and will only use the secondary if there is no response from the primary. The WLC will not fall back to the primary unless the secondary does not respond, or if you have fallback active, in which case the WLC will check if the primary is up.

    Sent from Cisco Technical Support iPhone App

  • Cannot register a secondary ACS for replication with a primary ACS 5.2.

    Hello

    I hope someone can help me.  Currently, I have two Cisco ACS appliances and both are listed as PRIMARY.  The first ACS is running version 5.2.0.26 while the second ACS is running version 5.3.0.40.

    My original thought was to install the first ACS, make it serve as primary and have it replicate its data to the SECONDARY ACS.  Somehow, after installation, both ACS are now listed as PRIMARY.  When I go into the secondary ACS under Deployment Operations to try to register it with the primary, I get the following error message:

    "This failure has occurred.  Failed to authenticate with node.  Your changes have not been saved."

    Even if I try from the primary ACS to register it with the secondary ACS, I get the same error message.  I tried all passwords, including the credentials of the super admin user, my administrator credentials and the credentials used to SSH into the ACS, and nothing is helping.

    Reading online, I read there was a way to remove a secondary ACS, but I don't have the ability to add this server to the primary in order to "bump it down" to a secondary, hoping to register it with the primary ACS.

    If anyone can give me some pointers, I would greatly appreciate it.

    Thank you, and all have a wonderful day.

    Y

    Yvonne,

    If the license identifier is the same then definitely replication does not work; you will not be able to register with the primary if the license is the same. The good side is that you have the other license; you only need to install it.

    However, I have more bad news: the only way to re-install a license file in ACS 5.x is using the CLI command 'acs reset-config', but it will also delete all of the configuration that you have on this server, except the network configuration (IP, gateway, DNS, etc.).

    After entering this command, if you try to access the GUI you should now use the username and password acsadmin/default, then you will be asked to locate the license file.

    Here is a document with this information, where you need it:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/my_wkspc.html#wp1052906

  • Excluding Terminal Server lines from AAA authentication

    Hi all

    Hope you can help. I'm trying to find a solution to exclude only the following line port from AAA authentication (ACS TACACS+) on a Terminal Server card on a Cisco 2600 router.  Does anyone know how to do this, or can point me in the right direction to solve it?

    I've included the output below:

    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common

    line 41
     session-timeout 20
     location XXXXXX XXXXXX BT decoder
     no banner motd
     no exec-banner
     absolute-timeout 240
     modem InOut
     no exec
     transport input all
     stopbits 1
     speed 38400

    Is it a question of disabling the command on the line, or of using a defined group?

    Thanks a lot for your help.

    Jim.

    Hi Jim

    You may need to create another group for authentication for that line and amend your AAA configuration:

    line aux 0
     login authentication aux_auth

    aaa authentication login aux_auth line

    You can also configure a local username/password and map it to the group here...

    Console and telnet would still use the configured default group, or you can specify specific groups:

    line con 0
     login authentication console

    line vty 0 4
     login authentication vty

    and specify the aaa authentication settings individually...

    I hope this helps... all the best

    REDA

  • Internal DB ACS 4.2 replication - does not replicate the AAA clients

    I'm trying to set up a new ACS 4.2 server. ACS is installed, replication partner configured, etc. Master and new slave both run ACS 4.2(0) Build 124. (Master shows 'Patch 12', slave shows no patch info.)

    Replication settings on the new ACS server are identical to those on my current secondary ACS server, which receives replicated data correctly.

    Problem: I manually replicate from the master ACS server to the new ACS server. Logs on both servers show a successful replication. Users, user groups and network device groups (NDGs) all replicate correctly. However, there are zero devices in each of the NDGs.

    Master is set to send, new slave set to receive:

    User and Group Database

    Network Configuration Device Tables

    Distribution Table

    Interface Configuration

    Interface Security Settings

    Password Validation Settings

    I also tried replicating Network Access Profiles instead of Network Configuration Device Tables. Still no AAA clients in the NDGs.

    I need my AAA clients replicated.  Should I be replicating different or additional components? Am I missing some settings elsewhere in ACS?

    Hello

    Please apply patch 12 on the slave ACS as well.

    Try the replication and let me know the results.

    Also, under Network Configuration do you see the NDG names? Or just no AAA clients under each NDG?

    Kind regards

    Anisha
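Added example for the shell command authorization set described in the ACS Shell Sets thread above (my own model, not ACS code): it shows how the 'Unmatched Commands' setting, the per-command permit lines and the 'Permit Unmatched Args' box combine to produce "command authorization failed" for 'interface ethernet 1'. It assumes each argument line is a regular expression matched against the whole argument string the user typed.

```python
"""Model of an ACS shell command authorization set (added example, not ACS
code). A typed command is authorized by looking up its first word in the
set, matching the rest against that command's permit/deny argument lines,
and falling back to 'Permit Unmatched Args' or 'Unmatched Commands'."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandEntry:
    # Argument lines as typed in the set, e.g. ("permit", "ethernet 0").
    rules: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class ShellAuthSet:
    name: str
    unmatched_commands: str = "deny"   # "permit" or "deny"
    commands: Dict[str, CommandEntry] = field(default_factory=dict)

    def add(self, command: str, *rules: Tuple[str, str],
            permit_unmatched_args: bool = False) -> "ShellAuthSet":
        self.commands[command] = CommandEntry(list(rules), permit_unmatched_args)
        return self

    def authorize(self, line: str) -> bool:
        """True if the router would be allowed to run `line`, False for
        'command authorization failed'."""
        words = line.split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        entry = self.commands.get(cmd)
        if entry is None:
            # Command not in the set: the 'Unmatched Commands' setting decides.
            return self.unmatched_commands == "permit"
        for action, pattern in entry.rules:
            # Assumption: the argument field is a regular expression that must
            # match the whole argument string the user typed.
            if re.fullmatch(pattern, args):
                return action == "permit"
        # No argument line matched: the 'Permit Unmatched Args' box decides.
        return entry.permit_unmatched_args


def example_set() -> ShellAuthSet:
    """The limited-access set from the thread: unmatched commands denied,
    a handful of commands permitted with the listed arguments."""
    s = ShellAuthSet("Level_7", unmatched_commands="deny")
    for bare in ("login", "logout", "exit", "enable", "disable"):
        s.add(bare, ("permit", ""))
    s.add("configure", ("permit", "terminal"))
    s.add("interface", ("permit", "ethernet 0"))
    s.add("show", ("permit", "running-config"))
    return s


if __name__ == "__main__":
    s = example_set()
    for typed in ("show running-config", "interface ethernet 0",
                  "interface ethernet 1", "reload"):
        verdict = "permit" if s.authorize(typed) else "command authorization failed"
        print(f"{typed!r}: {verdict}")
```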
