ACS redundancy configuration

Hi all

I need to set up a new ACS as a secondary ACS.

(1) Does that mean we need to configure the new ACS server's IP address on all switches?

(2) If the primary ACS is disconnected, how will the secondary work as primary?

Thank you & best regards

Hi Adam,

(1) Yes, you must configure the IP address of all RADIUS servers on your switches so that the devices can authenticate against the TACACS+/RADIUS servers listed in the aaa server group on the device. The two ACS servers in a cluster do not share a virtual IP address.

(2) If the primary ACS is disconnected, it will no longer act as primary. As for the secondary while the primary is down: you will not be able to make most changes on it without going to the Deployment Operations and switching it to Local Mode or promoting it to primary.

Local Mode means the server is removed from the existing cluster. Promoting to primary means the primary and secondary servers swap roles. What you would generally do during an outage is work in Local Mode and, when the primary is restored, register the secondary back with the primary so that it is synchronized with it.

If you want to keep changes that were made on the secondary (Server B) while the primary (Server A) was down, you must promote B to primary, add A as secondary, and after the sync switch roles between them by promoting A to primary.
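As an added illustration of point (1), here is how a Catalyst switch running IOS would be pointed at both ACS nodes (example configuration written for this page, not from the original thread); the 192.0.2.x addresses, the group name ACS-CLUSTER, the local account and the placeholder secrets are all assumed values.

```ios
! Added example, not from the original thread. Addresses, the group name and
! the shared secrets are placeholders; replace them with your own values.
aaa new-model
!
! ACS has no cluster virtual IP, so every switch must list BOTH nodes.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <primary-shared-secret>
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key <secondary-shared-secret>
! After a node stops answering (3 s timeout, 2 retries) mark it dead for
! 10 minutes, so logins do not wait on the failed primary every time.
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 10
!
aaa group server radius ACS-CLUSTER
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.11 auth-port 1812 acct-port 1813
!
! Method lists: try the group (primary, then secondary), then the local
! database, so an ACS outage never locks administrators out of the switch.
aaa authentication login default group ACS-CLUSTER local
aaa authentication dot1x default group ACS-CLUSTER
aaa authorization exec default group ACS-CLUSTER local
aaa accounting exec default start-stop group ACS-CLUSTER
!
! Local fallback account, used only when both ACS nodes are unreachable.
username localadmin privilege 15 secret <strong-local-password>
```

When a node is added to or removed from the cluster, the server list and the shared secret have to be updated on every switch, since nothing on the ACS side hides that change from the clients.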

Tags: Cisco Security

Similar Questions

  • ACS - the configuration list

    Hello

    How can I list the configuration applied to all users and groups on ACS (in a single file)? There are about 300 users.

    Basically, I need information on the maximum sessions per user (maybe in a .txt or .csv file).

    I think this information is available in the files generated by the backup, but I don't know whether they are readable.

    Thank you

    Marcelo

    As such, there is no ACS tool with which you can get this information as a report.

    But you can contact Extraxi (www.extraxi.com) and see if they can help you with what you are trying to achieve.

  • CUE failover in a redundant CME 4.0 configuration scenario

    Hello

    Can someone please describe what happens to the CUE voice mailboxes in the case of a failover to a redundant CME router? I suppose that Router 2 must have identical mailboxes created, and all new voicemails will be stored on Router 2 until the 1st router comes back online.

    Thanks in advance!

    There is no standard configuration for CUE failover that is supported by TAC.

    A big problem is that the two CUE voice mailboxes cannot be synchronized.

    Although you may well have a CUE system configured with duplicated information, a manual failover would be necessary.

    CUE failover is not supported by Cisco TAC at this moment.

  • ACS AD connection: DNS configuration does not resolve the address

    Hello

    I'm trying to configure the ACS with AD as the identity store but am running into a problem.

    I enter the AD domain name, the user name and the password, click the "Test connection" button and receive a DNS error indicating that it "cannot resolve network address".

    I connected to the CLI and tested the domain name from there, and it resolves fine.

    I am confused; any help would be appreciated.

    Thank you.

    Hi André,

    In the Active Directory configuration, make sure that you have entered the full domain name. Also, access the ACS through an SSH connection and make sure the time zone and the time on the ACS and the AD are the same, and make sure that the NTP server is configured on the CLI of the ACS.

    Here are the steps:

    Step 1: Set the time on the ACS to match AD. Type the command "clock set [month day hh:min:ss yyyy]".

    Step 2: Configure the time zone. In configuration mode, type the command "clock timezone (timezone)".

    Step 3: Configure the NTP server. Type "ntp server (IP address/hostname)".

    Kind regards

    Kush

  • ACS > User Configuration

    When a user authenticates in ACS v3.3, a profile is created and stored under User Configuration. When employees leave the company, we delete this profile. We use an external database, which is Active Directory.

    Questions

    (1) If the Active Directory account is disabled, will the user still be able to log in because the credentials are cached in the ACS?

    (2) Is there a way to expire these credentials, say after 24 or 48 hours?

    In ACS 3.3 you can expire the account; also, if the account is disabled and the user cached in ACS points to the Windows database for authentication, it should not allow the user in.

    Here is where you can set how long the account is active for:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/u.html#wp273167

    Thank you

    Tarik

  • Redundant configuration of Remote Manager

    Hi all

    I'm looking for a way to configure the IOM to use several Remote Managers for the same IT resource, i.e. two identical Remote Managers on two different machines having the same scripts and configuration.

    I can't find the right configuration option.

    You must create a load-balanced address for your Remote Managers and use it in your Remote Manager IT resources.

    -Kevin

  • ACS 5 appliance - can I use EtherChannel or standby interfaces?

    Hello

    I think the answer is no, but if I want to make my ACS appliance (not the VM version) more resilient, can I use more than one network adapter to connect to a switch stack?

    See you soon!

    Paul

    Paul,

    I wish it was supported, but the answer is no: the ACS does not support redundant configurations or a standby network card for this type of event. You should file a feature enhancement request with your account representative to see if this may be released in future versions.

    Thank you

    Tarik Admani
    * Please rate the useful posts *

  • Shell and enable on ACS 4.0

    I am puzzled about the shell and enable settings and the corresponding configuration on the client.

    (1) If I check shell under the ACS user group, I configured

    aaa authorization exec default group tacacs+ local

    aaa authorization commands 15 default group tacacs+ local

    (2) If I also check enable on ACS and configure aaa authentication enable default group tacacs+ local

    Can I just use one of the two options or use them together?

    Thank you!

    You can use them together:

    1. aaa authentication enable default group tacacs+ local --> use TACACS+; if TACACS+ fails/is unreachable, use the local userid/pwd.

    You can use this alone, but if you do not set authorization, make sure your user in TACACS+ has priv 15. PIX accepts only priv 15 or 2 (priv 2 is the default if you create a userid in PIX without specifying a privilege level).

    But it is better to use TACACS+ for more/centralized control.

    2. aaa authorization exec default group tacacs+ local --> use TACACS+ to authorize what/which commands may run; use local if TACACS+ failed.

    aaa authorization commands 15 default group tacacs+ local --> use TACACS+ to authorize which priv-level-15 commands the user can run, and fall back to local authorization if TACACS+ has failed/is unreachable.

    You can combine this with #1.

    HTH

    AK

  • Cisco ACS and ASA ASDM dashboard

    Hi all

    We use CiscoSecure ACS 4.2 for AAA.

    On our ASA 8.2.5 / ASDM 7.3(1)101, if we connect with a user group at privilege 5, we are unable to see the firewall dashboard for Top 10 Services / Sources / Destinations.

    Does anyone know how to set the privilege so that the user group we have stays read-only but can still see the Top 10 Services/Sources/Destinations on the ASDM dashboard?

    Thank you very much

    Hi David,

    Yes, you are right: with privilege 5 you would be able to make these changes.

    You can use one of two methods of authorization in order to work around this limitation:

    Local database: configure command privilege levels on the security appliance. When a local user authenticates with the enable command (or logs in with the login command), the security appliance places that user in the privilege level defined in the local database. The user can then access commands at and below their privilege level.

    Note: You can use local command authorization without any users in the local database and without CLI or enable authentication. Instead, when you enter the enable command, you enter the enable password and the security appliance puts you in level 15. You can then create enable passwords for all levels, so that when you enter enable n (2 to 15), the security appliance puts you in level n. These levels are not used unless you turn on local command authorization (see "Configuring Local Command Authorization").
    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/configuration/gu...

    TACACS+ server: configure the TACACS+ server (ACS) with the commands that a user or group can use after they authenticate for CLI access. Every command a user enters in the CLI is verified with the TACACS+ server:

    http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

    Hope this helps.

    Kind regards

    Aditya

    Please rate the useful posts.

  • Redundant AIP SSM-20 config replication?

    I have two ASAs in a redundant configuration. Each has an AIP SSM-20 in it. If I make changes to the 'live' SSM-20, is there a way to write the config over to the ASA which is in standby mode?

    Does the standby SSM-20 need to have its own unique IP address, or can it share the address of the "primary" SSM?

    No, configs are not replicated for the SSM; CSCsb61072 has been filed for this.

    The secondary SSM-20 cannot share the primary's IP address, or vice versa.

  • Problem connecting TACACS+ on ACS 4.0

    I have configured the ACS with a correct LAN infrastructure client area, including the client IP addresses of the devices and a key, and assigned authentication via TACACS+. I configured a test user in the ACS local internal database. Next, I set up a switch with the IP address of the ACS and the correct key. When I then try to log in to the switch it fails, and the following is recorded in the ACS failed attempts log:

    2007-08-29 11:39:22 Authen failed .. Default Group .. (Default) Key Mismatch .. x.x.x.x .. LAN Switches LAN-Infrastructure

    I have triple-checked that the keys are correct, and yet the failure reason is key mismatch. I don't know if I have something wrong in the config or if there is a bug.

    Cisco switch configuration:

    aaa new-model
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization commands 15 no_tacacs none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    radius-server host x.x.x.x
    no radius-server directed-request
    radius-server key xxx
    radius-server source-ports 1645-1646

    ACS version:

    CiscoSecure ACS

    Release 4.0(1) Build 44

    What could be wrong?

    Please check:

    ACS Network Configuration ---> NDG (where you have this switch) ---> Edit ---> remove the key property.

    The NDG key overrides the AAA client key.

    Regards

    ~ JG

  • ACS 5.6.0.22 TACACS+ authentication issue

    Here is the scenario: the Active Directory server is down or unavailable.

    ACS is configured with both AD and local users.  When AD is online, I can use a local account or an AD account for RADIUS authentication.  When AD is unavailable I get the error "24444 Active Directory operation failed because of an unspecified error in ACS" when trying to use the local account. (Of course I expect not to be able to use an AD account.)

    Is this expected, or is there an error in the configuration?

    Hi Richard,

    When AD is offline, you should still be able to use your local account if you select the option 'Continue to next identity store in the sequence' under 'Advanced Options' of the identity store sequence that you created:

    Section "Users and Identity Stores > Identity Store Sequences > Edit":

    Advanced Options

    If access to the current identity store fails:

    Break sequence
    * Continue to next identity store in the sequence

    Note: Please mark as answered as appropriate

  • How to use ACS to support both wireless users and VPN users?

    I'm new to ACS and need to configure the following requirements:

    (1) ACS authenticates wireless users against Windows AD.

    (2) Once connected successfully to the wireless, the user must use VPN for remote access through the ASA.

    (3) The end user will have only one common username but different passwords.

    For example:

    username: cisco, password: cisco for wireless.

    username: cisco, password: 1234 for VPN.

    Can ACS support this, and if so, how do we do it? Do I need two sets of ACS?

    Yes, ACS should work properly according to your need.

    In ACS we have a feature called NAP (Network Access Profile) where we can define conditions based on the source IP or attributes. This lets us say: if the request comes from a wireless device, ACS forwards it to AD, and if the request comes from the VPN, ACS forwards it to a different database.

    Basically, we need to use two ACS databases.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html

    Kind regards

    ~ JG

    Please rate the useful posts

  • ACS 5.6 syslog command

    Hello

    How can I get all the syslog references for ACS 5.6?

    One of my clients currently has their syslogs analyzed by Splunk.

    Kind regards

    yjung

    Have you already added the syslog server under ACS 5.6 > Log Configuration > Remote Log Targets? If yes, proceed to Logging Categories > Global > edit the log category you wish to receive logs for in Splunk and move it into the selected targets.

    You can check the logs with "show acs-logs filename acsLogForward.log | last 80" in case you do not see what is happening.

    -Jousset

  • ACS: how to use adinfo

    Hello

    I need to see which domain controllers communicate with the ACS. I tried:

    XXXACS02/admin# acs troubleshoot adinfo --server
    This command is only for advanced troubleshooting and could generate a lot of network traffic

    Do you want to continue?  (yes/no) yes
    server1.domain.no

    server1.domain.no is a server located in another site, so I don't think it's the primary server that is talking with the ACS. Are there other commands that give output?

    The location of the server wouldn't matter if we are using the default ACS AD configuration. Unless something has changed, ACS uses DNS to resolve all the available domain controllers. You can use the following command to list all the domain controllers that ACS is querying:

     acs troubleshoot adinfo --test 

    Then you can use this command to see which one the ACS is currently connected to:

     admin# acs troubleshoot adinfo -a

    This command will also give you the "Preferred Site" output. You can use this field in your AD environment to control which domain controllers ACS uses. For more information, see this link:

    http://blog.priveonlabs.com/sec_blog.php?title=ACS-V5-should-be-able-to-query-only-desired-domain-controllers-Active-Directory-DNS-workaround&more=1&c=1&TB=1&pb=1

    This link also contains a reference to a defect (CSCte92062) which provides some related ACS configs that you can use to restrict which domain controllers ACS uses.

    I hope this helps!

    Thank you for rating useful posts!
