Consolidation/merger of 4.2 ACS servers

Hi, we have 2 ACS servers, each handling a different set of hundreds of devices. I need to merge the 2 databases (users, groups, and devices) into a third 4.2 ACS server.

My thought is to make a backup of one and do a restore on the new server. Now, I need to find a way to import the users, groups, and devices of the second ACS server into the new consolidated ACS. I searched and I have not found a way to import users, groups, and devices without removing the devices that were added from the first ACS server. Does anyone have recommendations?

Try this. On each ACS server, run CSSupport (or Support on the ACS Admin page) to generate a cab package.

If you open the cab there will be two CSV files - one for NDGs and one for devices.

Using Excel you can merge these two CSVs. To get the data into ACS, you will need to create an accountActions CSV file and do an RDBMS synchronization.

Action code 250 adds an NDG

Action code 220 adds a device

Action code 252 assigns the device to an NDG

This may seem like a chore, but it's largely a cut and paste exercise.

If you regularly use RDBMS sync to add your devices, this means that you will always have a file of update actions that you can throw at another server if you wish.

Lots of information about RDBMS sync at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_RDBMS.html

The easiest way is to download the SQL Anywhere developer tools and ask Cisco about loading the ndg and device tables directly from the CSV files. It can be done, but I doubt they'll give you the password to their database.
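The "cut and paste exercise" above can be scripted. The following is an added example, not code from the thread or from Cisco: it reads the device CSVs from two servers, drops devices already known to the target (so the import stays additive, which was the original question), and emits an accountActions CSV using the 250/220/252 action codes named above. The export column names, the accountActions column list, and the meaning of ValueName/Value1..Value3 for each action code are my assumptions from reading the linked RDBMS Synchronization appendix; check them against that document before feeding the file to a real sync.

```python
import csv
import io

# Constructed sample device exports, standing in for the two device CSVs pulled
# from each server's CSSupport cab. The header names are an assumption; map the
# real export header once in parse_devices() if it differs.
SERVER_A_DEVICES = """\
Name,IP,Key,Vendor,NDG
rtr-hq-01,10.1.1.1,s3cret-a,RADIUS (Cisco IOS/PIX),HQ
sw-hq-01,10.1.1.2,s3cret-a,TACACS+ (Cisco IOS),HQ
"""
SERVER_B_DEVICES = """\
Name,IP,Key,Vendor,NDG
rtr-br-01,10.2.1.1,s3cret-b,TACACS+ (Cisco IOS),Branch
sw-hq-01,10.1.1.2,s3cret-a,TACACS+ (Cisco IOS),HQ
"""

# Action codes named in the thread.
ADD_NDG = 250
ADD_AAA_CLIENT = 220
ADD_AAA_CLIENT_TO_NDG = 252

# accountActions column layout (assumed from the RDBMS Synchronization appendix
# linked in the thread; verify before use).
COLUMNS = ["SequenceId", "Priority", "UserName", "GroupName", "Action",
           "ValueName", "Value1", "Value2", "Value3", "DateTime",
           "MessageNo", "ComputerNames", "AppId", "Status"]


def parse_devices(text):
    """Read one server's device export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def merge_devices(*exports):
    """Union of several exports keyed on device name (case-insensitive).

    Returns (merged_rows, duplicate_names). First occurrence wins, so a device
    known to both servers is imported once.
    """
    seen = {}
    duplicates = []
    for rows in exports:
        for row in rows:
            key = row["Name"].lower()
            if key in seen:
                duplicates.append(row["Name"])
                continue
            seen[key] = row
    return list(seen.values()), duplicates


def build_account_actions(devices, existing_devices=(), existing_ndgs=()):
    """Emit one 250 row per new NDG, then 220 + 252 rows per new device.

    existing_devices / existing_ndgs are names already present on the target
    (e.g. restored from the first server's backup) and are skipped, which keeps
    the import additive instead of clobbering what is already there.
    """
    skip_dev = {n.lower() for n in existing_devices}
    skip_ndg = {n.lower() for n in existing_ndgs}
    actions = []

    def emit(action, value_name, v1="", v2="", v3=""):
        actions.append({
            "SequenceId": len(actions) + 1, "Priority": 0,
            "UserName": "", "GroupName": "", "Action": action,
            "ValueName": value_name, "Value1": v1, "Value2": v2, "Value3": v3,
            "DateTime": "", "MessageNo": "", "ComputerNames": "", "AppId": "",
            "Status": 0,  # 0 = not yet processed (assumed)
        })

    for ndg in sorted({d["NDG"] for d in devices}):
        if ndg.lower() not in skip_ndg:
            emit(ADD_NDG, ndg)
    for d in devices:
        if d["Name"].lower() in skip_dev:
            continue
        # 220: VN = client name, V1 = IP, V2 = shared secret, V3 = vendor (assumed mapping).
        # The shared secret travels in this file; treat the CSV as sensitive and delete it after the sync.
        emit(ADD_AAA_CLIENT, d["Name"], d["IP"], d["Key"], d["Vendor"])
        # 252: VN = client name, V1 = NDG name (assumed mapping).
        emit(ADD_AAA_CLIENT_TO_NDG, d["Name"], d["NDG"])
    return actions


def to_csv(actions):
    """Serialise the rows in the column order the sync expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(actions)
    return buf.getvalue()


if __name__ == "__main__":
    merged, dups = merge_devices(parse_devices(SERVER_A_DEVICES),
                                 parse_devices(SERVER_B_DEVICES))
    print("duplicates skipped:", dups)
    # Server A was restored onto the new box, so only server B's additions are needed.
    a_names = [d["Name"] for d in parse_devices(SERVER_A_DEVICES)]
    print(to_csv(build_account_actions(merged, existing_devices=a_names, existing_ndgs=["HQ"])))
```

Run it once with empty `existing_*` arguments to get the full merged set, or pass the names already restored from the first server's backup to get only the delta for the second server.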


Similar Questions

  • Configuration/ACS database consolidation

    Hello

    I have two ACS servers.

    One is the 2.4 version and the other is the 3.0.2 version.

    My wish is to install a third ACS 4.0 server which will replace the other two.

    I had planned the following steps:

    1. upgrade versions 2.4 (srv1) and 3.0.2 (srv2) to 3.0.4;

    2. export the configuration data of these two servers using the CSUtil tool;

    3. manually consolidate all the data;

    4. install the new server with version 3.0.4;

    5. import the consolidated data onto the new server using CSUtil;

    6. upgrade the new server to version 4.0 following the recommended upgrade path.

    All comments on these steps?

    Is there no special mechanism/tool to consolidate the configuration from two separate ACS servers?

    Thanks in advance.

    Kind regards

    Ricardo

    Ricardo,

    We cannot export devices with CSUtil. What we can do is search for devices in the GUI and download a CSV of the search result.

    DBSync does not synchronize databases between ACS servers. DBSync uses a CSV file to add devices/users in bulk. So if we create a CSV of users and devices we can import it into ACS. More info about DBSync at:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/acs33/user/sad.htm#wp756877

    Kind regards

    Vivek

  • Re-image two ACS servers (primary & secondary) from v5.3 to v5.5?

    Hi, is it possible to successfully re-image two ACS servers from v5.3 to v5.5, and also successfully restore the v5.3 backups, licenses and local certificates? The Log Collector is currently set to the primary. I have read a lot of documentation that refers only to upgrade paths.

    Would you recommend re-imaging or using the upgrade method?

    The upgrade method mentions that I should move my secondary to primary, re-point the server logs to the former primary, etc, etc... Seems a lot of work when a re-image might be easier?

    If you could advise on the best possible route, it would be most appreciated... Thank you very much...

    The procedure you mentioned is perfect.

    Rate if useful :)

    Knowledge sharing makes you immortal.

    Kind regards

    Ed

  • ACS 5.6.0.22.3 to 5.7.0.15.1 Server upgrade

    Hi all

    Can I upgrade my 5.6.0.22.3 to 5.7.0.15.1 ACS servers without applying the 5.6.0.22.4 patch?

    Thank you.

    Hey Pratik,

    It is always advisable to upgrade to the latest patch before moving on to the next version.

    Therefore, it would be advisable to install the patch 4 and then go to 5.7.

    Kind regards

    Aditya

    Please rate useful posts.

  • ACS RADIUS dropped: 11051 RADIUS packet contains invalid state attribute

    Hi all

    We have had a very strange problem for a few days now. Our v5.2.0.26 ACS began to drop wired and wireless connections, with a message "RADIUS request dropped". The detailed message is: "RADIUS request dropped: 11051 RADIUS packet contains invalid state attribute".

    This message is usually preceded by a "RADIUS request dropped: 24444 Active Directory operation failed because of an error that is not specified in the ACS" error.

    Communication with Active Directory seems to be OK, since workstations receive a valid IP address when connected to a non-802.1X switch (Cisco 4506) port.

    Any help greatly appreciated,

    Best regards and happy new year to all members,

    Laurent

    Hello Laurent,

    Please check the AD connectivity status between ACS and AD on all of your ACS servers (secondary instances as appropriate).

    Users and Identity Stores > External Identity Stores > Active Directory

    Does the connectivity status show CONNECTED or DISCONNECTED on any of your ACS servers? If one of the servers is showing as DISCONNECTED, that could be the root cause of the problem.

    Hope that points you in the right direction.

    Kind regards.

  • ACS server installation issues


    I have a remote site customer that is in the process of replacing their ACS servers,and have several questions:

    1) What version should we be installing?

    2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 & upgrade-if upgrade, can we use latest patch installer, or do we have to apply successive patches?)

    3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5-do these need to be upgraded to current version, or can we install latest & replicate from current?

    4) Is it possible to use different DNS name (ex rtpacs.corpnet2.com) for website than server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?

    5) How to use GSK-signed cert? Have tried previously & failed-anything special here?

    Thanks for any help you can give.

    RO

    Hi Richard,

    For your queries: for replication, ACS should be the same version; only then can you replicate between the ACS partners. If you have the same version, then your first and third queries are answered.

    For your fourth query, you can use the DNS server to host your web servers: when the user accesses your web site, the traffic will land on your DNS server, which redirects it to the origin server, so the DNS server should be the authoritative server for your web site.

    For a clean binary installation I would say check out this link http://openacs.org/forums/message-view?message_id=1245671 I hope this helps.

    Please rate valuable posts.

    Regards

    Ganesh.H

  • ACS database does not replicate after having changed the secondary ACS IP.

    Hello. I'm running 2 ACS 3.1 servers, ACS01 (primary) & ACS02 (secondary). We recently moved ACS02 to another site and changed its IP address.

    When we run database replication from ACS01, we receive an error message saying ACS02 has refused the replication request.

    Any idea what can be the problem?

    Consider these points when you implement the Cisco Secure database replication feature:

    (1) ACS supports database replication only to other ACS servers. All ACS servers participating in Cisco Secure database replication must run the same version and patch level of ACS.

    (2) the primary server copies compressed and encrypted database components to the secondary server. This transmission is done over a TCP connection, port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.

    (3) only properly configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server is displayed for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure database replication page.

    (4) the primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's key.

    (5) replication to secondary servers takes place sequentially in the order listed in the replication list under Replication Partners, on the Cisco Secure database replication page.

    (6) the secondary server that receives the replicated components must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.

    (7) ACS does not support two-way database replication. The secondary server, which receives the replicated components, checks that the primary server is not on its own replication list. If it is not, the secondary server accepts the replicated components. If it is, it rejects the components.

    (8) to replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information on user-defined RADIUS vendors and VSAs, see the User-Defined RADIUS Vendors and VSA Sets section of the Cisco Secure ACS Database Command-Line Utility document.

  • ACS secondary server does not authenticate users through 3850 WLC

    Hi - I have a problem where my secondary ACS server does not authenticate users when the primary is taken offline. My configuration is:

    3850 WLC using code version 03.07.00E

    ACS version 5.6 (primary/secondary)

    The two ACS servers are added to the WLC (ACS-NLBP-01 (primary) / HEN-ACS-01 (secondary)), defined in the server group (ACS_AUTH) and also in the method list (ACS_AUTH). The ACS_AUTH method list is then applied to the SSID.

    A 'test aaa group ACS_AUTH' command against the two ACS servers results in access for both. IP/RADIUS communication is operational between the WLC and the two ACS servers.

    The 3850 configuration is also attached for reference.

    Any help would be appreciated.

    Thank you

    Scott

    Please add the below listed commands and test again when you can.

    # radius-server deadtime $min$
    # radius-server retransmit 1
    # radius-server dead-criteria time 5 tries 1

    Configuring settings for all RADIUS servers

    HTH

    ~ Jousset

  • ACS redundancy configuration

    Hi all

    I need to set up a new ACS as secondary ACS.

    (1) do we therefore need to configure the new ACS server's IP address on all switches?

    (2) if the primary ACS is disconnected, how will the secondary work as primary?

    Thank you & best regards

    Hi Adam,

    (1) Yes, you must configure the IP address of all RADIUS servers on your switches so that they can authenticate against the TACACS+ servers according to the network device's AAA group. The two ACS servers in a cluster do not share a virtual IP address.

    (2) if the primary ACS is disconnected then the secondary will not work as a primary. What concerns the remaining ACS is that the primary has gone down. You will not be able to make most changes without going to the Deployment Options and switching to Local Mode or Promote to Primary.

    Local Mode means that your instance will be removed from the existing cluster. Promote to Primary means that the primary and secondary servers reverse roles. What you would generally do during an outage is work in Local Mode and, when the primary is restored, register the secondary back to the primary to be synchronized with the primary.

    If you want to keep changes made on the secondary (Server B) after the primary (Server A) went down, you must make B primary with Promote to Primary, add A as secondary, and after the sync switch roles between them by promoting A to primary.

  • ACS SE - domains Windows AD

    Can I use ACS network device groups to have one ACS appliance acting as authenticator for two Windows domains for 802.1X on a single switch?

    Hope the question makes sense, but to put a little more meat on the issue:

    I have a single ACS appliance that I am trying to use for 802.1X authentication on a switch. The problem is that I want the VLAN allocation part to be assigned through the ACS server depending on the user's domain account, but we have two domains without trust between them. The remote agent in ACS should not be installed on servers in different domains, and the two available agents are for resilience only, so that does not fit unfortunately.

    That's why I ended up looking at multiple device groups.

    Does anyone have ideas on whether this will work or if there is another way to make this work?

    Hello

    ACS cannot authenticate 'natively' against 2 different domains that do not have a defined relationship. If this is not possible, then you must have 2 ACS servers, one in each domain. Configure the 'primary' ACS to proxy queries to the 'secondary' server based on the domain provided.

    This would require a second ACS server to be set up (you will probably pay an additional fee for the second ACS server). You do not want to configure a proxy distribution table. This would require the user to explicitly indicate the domain name with their user name.

    Kind regards

    ~ JG

    Please rate useful posts

  • Custom TACACS+ shell profile (ACS 5.4) - NX-OS RBAC limited access

    Hello

    I created a custom RBAC role on NX-OS.

    Role: Limited_Admin

    11 deny command config t ; interface mgmt 0

    10 permit read

    9 permit command config t ; interface * ; *

    8 permit command copy running-config startup-config

    7 permit command ping *

    6 permit command traceroute *

    I created a shell profile with the following attribute that places the user in the Limited_Admin role, and mapped it to the authorization policy rule.

    Attribute: cisco-av-pair

    Requirement: Mandatory

    Value: shell:roles="Limited_Admin"

    When I log in with the test account I get mapped to the custom role as shown below, but I have priv 15.

    user: testrbac

    roles: Limited_Admin

    account created through REMOTE authentication

    Credentials such as ssh server key will be cached only temporarily for this user account

    Local login is not possible

    Any help is greatly appreciated. I had this working perfectly on 4.2 but am unable to make the rules work on 5.4.

    Nexus AAA configuration:

    radius-server key *

    ip tacacs source-interface mgmt0

    radius-server host x.x.x.x

    aaa group server tacacs+ ACS-SERVERS

    server x.x.x.x

    use-vrf management

    aaa group server tacacs+ ACS-SERVERS

    aaa authentication login default group ACS-SERVERS

    aaa authentication login console local

    aaa accounting default group ACS-SERVERS

    aaa authentication login error-enable

    I saw it, and that's what I wanted to see and use as the syntax/format on NX-OS under the role,

    like this

    Role: Limited_Admin

    11      deny    command                         configure terminal ; interface mgmt0

    However I think you tried and confirmed that it didn't work, so I started to think it might be a bug in the OS. Glad it works for you.

    Jousset
    * Rate helpful posts *


  • Secure ACS 5.7 - adding a secondary server to the primary

    Hello.

    I recently set up two Secure ACS 5.7 servers as primaries. I want to make one of the primary servers a secondary server. When I try to register it to the primary, I get the following message:

    This failure has occurred: save failed due to invalid certificate. Your changes have not been saved.

    Both servers have valid certificates. But other than extending the validity of the cert, no other changes have been made.

    Any ideas please?

    Thank you

    Daniel

    Hello Daniel,

    For the Trust Communication option to work, it is necessary to use certificates signed by a CA, either external or internal, and in addition you must import the respective issuer root/intermediate certificates under "Users and Identity Stores > Certificate Authorities" on both ACS servers.

    Alternatively, you can choose not to use the "Trust Communication" feature by going to "System Administration > Configuration > Global System Options > Trust Communication Settings" and unchecking the check box for the feature.

    Note: Please mark as answered as appropriate.


  • Secondary ACS does not authenticate dynamic users

    Hi all

    I have two ACS for Windows servers with version 4.2. My problem is that, if the primary ACS server is down, dynamic users from the Windows database are unable to authenticate with the secondary ACS. Please note that if a user is added to the ACS, this user can authenticate with the Windows database. Only the dynamic mapping does not work with the second ACS server.

    A quick response will be appreciated.

    Does the Unknown User Policy on both point to the Windows database? Are dynamic users enabled under the Unknown User Policy?

    Are these ACS for Windows servers, or ACS SE with a Remote Agent installed on an AD member server?

    If they are Remote Agents, see External User Databases > Windows Configuration > Remote Agent selection. Is the same Remote Agent selected on both ACS servers?

    Please be aware that if you change the RA it would remove all your group mappings.

  • ACS 3.2(2) Build 5 replication problem

    Hi all

    There are two ACS servers; one sits inside an ASA 5510 at Headquarters and the other is inside an ASA 5510 at the hot site.

    These ASA 5510s were put in to replace two PIX 515Es, and the claim is that since the ASAs went in, replication has stopped working. Of course, it makes no sense to me because there is communication between the ACS servers and the firewall is not dropping anything whenever "replicate now" is issued.

    Unfortunately, I don't know much about ACS, so is there something I can look for to help troubleshoot it? The ACS logs say

    WARNING cannot replicate to Server '4' - server does not

    That doesn't help us much; is there a way to get more detailed log info which could indicate a problem? Thank you.

    Hello

    ACS uses TCP port 2000 for replication. This port is also used by the Skinny protocol, which clashes with the ACS replication process.

    ACS replication from the primary to the secondary fails; the primary reports that it cannot contact the secondary, and the secondary shows no replication activity from the primary.

    A firewall between the two ACS servers is configured to inspect the Skinny protocol, which uses the same port (TCP/2000) as the ACS replication process.

    If you do not have a Call Manager behind your firewall, please disable

    Skinny inspection if it is enabled.

    # Under the global policy, take the Skinny inspection out of the inspection_default class.

    no inspect skinny

    You need to do this on both sides.

    HTH

    JK

    Please rate useful posts

  • Synchronization of ACS databases!

    Hi all. I have 2 Windows machines running ACS 4.1. I have just installed the second machine in a new region. I want to know what I will have to do on all 150 routers I added. Is it possible to somehow synchronize the two ACS servers such that when one goes down, the other will be contacted? Do I have to re-enter all the data, or is there an automatic way such that when I make a change on the main server it is automatically replicated to the other ACS?

    Hi Rox,

    ACS replication is one-way replication (from primary to secondary). You need to bring up the second ACS and configure it for replication. After replication, it will have all the configuration of the primary ACS.

    Please make sure that the replication is configured correctly. (Checklist)

    (1) make sure you do not replicate over NAT. Replication over NAT does not work because the IP address is used for server authentication.

    (2) then make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary the distribution table should not be checked in the receive list.

    (3) then I would like you to check the partner list on the secondary server to ensure that the primary is not listed. You should not enter the primary server in the partner list on the secondary server. However, the primary server must have all secondary servers in its partner list.

    (4) make sure that the secondary server has replication scheduling set to "manual".

    (5) Please check that your servers all run exactly the same version and build of ACS.

    (6) also I would like to know if you have any firewall between the two ACS servers.

    Please see this link for the replication scheduling option:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html#wp756696

    Kind regards

    ~ JG

    Rate useful posts
