Consolidation/merger of two ACS 4.2 servers
Hi, we have 2 ACS servers, each handling a different set of hundreds of devices. I need to merge the 2 databases (users, groups, and devices) into a third ACS 4.2 server.
My thought is to make a backup of one and do a restore on the new server. Then I need to find a way to import the users, groups, and devices of the second ACS server into the new consolidated ACS. I searched and have not found a way to import users, groups, and devices without removing the devices that were already added from the first ACS server. Does anyone have recommendations?
Try this. On each ACS server, run CSSupport (or Support on the ACS admin page) to generate a cab package.
If you open the cab there will be two CSV files: one for NDGs and one for devices.
Using Excel you can merge these two CSVs. To feed the data into ACS, you will need to create an accountActions CSV file and use RDBMS synchronization.
Action code 250 adds an NDG
Action code 220 adds a device
Action code 252 assigns a device to an NDG
This may seem like a chore, but it is largely a cut-and-paste exercise.
If you regularly use RDBMS sync to add your devices, this means you will always have a file of update actions that you can throw at another server if you wish.
Lots of information about RDBMS sync at http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_RDBMS.html
The easiest way would be to download the SQL Anywhere developer tools and ask Cisco about loading the ndg and device tables directly from CSV files. It can be done, but I doubt they'll give you the password to the database.
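The merge described in this reply, as an added example that is not part of the original thread: it takes the device CSVs from the two support cabs, merges them keyed by IP address (refusing to silently overwrite a device that is defined differently on the two servers), and emits an accountActions.csv using the action codes named above (250 add NDG, 220 add device, 252 assign device to NDG). The column layout of accountActions.csv, the Value1/Value2/Value3 positions for each action, the DateTime format and the column names of the exported device CSVs are assumptions here; check them against the RDBMS Synchronization appendix linked above before running a sync. The sample exports are constructed, not real data.

```python
"""
Build an ACS 4.x RDBMS-sync accountActions CSV from two device exports.
Added example, not code from the original thread.
"""
import csv
import io
from datetime import datetime

# Action codes named in the reply above.
ADD_NDG = 250          # ValueName = NDG name
ADD_NAS = 220          # ValueName = device name, Value1 = IP, Value2 = shared secret, Value3 = vendor
ADD_HOST_TO_NDG = 252  # ValueName = device name, Value1 = NDG name
# (the Value* positions above are assumptions; confirm against A_RDBMS.html)

# Assumed column order of accountActions.csv.
ACCOUNT_ACTIONS_HEADER = [
    "SequenceId", "Priority", "UserName", "GroupName", "Action", "ValueName",
    "Value1", "Value2", "Value3", "DateTime", "MessageNo", "ComputerNames",
    "AppId", "Status",
]

# Constructed sample exports (column names assumed). edge-rtr1 exists on both.
SERVER_A_DEVICES = """\
Name,IP,Secret,Vendor,NDG
core-sw1,10.1.1.1,s3cret-a,RADIUS (Cisco IOS/PIX 6.0),Datacenter
edge-rtr1,10.1.2.1,s3cret-b,TACACS+ (Cisco IOS),Branch
"""
SERVER_B_DEVICES = """\
Name,IP,Secret,Vendor,NDG
edge-rtr1,10.1.2.1,s3cret-b,TACACS+ (Cisco IOS),Branch
wlc-01,10.2.5.10,s3cret-c,RADIUS (Cisco Airespace),Wireless
"""


def load_devices(text):
    """Parse one exported device CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def merge_devices(*exports):
    """Merge device lists keyed by IP. Identical duplicates collapse; a device
    defined differently on the two servers is returned as a conflict so an
    operator decides which secret/name/NDG wins instead of the script."""
    merged, conflicts = {}, []
    for devices in exports:
        for dev in devices:
            ip = dev["IP"]
            if ip in merged and merged[ip] != dev:
                conflicts.append((merged[ip], dev))
            merged.setdefault(ip, dev)
    return list(merged.values()), conflicts


def build_account_actions(devices, start_seq=1, now=None):
    """One row per action: NDGs first, then devices, then NDG assignments,
    so every object exists before anything references it."""
    stamp = (now or datetime.now()).strftime("%m/%d/%Y %H:%M:%S")
    rows, seq = [], start_seq

    def row(action, value_name, v1="", v2="", v3=""):
        nonlocal seq
        rows.append({
            "SequenceId": seq, "Priority": 0, "UserName": "", "GroupName": "",
            "Action": action, "ValueName": value_name, "Value1": v1,
            "Value2": v2, "Value3": v3, "DateTime": stamp, "MessageNo": "",
            "ComputerNames": "", "AppId": "", "Status": 0,
        })
        seq += 1

    for ndg in sorted({d["NDG"] for d in devices if d["NDG"]}):
        row(ADD_NDG, ndg)
    for d in devices:
        row(ADD_NAS, d["Name"], d["IP"], d["Secret"], d["Vendor"])
    for d in devices:
        if d["NDG"]:
            row(ADD_HOST_TO_NDG, d["Name"], d["NDG"])
    return rows


def to_csv(rows):
    """Serialise rows in the assumed accountActions column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ACCOUNT_ACTIONS_HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    devices, conflicts = merge_devices(load_devices(SERVER_A_DEVICES),
                                       load_devices(SERVER_B_DEVICES))
    for first, second in conflicts:
        print("CONFLICT, resolve by hand:", first, second)
    print(to_csv(build_account_actions(devices)))
```

Note that the generated file carries every device's shared secret in cleartext, exactly as the device CSV in the support cab does: keep both files off shared drives, restrict them to the ACS service account while the sync runs, and delete them afterwards.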
Tags: Cisco Security
Similar Questions
-
Configuration/ACS database consolidation
Hello
I have two ACS servers.
One is the 2.4 version and the other is the 3.0.2 version.
My wish is to install a third ACS 4.0 server which will replace the other two.
I had planned the following steps:
1 - upgrade versions 2.4 (srv1) and 3.0.2 (srv2) to 3.0.4;
2 - export the configuration data of these two servers using the CSUtil tool;
3 - manually consolidate all the data;
4 - install the new server with version 3.0.4;
5 - import the consolidated data on the new server using CSUtil;
6 - upgrade the new server to version 4.0 following the recommended upgrade path.
Any comments on these steps?
Is there any special mechanism/tool to consolidate the configuration from two separate ACS servers?
Thanks in advance.
Kind regards
Ricardo
Ricardo,
We cannot export devices with CSUtil. What we can do is search for devices in the GUI and download a CSV of the search result.
DBSync does not synchronize databases between ACS servers. DBSync uses a CSV file to add devices/users in bulk. So if we create a CSV of users and devices, we can import it into ACS. More info about DBSync at:
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/acs33/user/sad.htm#wp756877
Kind regards
Vivek
-
Hi, is it possible to successfully reimage two ACS servers from v5.3 to v5.5, and also successfully restore the backups, licenses and local certificates from v5.3? The current Log Collector is set to the primary. I have read a lot of documentation that refers only to upgrade paths.
Would you recommend reimaging or using the upgrade method?
The upgrade method says that I should change my primary to secondary, re-point the log server to the former primary, etc, etc... Seems like a lot of work when a reimage might be easier?
If you could advise on the best possible route, it would be most appreciated... Thank you very much...
The procedure you mentioned is perfect.
Rate if useful :)
Knowledge sharing makes you immortal.
Kind regards
Ed
-
ACS 5.6.0.22.3 to 5.7.0.15.1 Server upgrade
Hi all
Can I upgrade my 5.6.0.22.3 to 5.7.0.15.1 ACS servers without applying the 5.6.0.22.4 patch?
Thank you.
Hey Pratik,
It is always advisable to upgrade to the latest patch before moving on to the next version.
Therefore, it would be advisable to install patch 4 and then go to 5.7.
Kind regards
Aditya
Please rate helpful posts.
-
ACS RADIUS dropped: 11051 RADIUS packet contains invalid State attribute
Hi all
We have had a very strange problem for a few days now. Our v5.2.0.26 ACS started dropping wired and wireless connections with a "RADIUS request dropped" message. The detailed message is: "RADIUS request dropped: 11051 RADIUS packet contains invalid State attribute".
This message is usually preceded by a "RADIUS request dropped: 24444 Active Directory operation has failed because of an unspecified error in the ACS" error.
Communication with Active Directory seems to be OK, since workstations receive a valid IP address when connected to a non-802.1X switch port (Cisco 4506).
Any help greatly appreciated,
Best regards and happy new year to all members,
Laurent
Hello Laurent,
Please check the AD connectivity status between ACS and AD on all of your ACS servers (secondary instances as appropriate):
Users and Identity Stores > External Identity Stores > Active Directory
Does the connectivity status show CONNECTED or DISCONNECTED on any of your ACS servers? If one of the servers is showing DISCONNECTED, that could be the root cause of the problem.
Hope that points you in the right direction.
Kind regards.
-
ACS server installation issues
I have a remote site customer that is in the process of replacing their ACS servers,and have several questions:
1) What version should we be installing?
2) Where can we get a clean binary installer (or do we have to start with 3.x or 4.0 & upgrade-if upgrade, can we use latest patch installer, or do we have to apply successive patches?)
3) Cross-version replication? Current servers have Release 4.1(1) Build 23 Patch 5-do these need to be upgraded to current version, or can we install latest & replicate from current?
4) Is it possible to use different DNS name (ex rtpacs.corpnet2.com) for website than server's 'real' name (ex. us2sawn00232.us1auth.xxxx.com)?
5) How to use GSK-signed cert? Have tried previously & failed-anything special here?
Thanks for any help you can give.
RO
Hi Richard,
For your queries: for replication, the ACS servers should be the same version; only then can you replicate between ACS partners. If you have the same version, your first and third queries are answered.
For your fourth query, you can use the DNS server to host your web servers: when the user accesses your web site, the traffic will land on your DNS server, which will redirect it to the origin server, so the DNS server should be the authoritative server for your web site.
For a clean binary installation I would say check out this link http://openacs.org/forums/message-view?message_id=1245671 I hope this helps.
Please rate valuable posts.
Regards
Ganesh.H
-
ACS database replication fails after changing the secondary ACS IP address
Hello.. I have 2 ACS 3.1 servers: ACS01 (primary) and ACS02 (secondary). We recently moved ACS02 to another site and changed its IP address.
When we run database replication from ACS01, we get an error message saying that ACS02 has refused the replication request.
Any idea what the problem could be?
Consider these points when you implement the Cisco Secure database replication feature:
(1) ACS only supports database replication to other ACS servers. All ACS servers participating in Cisco Secure database replication must run the same ACS version and patch level.
(2) The primary server copies compressed and encrypted database components to the secondary server. This transmission is done over a TCP connection on port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.
(3) Only properly configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, it appears for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure Database Replication page.
(4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's key.
(5) Replication to secondary servers takes place sequentially in the order listed in the replication list under Replication Partners, on the Cisco Secure Database Replication page.
(6) The secondary server that receives the replicated components must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.
(7) ACS does not support two-way database replication. The secondary server that receives the replicated components checks that the primary server is not on its own replication list. If it is not, the secondary server accepts the replicated components; if it is, it rejects them.
(8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information on user-defined RADIUS vendors and VSAs, see the User-Defined RADIUS Vendors and VSA Sets section of the Cisco Secure ACS Database Command-Line Utility document.
-
ACS secondary server does not authenticate users through 3850 WLC
Hi - I have an issue where my secondary ACS server does not authenticate users when the primary is taken offline. My configuration is:
3850 WLC using code version 03.07.00E
ACS version 5.6 (primary/secondary)
Both ACS servers are added to the WLC (ACS-NLBP-01 (primary) / HEN-ACS-01 (secondary)), defined in the server group (ACS_AUTH) and also in the method list (ACS_AUTH). The ACS_AUTH method list is then applied to the SSID.
A "test aaa group ACS_AUTH ..." command succeeds for both ACS servers. IP/RADIUS communication is working between the WLC and both ACS servers.
The 3850 configuration is also attached for reference.
Any help would be appreciated.
Thank you
Scott
Please add the commands listed below and test again when you can.
radius-server deadtime <minutes>
radius-server retransmit 1
radius-server dead-criteria time 5 tries 1
(see: Configuring Settings for All RADIUS Servers)
HTH
~ Jousset
-
Hi all
I need to set up a new ACS as a secondary ACS.
(1) Do we therefore need to configure the new ACS server's IP address on all switches?
(2) If the primary ACS goes offline, how will the secondary work as primary?
Thank you & best regards
Hi Adam,
(1) Yes, you must configure the IP addresses of all RADIUS/TACACS+ servers on your switches so that they can authenticate against those servers according to the network device's AAA server group. The two ACS servers in a cluster do not share a virtual IP address.
(2) If the primary ACS goes offline, the secondary will not act as a primary. It will keep serving authentication for the rest of the cluster after the primary went down, but you will not be able to make most configuration changes without going to Deployment Operations and either returning to Local Mode or promoting it to primary.
Local Mode means that your server is removed from the existing cluster. Promote to Primary means that the primary and secondary servers swap roles. What you would generally do during an outage is work in Local Mode and, when the primary is restored, register the secondary back to the primary so that it is synchronized with the primary.
If you want to keep changes made on the secondary (Server B) after the primary (Server A) went down, you must promote B to primary, add A as a secondary, and after the sync swap their roles by promoting A to primary.
-
Can I use ACS network device groups to have one ACS appliance act as the 802.1X authenticator for two Windows domains on a single switch?
Hope the question makes sense, but to put a little more meat on it:
I have a single ACS appliance that I am trying to use for 802.1X authentication on a switch. The problem is that I want VLAN assignment to be controlled by the ACS server depending on the user's domain account, but we have two domains with no trust between them. The ACS remote agent should not be installed on servers in different domains, and the two available agents are for resilience only, so unfortunately that doesn't fit.
That's why I ended up looking at multiple device groups.
Does anyone have ideas on whether this will work, or whether there is another way to make this work?
Hello
ACS cannot "natively" authenticate against 2 different domains that do not have a trust relationship defined. Since that is not possible, you must set up 2 ACS servers, one in each domain. Configure the "primary" ACS to proxy queries to the "secondary" server based on the domain supplied.
This would require a second ACS server to be set up (you will probably pay an additional fee for the second ACS server). You would then want to configure a proxy distribution table. This would require the user to explicitly indicate the domain name with their username.
Kind regards
~ JG
Please rate helpful posts
-
Custom authorization with TACACS+ (ACS 5.4) - NX-OS RBAC limited access
Hello
I created a custom RBAC role on NX-OS.
role name Limited_Admin
  rule 11 deny command config t ; interface mgmt 0
  rule 10 permit read
  rule 9 permit command config t ; interface *
  rule 8 permit command copy running-config startup-config
  rule 7 permit command ping *
  rule 6 permit command traceroute *
I created a Shell Profile with the following attribute, which places the user in the Limited_Admin role, and mapped it to the authorization policy rule.
Attribute: cisco-av-pair
Requirement: Mandatory
Value: shell:roles="Limited_Admin"
When I log in with the test account, I get mapped to the custom role as shown below, but I have priv 15.
user:testrbac
        roles:Limited_Admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
Any help is greatly appreciated. I had this working perfectly on 4.2 but am unable to make the rules work on 5.4.
Nexus AAA configuration:
radius-server key *
ip tacacs source-interface mgmt0
radius-server host x.x.x.x
aaa group server tacacs+ ACS-SERVERS
    server x.x.x.x
    use-vrf management
aaa group server tacacs+ ACS-SERVERS
aaa authentication login default group ACS-SERVERS
aaa authentication login console local
aaa accounting default group ACS-SERVERS
aaa authentication login error-enable
I saw it, and that's what I wanted to see, and used it as the syntax/format for the NX-OS role, like this:
role name Limited_Admin
  rule 11 deny command configure terminal ; interface mgmt0
However, I think you had tried it and confirmed that it didn't work, so I started to think it might be a bug in the OS. Glad it works for you.
Jousset
* Please rate helpful posts *
Sent from Cisco Technical Support Android App
-
Secure ACS 5.7 - adding a secondary server to the primary
Hello.
I recently set up two Secure ACS 5.7 servers as primaries. I want to make one of the primary servers a secondary server. When I try to register it with the primary, I get the following message:
This system failure occurred: Save failed due to invalid certificate. Your changes have not been saved.
Both servers have valid certificates. But other than extending the validity of the cert, no other changes have been made.
Any ideas please?
Thank you
Daniel
Hello Daniel,
For the Trust Communication option to work, it is necessary to use certificates signed by a CA (either external or internal). In addition, you must import the issuer's respective root/intermediate certificates under Users and Identity Stores > Certificate Authorities on both ACS servers.
Alternatively, you can choose not to use the Trust Communication feature by going to System Administration > Configuration > Global System Options > Trust Communication Settings and unchecking the checkbox for the feature.
Note: Please mark as answered as appropriate.
-
Secondary ACS does not authenticate dynamic users
Hi all
I have two ACS for Windows servers, version 4.2. My problem is that if the primary ACS server is down, dynamic users from the Windows database are unable to authenticate with the secondary ACS. Please note that if a user is added to ACS, that user can authenticate against the Windows database. Only the dynamic mapping does not work with the second ACS server.
A quick response will be appreciated.
Is the Windows database in the Unknown User Policy on both servers? Are dynamic users enabled under the Unknown User Policy?
Are these ACS for Windows servers, or ACS SE with a Remote Agent installed on an AD member server?
If they are Remote Agents, look at External User Databases > Windows Database Configuration > Remote Agent selection. Is the same Remote Agent selected on both ACS servers?
Please be aware that if you change the order of the RAs it will remove all your group mappings.
-
ACS 3.2(2) Build 5 replication problem
Hi all
There are two ACS servers; one sits inside an ASA 5510 at headquarters and the other is inside an ASA 5510 at the hot site.
These ASA 5510s were deployed to replace two PIX 515Es, and the claim is that since the ASAs went in, replication has stopped working. Of course, that makes no sense to me, because the communication between the ACS server and the firewall does not go down whenever "replicate now" is issued.
Unfortunately, I don't know much about ACS, so is there something I can look for to help troubleshoot it? The ACS logs say
WARNING cannot replicate to Server '4' - server does not
That doesn't help us much; is there a way to get more detailed log info which could indicate a problem? Thank you.
Hello
ACS uses TCP port 2000 for replication. This port is also used by the Skinny protocol, so a firewall inspecting Skinny will interfere with the ACS replication process.
ACS replication from the primary to the secondary fails: the primary reports that it cannot contact the secondary, and the secondary shows no replication activity from the primary.
A firewall between the two ACS servers is configured to inspect the Skinny protocol, which uses the same port (TCP/2000) as the ACS replication process.
If you do not have a Call Manager behind your firewall, please disable
Skinny inspection if it is enabled.
# Under the global policy, take Skinny inspection out of the inspection_default class:
policy-map global_policy
 class inspection_default
  no inspect skinny
You need to do this on both sides.
HTH
JK
Please rate helpful posts
-
Synchronization of ACS databases!
Hi all. I have 2 Windows machines running ACS 4.1. I just installed the second machine in a new region. I want to know what I will have to do on all 150 routers I added. Is it possible to somehow synchronize the two ACS servers such that when one goes down, the other will be contacted? Do I have to re-enter all the data, or is there an automatic way such that when I make a change on the main server it is automatically replicated to the other ACS?
Hi Rox,
ACS replication is one-way replication (from primary to secondary). You need to bring up the second ACS and configure it for replication. After replication, it will have all the configuration from the primary ACS.
Please make sure that the replication is configured correctly. (Checklist)
(1) Make sure you are not replicating across NAT. Replication across NAT does not work because the IP address is used for server authentication.
(2) Make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the Send list, and on the secondary the distribution table should not be checked in the Receive list.
(3) Check the partner list on the secondary server to ensure that the primary is not listed. You should not enter the primary server in the partner list on the secondary server. However, the primary server must have all secondary servers in its partner list.
(4) Make sure that the secondary server has replication scheduling set to "manual".
(5) Please check that your servers all run exactly the same ACS version and build.
(6) Also, I would like to know whether there is any firewall between the two ACS servers.
Please see this link for the replication schedule option,
Kind regards
~ JG
Please rate helpful posts
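The checklist in this reply, together with the replication considerations in the earlier "ACS database replication fails after changing the secondary ACS IP address" thread (same version, no two-way partner lists, matching AAA-server entries and keys, TCP/2000 reachability), as an added example that is not part of the original threads: a small offline pre-flight check that takes a description of each server's replication settings and reports every checklist violation, plus a live TCP/2000 probe for the firewall question. The field names of the server descriptions and the sample configurations are constructed assumptions; the rules themselves come from the replies above.

```python
"""
Offline pre-flight check for ACS 4.x one-way database replication.
Added example, not code from the original threads; it encodes the
checklist from the replies above. Field names below are assumed.
"""
import copy
import socket

REPLICATION_PORT = 2000  # TCP port ACS uses for replication, per the threads

# Constructed sample configuration (not real servers).
ACS01 = {
    "name": "ACS01", "ip": "10.10.0.5", "version": "3.1(1) Build 27",
    "key": "r3pl-k3y",            # this server's own AAA-server key
    "partners": ["ACS02"],        # Replication Partners list
    "schedule": "daily",
    "send_distribution_table": False,
    "aaa_servers": {"ACS02": {"ip": "10.20.0.5", "key": "r3pl-k3y"}},
}
ACS02 = {
    "name": "ACS02", "ip": "10.20.0.5", "version": "3.1(1) Build 27",
    "key": "r3pl-k3y",
    "partners": [],               # a secondary must NOT list its primary
    "schedule": "manual",
    "receive_distribution_table": False,
    "aaa_servers": {"ACS01": {"ip": "10.10.0.5", "key": "r3pl-k3y"}},
}


def with_changes(server, **changes):
    """Deep-copied variant of a server description, for what-if checks."""
    variant = copy.deepcopy(server)
    variant.update(changes)
    return variant


def _check_peer_entry(host, peer, problems):
    """The peer must be in host's AAA Servers table with its real IP and
    a matching key; replication authenticates on the source IP, so a stale
    or NAT-translated address in this entry breaks it."""
    entry = host["aaa_servers"].get(peer["name"])
    if entry is None:
        problems.append(f"{peer['name']} is not configured as an AAA server on {host['name']}")
        return
    if entry["ip"] != peer["ip"]:
        problems.append(
            f"{host['name']}'s AAA-server entry for {peer['name']} points at {entry['ip']}, "
            f"but its address is {peer['ip']} (stale entry or NAT)")
    if entry["key"] != peer["key"]:
        problems.append(f"{host['name']}'s key for {peer['name']} does not match {peer['name']}'s key")


def check_replication(primary, secondary):
    """Return the list of checklist violations; an empty list means 'go'."""
    problems = []
    if primary["version"] != secondary["version"]:
        problems.append(f"version/build mismatch: {primary['version']!r} vs {secondary['version']!r}")
    if secondary["name"] not in primary["partners"]:
        problems.append(f"{primary['name']} does not list {secondary['name']} as a replication partner")
    if primary["name"] in secondary["partners"]:
        problems.append(f"{secondary['name']} lists {primary['name']} as a partner, so it will reject replication")
    if primary.get("send_distribution_table"):
        problems.append(f"{primary['name']} is set to send the proxy distribution table")
    if secondary.get("receive_distribution_table"):
        problems.append(f"{secondary['name']} is set to receive the proxy distribution table")
    if secondary["schedule"] != "manual":
        problems.append(f"{secondary['name']} replication schedule is {secondary['schedule']!r}; set it to manual")
    _check_peer_entry(primary, secondary, problems)
    _check_peer_entry(secondary, primary, problems)
    return problems


def port_reachable(host, port=REPLICATION_PORT, timeout=3.0):
    """Live check for a firewall between the servers (not used offline)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print("healthy pair:", check_replication(ACS01, ACS02) or "OK")
    # The earlier thread's scenario: the secondary was moved and re-addressed,
    # but the primary's AAA Servers entry still carries the old IP.
    moved = with_changes(ACS02, ip="10.30.0.5")
    for problem in check_replication(ACS01, moved):
        print("moved secondary:", problem)
```

Run port_reachable("<secondary ip>") from the primary to answer the firewall question in item (6); the ASA Skinny-inspection case in the ACS 3.2(2) thread above shows up as the port being open but replication still failing, which this probe cannot distinguish on its own.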