Redundancy of the ACS
Is it possible to run a second ACS as a redundancy? I found nothing about this in the documentation.
You might want to take a look at the replication options
System Configuration --> CiscoSecure Database Replication
This will allow the redundant server to keep in step with the master server.
It is also useful to consider the second server not simply as redundancy but also as a way to share the load:
Half the devices pointing to Server A, failing back to Server B
The other half of the devices pointing to Server B, failing back to Server A
Similar Questions
-
Ensure the redundancy of the ACS
Hi,
What happens if my only ACS breaks down? ACS is active on my access switches.
What deployment scenario are we talking about here? For example, with 802.1X deployments there is a feature (called Inaccessible Authentication Bypass) that allows access to a specific VLAN in the scenario where connectivity to the ACS server is compromised. Is that something that can help you?
-
Is there a problem with accounting and ACS 4.1
Good day to all,
I just installed a new server with ACS 4.1.
Once this new ACS 4.1 installation is approved, I will retire my old ACS 3.1 server.
At this point, the only problem I have with ACS 4.1 is with the accounting.
For example:
I used a test router with all the necessary config pointing to my old ACS 3.1. Everything works fine (authentication and accounting). If I enter a command on the test router, it is logged on ACS 3.1.
Now, if I change the test router to point to the new ACS 4.1, ACS 4.1 will authenticate the test router correctly, but won't log any command that I enter on the test router. I did a capture between the test router and ACS 4.1, and the test router sends the accounting records to ACS 4.1.
There are many configuration differences between ACS 3.1 and 4.1, but as far as I can see the config on the two ACS servers is as similar as possible.
Is there anyone out there who got ACS 4.1 to process accounting properly?
Any idea will help.
Thank you
Frank
Here is my config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO-AUTH none
aaa authorization exec default group tacacs+ local
aaa authorization commands start-stop group 1 tacacs+
aaa authorization commands start-stop group 15 tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
radius-server host 192.168.100.16 key *
(the above command is the only command I change to point to ACS 3.1 or ACS 4.1)
RADIUS-server application made
Please use the following link. It has the 4.1 cumulative patch that contains the hotfix for the bug.
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
Don't forget to download the readme text also.
Rate me if it helps.
-
Greetings,
By moving to ACS 3.2, will all my settings and security remain the same? If this isn't the case, I have a router connected to the server and I will get locked out. I heard there is a specific order for removing the lines to avoid locking myself out. Is this true?
Thank you
You will need to select the option "Yes, import the existing configuration" while upgrading the ACS software. Information on upgrading the Cisco ACS software while preserving the configuration is found in the documentation at
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/ACS32/win32sig.htm#9934
-
Download the ACS software... ?
I know about the 90-day trial; however, is there a way to download a full version for Windows from the Cisco site? I am able to download the software, so that isn't a problem. I don't see anywhere to download a full version and not only the 90-day trial.
Tks
You must purchase the software to get the full version. It is only available on CD. When you buy the ACS software, it comes with a device (ACS1111). I do not see the necessity or the advantage of Cisco making the full version of ACS available for download on their website.
-
We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the internet. The kiosk is wireless and is configured for automatic connection with a specific account. The access point uses VLAN 1, and VLAN 40 is for the wireless kiosk. When the kiosk machine authenticates to ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which, in turn, communicates with the ACS server? I would like to block VLAN 40 access to VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.
The unreliable kiosk machine only communicates with the AP. The AP will send the credentials to the ACS server, which in turn will try to authenticate them against the Windows domain controller.
-
I know I should have remembered, but I did not...
I have been using the ACS 90-day trial, which expired before I bought a copy.
Do I lose everything, and how do I go about licensing the product now that I have bought it?
Thank you
Andrew
Please mark it as resolved, so others can benefit from it.
Kind regards
~ JG
-
AAA TACACS+ accounting - CLI issued by user does not appear in the ACS report
Can I know why the CLI issued by the user does not show in the ACS TACACS+ accounting report? The elapsed time is displayed, but I also wanted to log which commands are issued by the user.
What is missing here?
aaa authentication login VTY group P1_ACS local enable
aaa authorization exec default group P1_ACS local if-authenticated
aaa authorization exec CONSOLE none
aaa accounting exec default start-stop group P1_ACS
aaa accounting commands 5 default start-stop group P1_ACS
aaa accounting commands 15 default start-stop group P1_ACS
Command accounting logs are stored in the TACACS+ Administration logs.
There is also a known issue on ver 4.1.1, and we must apply the ACS 4.1.1.23.5 patch to fix the problem.
The patch for the appliance is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
The patch name: ACS SE 4.1.1.23.5 rollup
The ACS hotfix for Windows is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
The patch name: ACS 4.1.1.23.5 rollup
CCIE Security
-
ICS error - "The dependency service or group failed to start"
These days I have been facing this problem with ICS. Whenever I try to share my internet connection over wifi, it gives an error saying: "The dependency service or group failed to start". I have reset the connection, disabled it, and restarted the system as well, but no change: the same error every time. Can someone help with this? It would be much appreciated.
Hi kaliszewski,
Welcome to the Microsoft Community and thanks for posting the question.
According to the description, it looks like you are facing Internet Connection Sharing problems.
Please follow the steps mentioned below, which can help us to solve the cause of the problem.
Method 1:
Maybe not all services that Internet Connection Sharing (ICS) depends on are enabled. I suggest checking and making sure that the dependency services below are enabled.
1. Click on Start, Run, type services.msc and click OK.
2. To enable a service, find it in the right pane and double-click on its entry.
3. Make sure that the Startup Type is set to Automatic, and then click OK.
All the following services must be configured this way to use ICS:
Application Layer Gateway Service
Network Connections
Network Location Awareness (NLA)
Plug and Play
Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Procedure Call (RPC)
Telephony
After checking and configuring automatic startup for each of these services, close the Services window and restart the computer before trying again to enable ICS.
Method 2:
Disable and then re-enable Internet Connection Sharing on the Internet connection of the Windows 7 computer. If it asks you to select a private network connection, select the one that connects to the hub. Check the connections to the LAN on each computer:
- Press Windows Key + R.
- Type ncpa.cpl in the box and press enter.
- Right click on the connection to the local network, and then click status.
- Click on Details. It should show these values:
- IPv4 address: 192.168.*.*
- IPv4 subnet mask: 255.255.*.*
If the values are not correct, Internet Connection Sharing is not configured correctly.
You can also consult the following link for troubleshooting Internet connection sharing problems:
http://Windows.Microsoft.com/en-us/Windows7/using-ICS-Internet-connection-sharing
Hope the above helps resolve the problem.
If you need further clarification or additional assistance, please let us know, we will contact you as soon as possible.
Thank you.
-
To access the AIP-SSM-10 through the ACS
Hi,
Please, I would like to know if you can access the AIP-SSM-10 using a Cisco ACS account.
Thank you
The IPS module does not support authentication against the ACS server.
Please find the only authentication method for IPS in the following document:
http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html
Hope that answers your question.
-
ACS 5.1 and Cisco ACE module
Hello
I would like to configure TACACS+ AAA on a Cisco Catalyst 6500 Application Control Engine module. In the configuration guide for ACE it is advised that you need to configure additional parameters to be returned by the RADIUS server (shell: = ...) for authorization of Cisco ACE virtual contexts. My question is: where exactly should I put these settings in ACS 5.1? Is there a document describing ACE + ACS 5.1 TACACS+ configuration? Thank you
WM
Here is the doc.
-
Administrator rights to the ACS using Active Directory groups
Good afternoon
We need to be able to use administrative accounts for our ACS appliance that reside in an Active Directory group, if possible. If this is not possible, what other safer options would we be able to use (RADIUS authentication or authentication RSA 2)?
Thanks in advance
You can only use the locally stored accounts within the ACS.
-
Two questions about ACS 5.1: password aging and enabling multiple disabled accounts
Hello
I am testing password aging in ACS 5.1, and I discovered that you can have only one global setting for the password lifetime for all the internal accounts. Is it possible to exclude some internal accounts from this global password aging policy? I would like to have a number of accounts whose passwords should not be aged at all...
Second question: when I was testing password aging, I set the password lifetime to 4 days with a warning after 2 days. All accounts in my test ACS configuration are now disabled, because 4 days have passed since I changed it. Is there a possibility to enable multiple accounts at once, or do I have to enable 500 internal accounts manually, one by one?
Thanks in advance
WM
I'm not aware of any way to mark internal users as having passwords that never expire. This is done for admins to ensure there is always an admin who can access the system.
In order to change multiple/all records for internal users, the following approach can be taken:
- Go to the list of internal users and press "Export", then 'Start export' and 'Save file' to export the user records to a CSV file
- Edit the file. In the column titled 'active', replace 'FALSE' with 'TRUE' for all records. Save the updated file
- On the page that lists internal users, press "File Options", select "Update", and then click Next to reach the "Import a file" section of the wizard. Select the file saved in step 2 and press Finish
After the import is completed, all internal user records should now display "Enabled".
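The edit in the second step above, sketched as an added example that is not part of the original reply or of any Cisco tooling: it sets the 'active' column to TRUE in an exported user file and returns the names it changed. The sample rows and every column name other than 'active' are constructed for illustration; a real ACS export may use different headers.

```python
import csv
import io

# Constructed sample of an exported internal-user file. The column names are
# assumptions for illustration; a real export may label them differently.
SAMPLE_EXPORT = """name,description,active,identity_group
alice,Network ops,FALSE,All Groups
bob,Help desk,false,All Groups
carol,Security,TRUE,All Groups
"""


def enable_all(export_text, column="active"):
    """Return (updated_csv_text, changed_names) with `column` set to TRUE."""
    reader = csv.DictReader(io.StringIO(export_text))
    fields = reader.fieldnames or []
    # Match the header case-insensitively, and fail loudly if it is missing
    # rather than importing a file that silently changes nothing.
    matches = [f for f in fields if f.strip().lower() == column.lower()]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {column!r} column, found {matches}")
    col = matches[0]

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    changed = []
    for row in reader:
        value = (row[col] or "").strip().upper()
        if value == "FALSE":
            row[col] = "TRUE"
            # Assumption: the first column identifies the account.
            changed.append(row[fields[0]])
        elif value != "TRUE":
            # Unexpected or missing value: refuse instead of guessing.
            raise ValueError(f"line {reader.line_num}: unexpected value {row[col]!r}")
        writer.writerow(row)
    return out.getvalue(), changed


if __name__ == "__main__":
    updated, changed = enable_all(SAMPLE_EXPORT)
    print(updated)
    print("re-enabled:", ", ".join(changed))
```

The returned list of changed names is worth reviewing before the import, since accounts that were disabled for a reason other than password aging are re-enabled as well.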
-
Issue of operability of the ACS as RADIUS with ASA 5.0?
Hello
I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.
Please let me know if there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.
Regards
Ritesh
Ritesh,
Yes, there is a defect in ACS 5.0 with VPN authentication.
When you try to connect with the VPN client, you will not see any hits in the monitoring and reports views.
In the ASDM logs you'll see that the RADIUS server is not reachable.
The debugs show a RADIUS timeout.
This will work with TACACS+. Access policy rule was does not. Also, you could not use RADIUS, as you hit CSCsy17858
http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858
Used TACACS+ instead of RADIUS.
If you want to use RADIUS then you need to upgrade your version of ACS to 5.1
You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:
Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >
Reference: upgrading ACS from version 5.0 to 5.1:
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html
HTH
Kind regards
JK
Please rate useful messages
-
Hello all, I have two ACS 3.3 servers and I am trying to replicate between them, but it does not work. The topology is something like this:
ACS1<->PIX525<->RouterTelmex - Internet - RouterTelmex<->ASA5540<->ACS2
I tested a lot of things, and I guess that the problem is in the ASA5540. So the question is: does anyone know which ports need to be opened on the ASA5540 to allow replication? I know port 2000 must be opened, but I think there must be some more ports.
Thank you very much.
Gabriel
Hello Gabriel,
I know you only need port 2000 open for ACS replication.
BTW, do you have skinny inspection enabled on the ASA? ACS replication runs on port 2000, which also happens to be the same port as the Skinny protocol. Make sure that skinny inspection is disabled on the two firewalls and see if you can get the replication working.
no fixup protocol skinny 2000
I hope it helps.
Kind regards
Arul
* Please rate all useful messages *