Register ACS 4.1 as secondary to ACS 5.2 primary

We have two ACS servers, each operating as primary for a separate system. Now we want to provide unified authentication, but we are worried about the different versions of the ACS.

Can ACS 4.1 register with ACS 5.2 as a secondary?

If they can, how?

PS: The two ACS servers have different base licenses and license add-ons from blockbuster.

It is not possible. While versions 4.x and 5.x provide similar functionality, they have very significant differences. For example, version 4.x runs on top of the Windows OS and has no license, while the 5.x version runs as an application installed on the Linux-based CentOS. Thus, if you wish to move from 4.x to 5.x, you perform a migration.

Thank you for evaluating useful messages!

Tags: Cisco Security

Similar Questions

  • Register different versions of ACS to a Cisco ACS primary

    Hello, I upgraded the backup unit of two ACS to version 5.4.0.46.0a. First I changed it to standalone, and now I'm trying to register it to the main ACS, which is running version 5.1.0.44.2.

    And I get this error

    This failure has occurred: com.cisco.nm.acs.im.certificate.Certificate; incompatible local class: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved. Click OK to return to the list page.

    What can I do to solve it?

    Kind regards

    The primary and the secondary must run the same code.

    Jatin kone
    -Do rate helpful posts-

  • Cannot register an ACS secondary for replication with ACS 5.2 primary.

    Hello

    I hope someone can help me.  Currently, I have two Cisco ACS devices and both are listed as PRIMARY.  The first ACS is running version 5.2.0.26 while the second ACS is running version 5.3.0.40.

    My original thought was to install the first ACS, have it serve as primary and have it replicate its data to the SECONDARY ACS.  Somehow, after installation, both ACS are now listed as PRIMARY.  When I go into the secondary ACS under Deployment Options to try to register it to the primary, I get the following error message:

    "This failure has occurred.  Failed to authenticate with node.  Your changes have not been saved."

    Even if I try from the primary ACS to register it to the secondary ACS, I get the same error message.  I tried all passwords, including the credentials of the admin super user, my administrator credentials and the credentials used to SSH into the ACS, and nothing is helping.

    Reading online, I read there was a way to remove an ACS secondary, but I don't have the ability to add this server to the primary to "bump it down" to a secondary in the hope of registering it to the primary ACS.

    If anyone can give me some pointers, I would greatly appreciate it.

    Thank you, and all have a wonderful day.

    THERE

    Yvonne,

    If the identifier is the same then replication definitely does not work; you will not be able to register to the primary if the license is the same. The good side is that you have the other license; you only need to install it.

    However, I have more bad news: the only way to reinstall a license file in ACS 5.x is the CLI command 'acs reset-config', but it will also delete all of the configuration that you have on this server, except the network configuration (IP, gateway, DNS, etc.).

    After entering this command if you are trying to access the GUI, you should not use the username and password acsadmin/default, then you will be asked to locate the license file.

    Here is a document with this information where you need it:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/my_wkspc.html#wp1052906

  • Move apps lost on a failed second monitor back to the primary?

    My second monitor has failed, and the applications that I had moved to that screen are no longer accessible.  How can I move them back to the primary monitor without being able to see them to drag?

    Hello

    If you have disconnected the failed monitor, right-click on the desktop and select Screen Resolution.

    In the dialog box, click the Multiple displays drop-down. Select the option Show desktop only on 1.

    I hope this helps.

    Thank you for using Windows 7

    Ronnie Vernon MVP
  • ACS SE - domains Windows AD

    Can I use ACS network device groups to have one ACS device act as authenticator for two Windows domains for 802.1x on a single switch?

    Hope the question makes sense, but to put a little more meat on the issue:

    I have a single ACS device that I am trying to use for 802.1x authentication on a switch. The problem is that I want the VLAN allocation part of the implementation to be assigned through the ACS server depending on users having a domain account, but we have two domains without trust between them. The remote agent in ACS should not be installed on servers in different domains, and the two agents available are for resilience only, so this unfortunately does not fit.

    That's why I ended up looking at several device groups.

    Does anyone have any ideas whether this will work or if there is another way to make this work?

    Hello

    ACS cannot authenticate 'natively' in 2 different domains that do not have a defined relationship. If this is not possible, then you must set up 2 ACS servers, one in each domain. Configure the 'primary' ACS to proxy queries to the 'secondary' server based on the provided domain.

    This would require a second ACS server to be set up (you will probably pay an additional fee for the second ACS server). You do not want to configure a proxy distribution table. This would require the user to explicitly indicate the domain name with their user name.

    Kind regards

    ~ JG

    Please evaluate the useful messages

  • Devices configured for authentication under ACS

    Hi friends,

    Would like to know how many devices can be configured for authentication under ACS version 5.6.0.22 (Cisco Secure Network Server 3415).

    I'm not able to find this anywhere.

    Regards

    JN

    Hello

    It depends on the license that you install on the ACS 5.6.

    All ACS 5.6 deployments support 100,000 AAA clients, 10,000 network, 300,000 users and 150,000 host device groups. The ACS 5.6 log collector server can handle 2 million records per day and 750 messages per second for stress sent by the various ACS nodes in the deployment to the log collector server.

    Please visit this link:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    With the Base license, a Cisco Secure ACS 5.6 appliance or software virtual machine can support a deployment of up to 500 network access devices (NADs) such as routers and switches. These are not authentication, authorization and accounting (AAA) clients. The number of network devices is based on the number of unique IP addresses that are configured. The 500-device limit is not a limit for each individual appliance or instance, but a scale limit that applies to a set of Cisco Secure ACS instances (primary and secondary instances) that are configured for replication.

    The optional large deployment add-on license allows a deployment to support more than 500 network devices. Only one large deployment license is required per deployment because it is shared by all instances.

    Please visit this link:

    http://www.Cisco.com/c/en/us/products/collateral/security/secure-access-...

    Kind regards

    Aditya

    Please evaluate the useful messages.

  • Upgrade from 5.0 to 5.2 ACS

    Hello

    Currently, I would like to upgrade an ACS primary / secondary pair from 5.0.0.21.6 to the latest version 5.2.

    The documentation says to use the 5.1 recovery CD as an interim step and then upgrade to 5.2. Is this the same as the ISO image, which you can download from CCO?

    This will cause a problem with the license that you are actually broken box?

    Is it possible to use the FTP repository to perform the upgrade without using an ISO / recovery disk image? Does that keep the licenses intact?

    When you upgrade, do you restore the "router"-type configuration and databases on both ACS devices? I guess that the answer to this depends on whether the recovery / ISO image is used.

    Should I expect my primary / secondary relationship to work on 5.1, or can I take each from 5.0 to 5.1 to 5.2 all in one fell swoop and then sort out the primary / secondary ACS distributed environment?

    Thanks for any help on this

    Mark

    The recovery image would be in ISO format and the upgrade would be in .tar format. Yes, these files can be downloaded EAC.

    You have read the correct procedure. After reimage, you must reinstall the license.

    We cannot use FTP for ACS 5.0---> ACS 5.1 upgrade. We have to reimage here, no other way.

    backup

    To perform a backup (including ADE OS data such as host name and IP address) and place the backup in a repository, use the backup command in EXEC mode.

    backup backup-name repository repository-name

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/command/reference/cli_app_a.html#wp1888749

    acs backup

    To back up an ACS configuration (not including the ADE OS data), use the acs backup command in EXEC mode.

    acs backup backup-filename repository repository-name

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/command/reference/cli_app_a.html#wp1886805

    Upgrade can be done while we both ACS in sync, you must unregister and register them again.

    I hope this helps.

    Kind regards

    Jousset

    The rate of useful messages-

  • ACS 5.3 should consider the local database only if AD is unreachable

    Dear support team

    We have ACS 5.x integrated with AD, and members are authenticated using an AD user name or a local user name configured on ACS.

    Is it possible for ACS to check the local database only when AD is unreachable? The customer doesn't want ACS to use the local database as long as AD is available. It's the accounting requirements of their Department system.

    Thanks in advance for your time.

    Ahad

    You're right about everything except the last part. Device Admin 1 and 2 are "Selection rules", so they'll be mapped according to their conditions. If the authentication request matches the rule for Device Admin 1, then ACS will stay with this service regardless of whether or not the DB is down; ACS will not fall back to Device Admin 2.

    The only option to use a second database when the primary is down is an identity store sequence, but this option will also use the second database if the primary DB is unable to find the user.

    Unfortunately, there is no option at the moment to accomplish this objective with the specific detail you need.

    Rate if this helps.

  • ACS redundancy configuration

    Hi all

    I need to set up a new ACS as a secondary ACS.

    (1) Do we therefore need to configure the new IP address of the ACS server on all switches?

    (2) If the primary ACS is disconnected, how will the secondary work as primary?

    Thank you & best regards

    Hi Adam,

    (1) Yes, you must configure the IP address of all RADIUS servers on your switches so that they can be authenticated by the servers of Ganymede according to group aaa of the device to the network. The two ACS servers in a cluster do not share a virtual IP address.

    (2) If the primary ACS is disconnected then it will not work as a primary. As far as the rest are concerned, the primary ACS is the one which went down. You will not be able to make most changes without going to the deployment options and switching to Local Mode or Promote to Primary.

    Local Mode means that your data will be removed from an existing cluster. Promote to Primary means that the primary and secondary servers reverse roles. What you would generally do during an outage is work in Local Mode and, when the primary is restored, register the secondary back to the primary to be synchronized with the primary.

    If you want to keep changes made on the secondary (Server B) while the primary (Server A) was down, you must make B primary with Promote to Primary, add A as secondary and, after the sync, switch roles between them by promoting A to primary.

  • Secondary ACS does not authenticate

    I have 2 ACS 1113 devices running 4.1 Build 24 (1). The first is the primary and replicates nightly to the secondary at our DR. Although in different places, they are both in the same VLAN with no firewalls or access lists in between them. All my devices authenticate with my primary ACS unless it is down, in which case they must authenticate with the secondary ACS. The problem is that I have no problem with authentication on my primary ACS, but I can't get anything to authenticate to my secondary (after taking the primary down to test). In trying to authenticate to my secondary, I get no log for successful or failed authentication after my attempts fail. In addition, while my attempts fail, I try to log into devices locally and my authorization fails - again with no log on the ACS. However, when I remove the NDG on the secondary ACS, I'm able to log on locally to the network device.

    I believe that with the device in the NDG within the ACS, there is some communication failing my attempts (although it does not log anything), since I can take the device out of that NDG and pass local authentication. I was running code 4.0 with the same issue and thought that the update should fix the problem... but obviously, I have something else going on here.

    Any comments or suggestions would be greatly appreciated.

    Try this on the secondary ACS.

    ACS ---> Network Configuration ---> Proxy Distribution Table ---> click Default ---> if you see delivenrance 1 to the aaa Server ---> drag it to 'Prior to' ---> and what is there under Forward To ---> drag it to AAA server ---> Submit + Apply.

    It should work now.

    If you do not see the proxy distribution option then go to ACS ---> Interface Configuration ---> Advanced Options ---> enable the distributed array.

    That should fix it.

    Kind regards

    ~ JG

    Note the useful messages

  • ACS WORKS, BUT NOT THE GRAPHIC WEB INTERFACE

    I have ACS ver. 5.4.0.46.7 running on an ACS-1121-K9 appliance. After the restart of a Win2008 controller it stopped working and someone in my department restarted the ACS. It seems that authentications are working now, but I can't access the web GUI. It answers ping and SSH. I did a show acs-config-web-interface and the view interface was disabled; I enabled it but it still does not work:

    TBGACS02/admin# show acs-config-web-interface
    migration interface is disabled
    ucp interface is disabled
    view interface is enabled
    rest interface is disabled

    TBGACS02/admin# show application status acs

    ACS role: PRIMARY

    Process 'database' running
    Process 'management' running (HTTP is nonresponsive)
    Process 'runtime' not monitored
    Process 'adclient' running
    Process 'ntpd' running
    Process 'view-database' running
    Process 'view-jobmanager' Execution failed
    Process 'view-alertmanager' running
    Process 'view-collector' running
    Process 'view-logprocessor' running

    I could try to restart again, but I'd rather not if possible...

    Hello

    Can you try 'application stop acs' and then 'application start acs' and see if that solves the problem?

    If it doesn't, then I suggest taking a show tech and a support bundle and pursuing this with TAC.

    Kind regards

    Kanwal

    Note: Please check if they are useful.

  • The physical size of ACS db is more than 50% of its actual size. (ACS version: 5.5.0.46)

    Since the migration to ACS 5.5.0.46 we continue to see the following message appear in the alarm inbox:

    Cisco Secure ACS alarm (REVIEW): the physical size of ACS db is more than 50% of its actual size.

    Cisco Secure ACS - Alarm Notification

    Severity: critical

     

    Name of the alarm

    System alarm [purge the database]

    Cause/trigger

    The physical size of ACS db is more than 50% of its actual size.

    Alarm details

    The physical size of ACS db is more than 50% of its actual size. The size will be reduced after the purge of the ACS transaction log and compression of the ACS db.

    September

    Mon Mar 17 05:00:06 CET 2014

    ACS view database compression and backup is set up and runs without error:

    The backup job stores a maximum of 4 months on an FTP server.

    Backup: monthly

    Incremental: weekly

    DB: Compression enabled

    Purge and incremental backup history
    Name | Start Time | End Time | Status
    DatabasePurge-Job | Mon Mar 17 04:00 CET 2014 | Mon Mar 17 04:00 CET 2014 | Completed

    As far as I can see, the CLI does not show an oversized DB:

    ACS21/acsadmin(config-ACS) # acsview show-dbsize
    Actual size of DB (bytes): 1585192960
    Real DB size (GBs): 1.48
    DB size (bytes): 1605386240
    Physical size DB (GBs): 1.5
    Physical ACSviewlog file size (GBs): 0
    Output ACS21/acsadmin(config-ACS) #.

    ACS21/admin# show application status acs

    ACS role: PRIMARY

    Process 'database' running
    Process 'management' running
    Process 'runtime' running
    Process 'adclient' running
    Process 'ntpd' running
    Process 'view-database' running
    Process 'view-jobmanager' running
    Process 'view-alertmanager' running
    Process 'view-collector' running
    Process 'view-logprocessor' running

    Looking at the user guide:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#wp1065174

    "The ACS database must be compressed during the maintenance operation. You can run the acsview-db-compress command in acs-config mode to reduce the physical size of the view database when there is a difference between the physical size and the actual size of the view database. ACS 5.5 stops only the log collector services during the compress operation and will be operational after the compress operation is complete. You must enable the log recovery feature to recover messages received during the database compress operation.

    In ACS 5.5, the database compress operation is automated. You can check the Enable ACS View Database compress check box to compress the ACS view database automatically every day at 05:00. The database compress operation is run automatically every day at 05:00 whenever needed."

    I tried to manually compress the DB with 'acsview-db-compress' with no effect.

    Hello

    You are running into bug CSCum51180. The alarm should be a warning, not critical, and should be triggered only when the physical size is greater than the actual size by more than one gigabyte (in your case, the difference is very small, 1.5 vs 1.48).

    The fix must be present in a future update.

    Javier Henderson

    Cisco Systems

  • Number of certificate to ACS secondary

    Hello

    We have a distributed ACS deployment model where the primary ACS performs the configuration role and the secondary ACS performs the monitoring role.

    Our root certificate expired two days back and we have installed this kind of forgot to install on secondary ACS primary ACS.

    For this reason, some of our wireless users could not connect to wireless, with authentication failure messages.

    So my question is: do both the primary and secondary ACS accept AAA requests and respond, given that we use the distributed deployment model?

    Or can you share any document from Cisco that shows this?

    The WLC sends authentication to the primary ACS server and will only use the secondary if there is no response from the primary. The WLC will not fail back to the primary unless the secondary does not respond or if you have fallback enabled, in which case the WLC will check whether the primary is up.

    Sent from Cisco Technical Support iPhone App

  • ACS version 3.3

    Hi, in our environment, we have Cisco ACS v3.3 on Windows 2003 and are trying to upgrade to ACS v4.1.4, but data replication from v3.3 to v4.1.4 is causing an issue.

    Please let us know whether there is a way to replicate data between these different code versions.

    Thank you

    Gopinath V

    Hi Gopinath,

    For the replication process, primary & secondary servers should be in the same version.

    Please upgrade primary & secondary to 4.1.4 and initiate replication.

    Excerpts from the User Guide:

    "All ACSs that are involved in replication must run the same version of the ACS software. For example, if the primary ACS is running ACS version 3.2, all secondary ACSs should be running ACS version 3.2. Because patches can introduce significant changes to the ACS internal database, we strongly recommend that ACSs involved in replication use the same patch level."

    If the two ACS (primary & secondary) are on the same version and you are still facing issues, let me know.

    Thank you

    Séverine

  • Cisco ACS 1113 v4.0.1.44 replication possibilities with 1120 and 2nd 1113

    Hello

    We currently have 1 ACS SE 1113 running version 4.0.1.44 that we are unable to take out of live service, and we want to install a 2nd one for replication and resilience (and have the resilient pair running version 4.2.0.124).

    We have had the following made available to us for this purpose: an ACS SE 1113 and a CSACS 1120, both currently running version 4.2.0.124.

    Could you please tell me whether the following downgrade/upgrade process is valid (I see that the CSACS 1120 does not support version 4.0 or 4.1).

    1. Downgrade the 2nd ACS SE 1113 to version 4.0.1.44

    2. Establish replication between the 1113s so we now have our live data on both boxes.

    3. Take the primary ACS out of service and confirm the secondary now handles all requests.

    3. Upgrade our primary ACS to version 4.1, then to version 4.2.0.124

    4. Bring the primary ACS back in service and confirm it works, then take the secondary ACS out of service for upgrade to version 4.1 and 4.2.0.124

    5. Confirm replication is now working at version 4.2.0.124.

    Are there other possible methods to migrate our existing data directly from our existing 1113 to one of the other devices (1113 and 1120) running 4.2.0.124 without going through the downgrade/upgrade process above?

    Thanks in advance for your help.

    Jim.

    Hi Jim,

    I understand that you have 3 devices - 2 ACS 1113 and 1 ACS 1120.

    ACS1 - 1113 4.0.1.44 - running in production.

    ACS2 - 1113 4.2.0.124 - running in the lab.

    ACS3 - 1120 4.2.0.124 - running in the lab.

    You want to configure replication in the production environment and move the ACS1 backup to 4.2.0.124.

    The path mentioned in the post is correct.

    You can try to do the following:

    Take a backup of ACS1. Install ACS for Windows 4.0.1.44 in the lab. Restore the ACS1 backup. Upgrade the ACS for Windows to 4.1.1.24 and then to 4.2.0.124, keeping the database.

    Restore the database on ACS2 and ACS3. Configure replication for ACS2 and ACS3.

    Take a downtime and replace ACS1 with the replication pair of ACS2 and ACS3.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this message as answered if you feel that your query is resolved. Note the useful messages.
