Secure ACS 5.7 - adding a secondary server to the primary

Hello.

I recently set up two Secure ACS 5.7 servers as primaries. I want to make one of the primary servers a secondary server. When I try to register it with the primary, I get the following message:

This failure has occurred: save failed due to invalid certificate. Your changes have not been saved.

Both servers have valid certificates. But other than extending the validity of the cert, no other changes have been made.

Any ideas please?

Thank you

Daniel

Hello Daniel,

For the Trust Communication option to work, it is necessary to use certificates signed by a CA, either external or internal, and in addition you must import the issuer's respective root/intermediate CAs under "Users and Identity Stores > Certificate Authorities" on both ACS servers.

Alternatively, you can choose not to use the "Trust Communication" feature by going to "System Administration > Configuration > Global System Options > Trust Communication Settings" and unchecking the check box for the feature.

Note: Please mark as answered as appropriate.
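The certificate requirement in the answer above, shown as an added example that is not part of the thread and not Cisco's own tooling: it rebuilds the trust check with the openssl CLI. Every certificate is constructed in a temporary directory, and the CA and host names (corp-root, branch-root, acs-primary.example, acs-secondary.example) are placeholders that stand in for the two ACS nodes and their issuing CAs.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the ACS Trust Communication
# check with the openssl CLI. Registration of a secondary fails with
# "invalid certificate" when the peer's certificate does not chain to a CA
# that has been imported under Users and Identity Stores > Certificate
# Authorities. All certificates below are constructed here; names are placeholders.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA -> $WORK/NAME.key, $WORK/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_server_cert NAME CA: server certificate for NAME issued by CA
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# build_truststore OUT CA...: concatenate CA certificates into one PEM bundle,
# standing in for the Certificate Authorities store of one ACS node
build_truststore() {
  out="$1"; shift
  : > "$out"
  for ca in "$@"; do cat "$WORK/$ca.crt" >> "$out"; done
}

# check_peer_cert TRUSTSTORE CERT: exit 0 if CERT chains to a CA in TRUSTSTORE
# and is inside its validity period, non-zero otherwise (openssl verify semantics)
check_peer_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_issuer CERT: print the issuer DN, i.e. which CA has to be imported
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

make_ca corp-root
make_ca branch-root
make_server_cert acs-primary.example corp-root
make_server_cert acs-secondary.example branch-root

# The primary's store holds only corp-root: its own cert verifies, the
# secondary's (issued by branch-root) does not, so registration would fail.
build_truststore "$WORK/primary-store.pem" corp-root
# The same store after importing the secondary's issuing CA, as the answer advises.
build_truststore "$WORK/primary-store-fixed.pem" corp-root branch-root

if check_peer_cert "$WORK/primary-store.pem" "$WORK/acs-secondary.example.crt"; then
  echo "secondary cert trusted"
else
  echo "secondary cert NOT trusted; issuer: $(cert_issuer "$WORK/acs-secondary.example.crt")"
fi
check_peer_cert "$WORK/primary-store-fixed.pem" "$WORK/acs-secondary.example.crt" \
  && echo "secondary cert trusted after importing branch-root"
```

Run it with sh. `openssl verify` also fails for a certificate outside its validity period, so the same check covers the renewed-certificate situation in the question; the equivalent on the real nodes is to confirm that the issuer printed by `cert_issuer` for each server certificate is present under Certificate Authorities on the other node.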


Tags: Cisco Security

Similar Questions

  • ACS 5.7 - accessing Monitoring and Reporting on a secondary server from the primary server

    My organization has an ACS deployment consisting of three servers. Currently, the primary ACS server is also the log collector. However, Cisco recommends making a secondary server the log collector.

    I noticed that when I log in to the secondary server and click on "Monitoring and Reporting", I am prompted to log in to the primary server because that is where the logs are. I guess that if the log collector is on the secondary server and I click on "Monitoring and Reporting" on the primary server, I will be asked to log in to the secondary server.

    Is there a way of not having to log in twice (once to access the web interface and again to access reports)? It seems that an ACS deployment should support some kind of single sign-on, so that once you are logged in to one server it gives you access to the other without having to log in again.

    Hi David,

    I know that the Cisco documentation mentions the secondary as the best-practice log collector; however, what it in fact means is that the server acting as log collector should not be authenticating users.

    If your primary is the log collector that should be fine, as long as it is not authenticating users (and the secondary handles that task).

    And regarding the redirect, that is right: regardless of which server you log in to, once you click on "Monitoring and Reporting" you will be redirected to the log collector and need to log in to it, unless you are already on the log collector when you click on "Monitoring and Reporting".

    SSO between servers would be a good thing but is not available.

    Note: Please mark as answered as appropriate.

  • Can we create a standby database on the same server as the primary database

    I have Oracle 10g Rel2 on Windows Server 2003. Can I create a standby database on the same server on which we have our primary database?

    Yes, you can.
    You must configure the DB_FILE_NAME_CONVERT parameter.
    If the standby database is on the same system as the primary database, or if the directory structure where the data files are located on the standby site is different from the primary site, this parameter is required.
    Please refer to the documentation:
    http://download.Oracle.com/docs/CD/B19306_01/server.102/b14237/initparams048.htm#REFRN10038

    - - - - - - - - - - - - - - - - - - - - -
    Kamran Agayev A. (10g OCP)
    http://kamranagayev.WordPress.com

  • Adding a secondary ACS 5.4 server

    Hello

    My client has an ACS 1121 running version 5.4. Now we want to install a secondary ACS 1121.

    Can someone help me with the procedure?

    Thank you

    Hi Jonathan,

    Please follow the user guide:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/admin_operations.html#wp1056068

    The log collector serves the entire deployment. It is recommended to have the log collector on the instance that handles the fewest AAA requests.

    To set the log collector:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/admin_config.html#wpxref50831

    Pawel

  • ACS database replication does not work after changing the secondary ACS IP address

    Hello. I'm running 2 ACS 3.1 servers: ACS01 (primary) & ACS02 (secondary). We recently moved ACS02 to another site and changed its IP address.

    When we run database replication from ACS01, we receive an error message saying ACS02 has refused the replication request.

    Any idea what can be the problem?

    Consider these points when you implement the Cisco Secure database replication feature:

    (1) ACS only supports replication of its database to other ACS servers. All ACS servers participating in Cisco Secure database replication must run the same version and patch level of ACS.

    (2) The primary server copies compressed and encrypted database components to the secondary server. This transmission is done via a TCP connection on port 2000. The TCP session is authenticated and uses a Cisco-proprietary encrypted protocol.

    (3) Only properly configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, it is displayed for selection as a secondary server in the AAA Servers list under Replication Partners on the Cisco Secure Database Replication page.

    (4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's key.

    (5) Replication to secondary servers takes place sequentially in the order listed in the Replication list under Replication Partners on the Cisco Secure Database Replication page.

    (6) The secondary server that receives the replicated components must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.

    (7) ACS does not support two-way database replication. The secondary server, which receives the replicated components, checks that the primary server is not on its own replication list. If it is not, the secondary server accepts the replicated components. If it is, it rejects them.

    (8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information on user-defined RADIUS vendors and VSAs, see the User-Defined RADIUS Vendors and VSA Sets section of the Cisco Secure ACS Database Command-Line Utility document.

  • Implementing a Hosts file on the server for the entire network?

    I see a lot of information on how to edit the local Hosts file on individual computers. But is it possible to edit a Hosts file and have it take effect throughout the network?

    We have a network of a little over half a dozen Mac minis, which take their DNS information from another Mac mini running OS X Server (under El Capitan). This server is the primary DNS machine for the network. I want to implement a Hosts file for the entire network.

    Parental controls seem to be broken in OS X El Capitan, so this seems like the next best option for us, short of buying some third-party service, which I would prefer not to do.

    I think that installing dnsmasq on your Mac server and configuring all your computers to use it as their "DNS Server" will achieve what you want.

    See https://oracle-base.com/articles/misc/dnsmasq-for-simple-dns-configurations-mac-osx

    Why do you feel you must do this?

  • ACS secondary server does not authenticate users through 3850 WLC

    Hi - I have an issue where my secondary ACS server does not authenticate users when the primary is taken offline. My configuration is:

    3850 WLC by using the code version 03.07.00E

    ACS Version 5.6 (primary/secondary)

    Both ACS servers are added to the WLC (ACS-NLBP-01 (primary) / HEN-ACS-01 (secondary)), defined in the server group (ACS_AUTH) and also in the method list (ACS_AUTH). The ACS_AUTH method list is then applied to the SSID.

    A 'test aaa group ACS_AUTH' command returns an access result for both ACS servers. IP/RADIUS communication is operational between the WLC and both ACS servers.

    The 3850 configuration is also attached for reference.

    Any help would be appreciated.

    Thank you

    Scott

    Please add the commands listed below and test again when you can.

    ! keep a server marked dead for <min> minutes so the secondary is used right away
    radius-server deadtime <min>
    ! one retransmission before giving up on a request
    radius-server retransmit 1
    ! declare a server dead after 5 seconds with 1 unanswered try
    radius-server dead-criteria time 5 tries 1

    Configuring settings for all RADIUS servers

    HTH

    ~ Jousset

  • Cisco Secure ACS Solution Engine ping

    1. I installed Cisco Secure ACS Solution Engine v3.3 and I can access it via HTTP on port 2002, but I can't ping it from anywhere in the network, although the server can ping everything. Is this normal?

    2. If I can't ping it, how can I define the keepalive service to load balance 2 ACS engines using CSS?

    By the way, I forgot that the ACS 3.3 appliance has an integrated CSA. This agent is enabled by default. That explains why you can't ping it.

    To enable/disable it, go to "System Configuration - Appliance Configuration" and toggle the CSA enabled checkbox as needed.

    http://www.Cisco.com/en/us/partner/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023361d.html#wp859228

    Rgds,

    AK

  • Secure ACS appliance and Remote Agents

    Hello

    We are testing the Secure ACS 3.2 appliance and authentication against AD via remote agents. When two or more remote agents are registered with the appliance in the Network Configuration menu, is the appliance smart enough to try the second remote agent machine if it can't talk to the first? We tested this failover by stopping the remote agent service on the first domain controller where it was installed. However, failover does not occur. We want to know if this failover is supposed to work, and if so, what we need to do to make it work.

    Yoshi Nagase

    Hello

    I am implementing a solution similar to yours... 2 ACS appliances with 2 Remote Agents...

    I set the remote agents in Network Configuration and in External User Databases - Windows Database - Windows Remote Agent Selection.

    In this menu, set the primary and secondary Remote Agent.

    HTH

    Omar

  • ASA - added a public server and now it is limited to that traffic

    I added an internal e-mail server to a brand new ASA5510 today. I used the GUI because it is a fairly simple setup. In any case, I added a mail server to allow port 25 inbound on a static NAT address dedicated to this server. But now this server can't do anything on the internet: browsing, DNS lookups, etc. The server is also the internal DNS server. What am I probably missing?

    Hello

    It's not about the MAC address but about proxy ARP.

    • Addresses on the same network as the mapped interface.

    If you use addresses on the same network as the mapped interface, the ASA uses proxy ARP to respond to any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the ASA does not have to be the gateway for any additional networks. This solution is ideal if the outside network contains an adequate number of free addresses, a consideration if you are using a 1:1 translation like dynamic NAT or static NAT. Dynamic PAT greatly extends the number of translations you can use with a small number of addresses, so even if the number of available addresses on the outside network is small, this method can be used. For PAT, you can even use the IP address of the mapped interface.

    Note: If you configure the mapped interface to be any interface, and you specify a mapped address on the same network as one of the mapped interfaces, then if an ARP request for that mapped address arrives on a different interface, you need to manually configure an ARP entry for that network on the ingress interface, specifying its MAC address (see the arp command). Typically, if you specify an interface for the mapped interface, you use a unique network for the mapped addresses, so this situation would not occur.

    • Addresses on a unique network.

    If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The upstream router needs a static route for the mapped addresses that points to the ASA. Alternatively, for routed mode, you can configure a static route on the ASA for the mapped addresses and then redistribute the route using your routing protocol. For transparent mode, if the real host is directly connected, configure the static route on the upstream router to point to the ASA: specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the upstream router, you can alternatively specify the downstream router IP address.

    Mapped Addresses and Routing

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html

    HTH

    Sandy

  • Secure ACS: Special-attributes RADIUS for Enterasys E7

    Hello

    We were running a pretty old version of Cisco Secure ACS for AAA of our network devices.

    Unfortunately, the server crashed and I needed to install and configure it on a new server.

    TACACS+ for our Cisco devices works very well.

    We have a couple of switches made by a vendor called Nexans, which support only RADIUS - that works fine also.

    In addition, we still have a few Enterasys E7s, and with those RADIUS does not work at all.

    Sniffing packets, everything looks good.

    With the old server it worked well.

    Does anyone know if there are special configurations (attributes, for example) required when you configure ACS for Enterasys RADIUS clients?

    Thank you

    Rolf

    Try this

    Filter-Id attribute [011] set to 'Enterasys:version=1:mgmt=su:'

  • With Cisco Secure ACS for Windows TACACS+, authentication fails with AD

    I'm setting up a Cisco Secure ACS 4.2 server to act as a RADIUS server for switches and routers. I use a Windows 2003 server for ACS and an Active Directory Windows 2003 server. The AD server is fine; it is used for many other things.

    I've set up ACS as defined in the installation guide, including all the steps in the "Member Server" section of the installation guide for using AD as an external database (e.g. setting up services to run with a domain administrator account, setting up a machine called "CISCO" in the domain, etc.).

    I've set the unknown user policy to use the Windows database if the internal database does not contain the user's details.

    If I add a user to the internal database, authentication goes through fine, with an entry in the "Passed Authentications" log.

    02-24-2010, 05:07:03, authentic failed, eXXXX, Network Administrators (NDG), X.X.X.X, (default), internal error, (get the internal error error message)

    I scoured Google etc. and just cannot come up with any reason why this should be the case. I followed all of the installation guides to the letter. I need to get this up and running as soon as possible, so am eager to know if someone can help me with this one!

    Thanks and regards

    Sharan

    George,

    Internal error is fairly generic, but a common situation where we see this error is when ACS is installed on a 64-bit computer. ACS would not work with Active Directory when installed on 64-bit machines before ACS 4.2.1.

    -Jesse

  • Cisco Secure ACS 5.1 and strong authentication for ACS administrators?

    Hello

    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication of this option in the "System Administration > Administrators > Settings > Authentication" panel.

    (I'm running Secure ACS Server 5.1.0.44)

    Thank you

    Christophe

    Hi Christophe,

    Unfortunately not.

    The only DB supported for administrator accounts is the internal ACS DB.

    I hope this helps.

    ARO
    Tiago

  • Cannot replicate from the primary to the secondary ACS server

    I have a primary and a secondary ACS server and am trying to replicate the primary database to the secondary. When I do, the secondary reports "inbound database replication from ACS '' denied - shared secret mismatch." I believe that this refers to the shared secret I stepped through for database encryption during installation. Is it possible to change this shared secret without having to reinstall? (Note that this isn't the AAA key listed for itself in Network Configuration.)

    Version is 4.1 on Windows Server 2003.

    What version of ACS do you use? It is in fact the shared secret for the AAA servers and not the shared secret for the database encryption. There is a known bug: if you look at the self entry on the two ACS instances, does either one of them show a loopback address and not the real IP address? If yes, then you hit the bug I mentioned. The best way to solve it is to access the console and change the IP address (for example, enable DHCP to pull an IP address and let the services restart). Then go back into the box and assign the static IP address you used. Once services come back, verify that the self entry now has the correct IP address (physical and not loopback) and test your replication again.

    Thank you

    Tarik

  • CiscoSecure ACS v4.2 RADIUS logs upload to FTP server

    Hello

    I use a CiscoSecure ACS v4.2 appliance and would like to upload the RADIUS logs to an FTP server, because the appliance has limited storage for RADIUS logs.

    Please advise.

    Thank you

    AS

    You can only configure remote logging. Cisco Secure ACS Solution Engine appliances configured to use a remote agent send logging data directly to the remote agent logging service, CSLogAgent. CSLogAgent writes the logging data to the hard disk at the location specified by the configuration provider. The logs contain the columns specified by the configuration provider.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/LgsRpts.html#wp703058

    Jatin kone
    - Rate useful messages -
