User Password Not Replicated during ACS Replication

Unanswered Question
Jun 14th, 2007

I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate user and group database to another ACS. Replication interval time is set to 15 mins.


Problem is that even though the replication cycle runs every 15 mins, if no user is added or deleted, the pre-checks determine that outbound replication is not required and the cycle is completed. Hence, if a user's password changes, it is not replicated to the other ACS, and if the authentication request goes to the other ACS then it fails. Manual replication is fine.


How can I make sure replication is run even in case of a user password change, and not just when a user is added or removed?

Jagdeep Gambhir Thu, 06/14/2007 - 04:48
User Badges:
  • Red, 2250 points or more

Hi,

You can force replication to occur upon password change.


In the ACS GUI, go to System Configuration > Local Password Management > Remote Change Password, and enable "Upon remote user password change, immediately propagate the change to selected replication partners".



Let me know if that helps!


Regards,

Jagdeep

magurwara Thu, 06/14/2007 - 05:27

I have tested that, but that option is only available for the following:


"Note: This setting only applies to passwords changed using a User-Changeable Passwords HTML interface, CiscoSecure Authentication Agent, or a Telnet session on a TACACS+ device."


Any other idea why it is not doing it or how to do it?

Jagdeep Gambhir Fri, 06/15/2007 - 05:17
User Badges:
  • Red, 2250 points or more

Hi,

What is the ACS version? Where are the user accounts you are referring to stored, i.e. are they local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?


Users defined via Active Directory are dynamically mapped to a user account in ACS, and this account information is typically not replicated since the users created are dynamic and can change properties based on configuration/changes in Active Directory itself.



Regards,

Jagdeep




magurwara Fri, 06/15/2007 - 05:21

The users are local to Cisco ACS itself. However, the password is changed on the provisioning system, which in turn changes the password in Cisco ACS.

Jagdeep Gambhir Fri, 06/15/2007 - 06:23
User Badges:
  • Red, 2250 points or more

Hi,

I'm not sure what you mean by "password is changed on the provisioning system"?


Regards,


magurwara Sat, 06/16/2007 - 09:33

We are using Tivoli Identity Manager. The TIM agent installed on the ACS uses the RDBMS feature to modify/add/delete accounts.

Jagdeep Gambhir Mon, 06/18/2007 - 12:14
User Badges:
  • Red, 2250 points or more

Hi,

I would suggest you try it without using TIM and see if passwords are getting replicated.


If they do, then it seems there is some compatibility issue between TIM and ACS.


Let me know the outcome.


Regards,
