06-14-2007 04:09 AM - edited 03-10-2019 03:12 PM
I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate user and group database to another ACS. Replication interval time is set to 15 mins.
The problem is that even though the replication cycle runs every 15 mins, if no user is added or deleted, the pre-checks determine that outbound replication is not required and the cycle is completed. Hence, if users' passwords change, they are not replicated to the other ACS, and if the authentication request goes to the other ACS, it fails. Manual replication is fine.
How can I make sure replication runs even in case of a user password change, and not just when a user is added or removed?
06-14-2007 04:48 AM
Hi,
You can force replication to occur upon password change.
In the ACS GUI, go to System Configuration > Local Password Management > Remote Change Password > Enable "Upon remote user password change, immediately propagate the change to selected replication partners"
Let me know if that helps!
Regards,
Jagdeep
06-14-2007 05:27 AM
I have tested that but that option is only available for:
"Note: This setting only applies to passwords changed using a User-Changeable Passwords HTML interface, CiscoSecure Authentication Agent, or a Telnet session on a TACACS+ device."
Any other idea why it is not doing it or how to do it?
06-15-2007 05:17 AM
Hi,
What is the ACS version? Where are the user accounts you are referring to stored? I.e., are they local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?
Users defined via Active Directory are dynamically mapped to a user account in ACS and this account information is typically not replicated since the users created are dynamic and can change properties based on configuration/changes in Active Directory itself.
Regards,
Jagdeep
06-15-2007 05:21 AM
The users are local to Cisco ACS itself. However, the password is changed on the provisioning system, that in turn changes the password in Cisco ACS.
06-15-2007 05:25 AM
ACS version 4.0(27)
06-15-2007 06:23 AM
Hi,
I'm not sure what you mean by "password is changed on the provisioning system"?
Regards,
06-16-2007 09:33 AM
We are using Tivoli Identity Manager. The TIM agent installed on the ACS uses the RDBMS feature to modify/add/delete accounts.
06-18-2007 12:14 PM
Hi,
I would suggest you try it without using TIM and see if passwords are getting replicated.
If it does, then it seems some compatibility between TIM and ACS.
Let me know the outcome.
Regards,