
User Password Not Replicated during ACS Replication

magurwara
Level 1

I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate user and group database to another ACS. Replication interval time is set to 15 mins.

The problem is that even though the replication cycle runs every 15 mins, if no user is added or deleted, the pre-checks determine that outbound replication is not required and the cycle is completed. Hence, if users' passwords change, they are not replicated to the other ACS, and if an authentication request goes to the other ACS, it fails. Manual replication is fine.

How to make sure replication is run even in case of a user password change, and not just when a user is added or removed?


Jagdeep Gambhir
Level 10

Hi,

You can force replication to occur upon password change.

In the ACS GUI, go to System Configuration > Local Password Management > Remote Change Password > Enable "Upon remote user password change, immediately propagate the change to selected replication partners"

Let me know if that helps!

Regards,

Jagdeep

I have tested that but that option is only available for:

"Note: This setting only applies to passwords changed using a User-Changeable Passwords HTML interface, CiscoSecure Authentication Agent, or a Telnet session on a TACACS+ device."

Any other idea why it is not doing it or how to do it?

Hi,

What is the ACS ver? Where are the user accounts you are referring to stored? I.e. are they local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?

Users defined via Active Directory are dynamically mapped to a user account in ACS and this account information is typically not replicated since the users created are dynamic and can change properties based on configuration/changes in Active Directory itself.

Regards,

Jagdeep

The users are local to Cisco ACS itself. However, the password is changed on the provisioning system, that in turn changes the password in Cisco ACS.

ACS version 4.0(27)

Hi,

I'm not sure what you mean by "password is changed on the provisioning system"?

Regards,

We are using Tivoli Identity Manager. The TIM agent installed on the ACS uses the RDBMS feature to modify/add/delete accounts.

Hi,

I would suggest you try it without using TIM and see if passwords are getting replicated.

If it does then it seems some compatibility between TIM and ACS.

Let me know the outcome.

Regards,
