ACS synchronization for external database

May 8th, 2008

Hi, everyone,


I am implementing two identical ACS 4.0 servers for my customer as RADIUS servers. They will point to the existing AD user DB via the unknown user policy. Group mapping is done as well.


My customer has just challenged me to enable "auto configuration synchronization" between the two boxes. I checked through the manual again and found no hint on this. Can anyone give me some idea on this? Thanks in advance!

Jagdeep Gambhir Thu, 05/08/2008 - 07:58

Please make sure that replication is setup correctly as per this link,


http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml


1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication.


2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.


3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.


4) Ensure that the secondary server has its replication scheduling set to "manual".


5) Please verify that your servers are all running exactly the same ACS version and build.


6) Also let me know if there is any firewall between the two ACS servers.



Regards,

~JG


Do rate helpful posts

xianglingzj Thu, 05/08/2008 - 08:56

Thanks a lot JG.


But are you sure that this can replicate the group mapping for unknown users? Basically the configuration on the ACS consists only of some NAPs, the external DB and the unknown user group mapping.

Jagdeep Gambhir Thu, 05/08/2008 - 18:41

You can use database replication to:

• Select the parts of the primary ACS configuration to be replicated.

• Control the timing of the replication process, including creating schedules.

• Export selected configuration items from the primary ACS.

• Securely transport selected configuration data from the primary ACS to one or more secondary ACSs.

• Update the secondary ACSs to create matching configurations.

The following items cannot be replicated:

• IP pool definitions.

• ACS certificate and private key files.

• Unknown user group mapping configuration.

• Dynamically-mapped users.

• Settings on the ACS Service Management page in the System Configuration section.

• RDBMS Synchronization settings.

• Third-party software, such as Novell Requestor or RSA ACE client software.


Regards,

~JG


Do rate helpful posts
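As an added illustration (not code from the thread or from Cisco), the following checker encodes JG's six-point replication checklist from his first reply together with the list of non-replicable items from his second reply, so that a planned primary/secondary pair can be sanity-checked before the customer relies on it. The AcsServer model, its field names, the component names and the sample values are constructed assumptions, not an ACS export format.

```python
from dataclasses import dataclass, field

# Items JG's second reply lists as NOT carried by ACS database replication.
NOT_REPLICATED = {
    "ip_pool_definitions", "certificate_and_private_key",
    "unknown_user_group_mapping", "dynamically_mapped_users",
    "service_management", "rdbms_sync", "third_party_software",
}

@dataclass
class AcsServer:
    """Replication-relevant settings of one ACS 4.x box (constructed model,
    not an ACS export format)."""
    name: str
    version: str
    partners: set = field(default_factory=set)   # replication partner list
    send: set = field(default_factory=set)       # components ticked in the send list
    receive: set = field(default_factory=set)    # components ticked in the receive list
    schedule: str = "manual"                     # "manual" or "automatic"

def check_replication(primary, secondary, nat_between=False, wanted_in_sync=()):
    """Return findings from JG's checklist, plus any item the customer expects
    to stay in sync that replication cannot carry."""
    findings = []
    if nat_between:
        findings.append("replication over NAT: the peer IP is part of server authentication")
    if "distribution_table" in primary.send:
        findings.append("primary: distribution table is checked in the send list")
    if "distribution_table" in secondary.receive:
        findings.append("secondary: distribution table is checked in the receive list")
    if primary.name in secondary.partners:
        findings.append("secondary: primary must not appear in its partner list")
    if secondary.name not in primary.partners:
        findings.append("primary: secondary is missing from its partner list")
    if secondary.schedule != "manual":
        findings.append("secondary: replication scheduling must be manual")
    if primary.version != secondary.version:
        findings.append(f"version mismatch: {primary.version} vs {secondary.version}")
    for item in sorted(set(wanted_in_sync) & NOT_REPLICATED):
        findings.append(f"{item}: not replicated by ACS, keep it in sync by hand")
    return findings

def example():
    """Constructed sample: the poster's setup with two common mistakes."""
    primary = AcsServer("acs1", "4.0.x-constructed", partners={"acs2"},
                        send={"user_and_group_db", "network_config", "distribution_table"})
    secondary = AcsServer("acs2", "4.0.x-constructed", partners={"acs1"},
                          receive={"user_and_group_db", "network_config"})
    return check_replication(primary, secondary, wanted_in_sync=[
        "network_access_profiles", "external_db_config", "unknown_user_group_mapping"])
```

Running example() reports the distribution table in the primary's send list, the primary wrongly listed as the secondary's partner, and the unknown user group mapping as something replication will not carry.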


xianglingzj Fri, 05/09/2008 - 00:09

Hi, JG,


It is obvious that the database replication function of the ACS does not meet the customer's requirement. Do you have any suggestion on how to meet the customer requirement?

jorge-mora Thu, 06/26/2008 - 14:12

Hi,



Are these supported and unsupported features documented somewhere in CCO? I'm concerned about the inability to replicate Dynamically-mapped users. I went through the whole ACS SE 4.1 User Guide and didn't find an exact answer.


Thanks for your help!
