08-07-2008 12:48 PM - edited 03-10-2019 04:01 PM
Hello
I have Primary ACS in Datacenter-1 and would like to have Secondary-ACS in DataCenter2 in different geographical location.
Is there any other prerequisite apart from same hardware / same OS version / same ACS version?
Any recommendation for such a setup, kindly share your experience.
08-08-2008 03:23 AM
Amin,
None - the hardware and OS do not have to match. The version of ACS does have to match if you are going to replicate - which I suggest you do, nobody likes to have to make config changes twice.
I have a primary ACS server in my primary D/C and my failover in my DR D/C. My primary and DR are in separate countries.
Just configure, on your network devices, both ACS servers and the order you want to use them in. Also the timeouts - when the authenticating device should use the DR when the primary is unavailable.
One more thing - make sure you keep on top of your logging: if you let the logs fill the hard drive, there is a % threshold that triggers the ACS to not authenticate users.
HTH>
08-08-2008 06:59 AM
Thanks Andrew. I too will have ACS in two different countries.
How do I configure the timeouts for when the authenticating device should use DR?
If the secondary ACS becomes active and you make some changes then, do they replicate to the primary once it is back? (Did you test this?)
08-08-2008 07:05 AM
You configure the timeouts in the network devices: router, switch, firewall, etc.!
You configure replication to be performed at pre-determined times, or manually.
My ACS servers perform a "Database Replication" once a day, if I need to roll out the change faster, I perform a manual DB replication.
You can configure who replicates to whom, and what is replicated, i.e. users, groups, network objects, ...
HTH>
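As an added illustration of the advice above (example configuration written for this thread, not any poster's own config), the Cisco IOS AAA fragment below defines a primary and a DR TACACS+ (ACS) server, puts them in a server group in the order they should be tried, and sets the per-server timeout that decides when a device gives up on the primary and falls back to the DR server. The addresses, shared key, group name and local account are placeholders.

```cisco
! Example: Cisco IOS AAA pointing at a primary and a DR TACACS+ (ACS) server.
! Addresses, the shared key and the names are placeholders, not values from the thread.
aaa new-model
!
! Define each ACS server. 'timeout' is the per-request wait (seconds) before the
! device gives up on this server and moves to the next one in the group.
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key 0 REPLACE-WITH-SHARED-SECRET
 timeout 5
!
tacacs server ACS-DR
 address ipv4 198.51.100.10
 key 0 REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! Server group: members are tried in the order listed, so the primary-DC server
! is asked first and the DR server is used only when the primary does not answer.
aaa group server tacacs+ ACS-SERVERS
 server name ACS-PRIMARY
 server name ACS-DR
!
! Source all TACACS+ traffic from a stable interface so both ACS servers see the
! device under one address (the one entered as the AAA client on ACS).
ip tacacs source-interface Loopback0
!
! Login and exec authorization go to the ACS group first; 'local' is the fallback
! when neither server responds, so a WAN outage between the sites does not lock
! administrators out of the device.
aaa authentication login default group ACS-SERVERS local
aaa authorization exec default group ACS-SERVERS local
aaa accounting exec default start-stop group ACS-SERVERS
!
! Local account used only if every ACS server in the group is unreachable.
username admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
```

With two servers at 5 seconds each, a login attempt can wait up to about 10 seconds before the local fallback is consulted, so the timeout should be tuned to the WAN latency between the sites rather than left at a large value. Keep the same shared key and AAA client entry on both ACS servers (or let replication carry the network configuration across), otherwise the failover server will reject the device even though it is reachable.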
08-08-2008 07:29 AM
"None - the hardware and OS do not have to match."
I have to disagree with this. The OS will have to match as well. For example, let's say that you have the primary ACS 4.0.1 running on Windows 2000 Server and the secondary ACS 4.0.1 running on Windows 2003 Server. If you have issues and contact Cisco TAC, I don't think they will support it.
08-08-2008 07:39 AM
That is a possibility!
But as long as the ACS versions match, there should be no issues - the primary issue I have found in the past with different ACS versions is replication errors.
Once the servers that are replicating to each other are ALL the same version, it purrs like a kitten!
08-08-2008 08:36 AM
Thanks....
The Cisco System Engineer suggests having the same OS / same ACS version to avoid issues.
How could you block direct login access on the ACS box? (You don't need the admin password to get into the ACS Management console.)
I would have 5 Business Unit routers / firewalls / switches under ACS.
I want to configure each Business Unit's network devices under separate groups (BU1 will have a group on ACS and all its network devices will be there). How do I restrict a specific Active Directory group to have access to this network group? [Is this possible?]
I'm new to ACS, so I don't have much idea; currently all devices are under one group.
08-13-2008 05:35 AM
"That is a possibility!"
That is the FACT.
"But as long as the ACS versions match.....there should be no issues"
Since you do not work for Cisco, you do not know that for sure. It is better to be safe than sorry.