ACS Database Replication Configuration!!!

Aug 12th, 2010

Dear all,


I want to configure 2 ACS servers, one Primary and the other Secondary, and I have 1500 devices. Now I configure 800 devices to point to the Primary server and 700 devices to point to the Secondary server. Does it work?

If it doesn't work, I must configure all my 1500 devices to point to the primary server. My question is: "how can I configure my 1500 devices to point to the primary server and, if it fails, have my devices automatically point to the secondary server?"

xenoxone11 Sun, 08/15/2010 - 20:45

Must I configure the secondary server to point to the clients? Or just configure it on the primary server?

adam benigar Thu, 08/12/2010 - 13:38

1.  set up all your 1500 devices on the Primary.

2.  set up replication to the Secondary

3.  in your device configs set up the primary ACS first and then the secondary.  See below:


tacacs-server host >
tacacs-server host >


The config will attempt to locate the ACS servers in the order given in the config, so the order matters.  If the devices cannot reach the primary then they will go down the list until they find an ACS server that is communicating.


It's probably best not to set the 2 servers up on the same network if possible.
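The ordering adam describes, as an added IOS-style example that is not from the original post: the addresses and shared secret are constructed placeholders, and it assumes the classic "tacacs-server host" syntax of IOS 12.x.

```cisco
! Added example (not from the original post): IOS-style AAA config
! that implements the ordering adam describes. Addresses and the
! shared secret are constructed placeholders; the "tacacs-server host"
! form is the classic IOS 12.x syntax.
aaa new-model
!
! Local fallback account, used only when NO TACACS+ server answers.
! A reject from a reachable server is final and does not fall through.
username admin privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
! Servers are tried in the order they appear here: the first line is
! the primary, the second the secondary. Listing them in the other
! order would swap the roles on this device.
tacacs-server host 192.0.2.10 key <SHARED-SECRET>
tacacs-server host 198.51.100.10 key <SHARED-SECRET>
!
! How long to wait for each server before moving down the list.
! With two servers a login can stall up to 2 x timeout before the
! "local" method is reached, so keep this small.
tacacs-server timeout 5
!
! Source all TACACS+ traffic from a stable address so the AAA client
! entry on both ACS servers matches regardless of ingress interface.
ip tacacs source-interface Loopback0
!
! Method lists: "group tacacs+" walks the host list above; "local" is
! only used when every host in the list is unreachable.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting to the same server set, so ACS receives start/stop
! records for sessions and privileged commands.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Because the device only falls back when a server stops answering, verify the failover path by stopping the TACACS+ service on the primary in a maintenance window rather than by entering a wrong password.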

adam benigar Mon, 08/16/2010 - 10:47

1.  Set up the primary server.  Enter in all the device IPs or IP ranges (which ever you prefer), users, groups, etc.

2.  Load ACS on the secondary server.

3.  Set up the servers as replication partners (how you do this depends on which version you're running).

          You'll need to configure the primary with the secondary's information and vice versa.

4.  Once the servers are replicating, the primary server will push all the devices, users, groups, etc to the secondary server.

5.  Then just configure the devices as described in my last post.


Which version of ACS are you running?  If you're not sure, I can tell you how to set each server up to replicate.

xenoxone11 Tue, 08/24/2010 - 09:20

@adam,


Everything is ok! Thank you so much.


But I have just 1 problem. Cisco Secure ACS can send a notification e-mail to the administrator. I tried to configure it but...


When I installed Cisco Secure ACS, a window appeared that included the e-mail configuration. I disabled it. Now I have finished installing ACS, and I want to enable notification e-mail. On the Cisco ACS menu, click System Configuration -> ACS Service Management -> check "Email notification of event" -> type my e-mail and SMTP server hostname (Operated) -> Submit. But my inbox doesn't receive any e-mail from ACS. Please help me. I wonder if this problem is due to the ACS installation???

adam benigar Tue, 08/24/2010 - 11:08

Do you have either one of the check boxes selected in the SYSTEM MONITORING box above the EVENT LOGGING box?  One of those has to be selected in order for you to receive e-mail alerts.


If one of those is selected then you may want to create an event to test it.  If you still haven't received an alert then you may have to check with your e-mail team to see if there are any restrictions on the SMTP server or if your ACS server has to be authorized by the SMTP server.


I haven't really worked with event logging notifications in ACS all that much so this is about my limit of what I can help with.


Good luck

xenoxone11 Tue, 08/24/2010 - 20:48

Dear adam,


Maybe you're right. Cisco Secure ACS is not authorized by the SMTP server.


I have one more problem with viewing log files in Cisco Secure ACS. It's the Logged-in User Log. Although I logged in to one of my Cisco devices, I haven't seen anything in the Logged-in User Log. My server is a TACACS+ server, but when I add an AAA Server, I must choose Server Type "Cisco Secure ACS" to use Database Replication (TACACS+ does not work with DBR), and the Cisco devices were configured to work with the TACACS+ protocol, so the server's type and the client's type do not match. I also configured authorization and accounting in AAA Client using the same type, TACACS+. From reading some documents, it was said that the Logged-in User Log only works with RADIUS. Is that right?


Thanks for your opinions.
