Introduction
ACS 5.3 - Unable to Re-Register Secondary to Primary, Registration failed
Scenario
The user ran a failover test between the primary and secondary ACS systems (running 'acs stop' on the primary) and, in the process, decided to promote the secondary while the primary was down. All was fine until the user brought the primary back up and tried to re-register the secondary to it. The user got the following error message:
The user looked under System Administration > Operations > Distributed System Management on each system, and each showed the other device as deregistered. The user tried to promote from there, but that failed too, so the user deleted them and tried to register the secondary again. Rebooting both ACS systems did not help. The username and password, the IP address and the hostname are all correct.
ACS/admin# sh app version acs
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40.5
Internal Build ID : B.839
Patches :
5-3-0-40-5
Solution
The GUI credentials of a super-admin account are used to register the secondary to the primary.
SuperAdmin:
The Super Admin role has complete access to every ACS administrative function. If you do not need granular access control, this role is most convenient, and this is the role assigned to the predefined ACSAdmin account.
This role has Create, Read, Update, Delete, and eXecute (CRUDX) permissions on all resources.
Administrator Accounts and Role Association
Administrator account definitions consist of a name, status, description, e-mail address, password, and role assignment.
Note: It is recommended that you create a unique administrator for each person. In this way, operations are clearly recorded in the audit log.
Administrators are authenticated against the internal database only.
You can edit and delete existing accounts. However, the web interface displays an error message if you attempt to delete or disable the last super administrator.
Only appropriate administrators can configure identities and certificates. The identities configured in the System Administration drawer are available in the Users and Identity Stores drawer, but they cannot be modified there.
Related Information
Problem: Error: "You are not authorized to view the requested page" when ACS 5.x admin with ChangeUserPassword role changes the password
An ACS 5.x GUI admin user with the ChangeUserPassword role cannot change the password of an AAA user stored in the internal database. After changing the password, the user receives this pop-up error message: You are not authorized to view the requested page.
Solution
This can occur when the ACS 5.x database is migrated from ACS 4.x. Use the SuperAdmin privilege in order to change the user password. Refer to Cisco bug ID CSCty91045 (registered customers only) for more information.
Reference