Moving ACS to a new server

Scott Payne
Level 1

I have been informed that I am to move the ACS 3.3 from one server to another. So I have some basic questions.

1) I am going to do a fresh install and then would like to copy the existing files to the new server.

2) If I can copy all of the files (I feel that I should be able to) what executables do I need to run in order to get ACS running? If the files are copied all of the settings should be in place, correct?

3) I do believe I only need to change one line of config on the PIX. It is the only line of config I can find related to the IP of the ACS server. Here is the line: aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! time out 10

I am assuming that is the line that needs to be changed on the firewall?

I would like to make this change as seamless as possible. I think I am on the right track but just want to make sure.

Thanks,

Scott

9 Replies

darpotter
Level 5

Ok, the thing to do is to create an ACS Backup on the existing server.

Then restore the backup onto the new server.

There's one slight issue with this, in the registry there is always a host entry for the ACS server itself. After doing the restore, in the network config, you'll see an entry for the original ACS server - this one can be deleted.

Darran

Let me make sure about this. So you are saying I DON'T need to do an install at all. Just do a backup/restore and copy those files to the new server? Or do I still need to do an install and then restore the backup to the new server? What do you think about that config change? I am correct about that, I do believe. This sounds pretty easy.

I'll let you know.

Thanks.

You definitely need to do another install... otherwise you won't have anything onto which you can restore your config!

darpotter,

Thanks for your help so far. I went ahead and set up the new ACS server. It was very easy and presented no problems at all. However, when I point the firewall to the new ACS server I get 403 errors. The users aren't authenticating. The ACS and PIX are communicating properly. However, authentication is not occurring. One thing I noticed on the new ACS server is that the failed authentication reports (or any reports) are being written to.

Have you run into that problem before? I believe if the information will write to the reports, the problem will be solved.

Hi

What's in the failed attempts report?

I am getting a Reason 413. I have pasted a portion of the config below. The new_TACACS+ is the server I am trying to point to. As you can see, the VPNGROUP is pointing to the new ACS but nothing authenticates. The logging still occurs in the old ACS. Should I just remove the old ACS config??

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server new_TACACS+ protocol tacacs+
aaa-server new_TACACS+ max-failed-attempts 3
aaa-server new_TACACS+ deadtime 10
aaa-server new_TACACS+ (inside) host 192.168.172.11 $$TF_acs! timeout 10
aaa accounting match ACCOUNTING outside new_TACACS+
aaa accounting match ACCOUNTING inside new_TACACS+
vpngroup tfipsec address-pool ipsecpool
vpngroup tfipsec dns-server 192.168.172.11 192.168.169.20
vpngroup tfipsec default-domain travelfocus.com
vpngroup tfipsec split-tunnel vpn_in
vpngroup tfipsec idle-time 1800
vpngroup tfipsec authentication-server new_TACACS+
vpngroup tfipsec user-authentication
vpngroup tfipsec password ********
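The question of whether the old aaa-server group can be removed, and whether the vpngroup really points at a group with a live host, is the kind of thing worth checking mechanically before and after a migration. The following is an added example, not code from the thread or from Cisco: it parses the PIX 6.x statement shapes pasted above (the regexes and the trimmed sample config are my own constructions) and reports which groups still carry the old ACS address, which of those nothing references any more, and which referenced groups have no host at all.

```python
import re

# Constructed sample: the PIX 6.x fragment pasted above, trimmed to the lines
# the audit cares about. Old ACS is 192.168.169.21, new ACS is 192.168.172.11.
PIX_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! timeout 10
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server new_TACACS+ protocol tacacs+
aaa-server new_TACACS+ (inside) host 192.168.172.11 $$TF_acs! timeout 10
aaa accounting match ACCOUNTING outside new_TACACS+
aaa accounting match ACCOUNTING inside new_TACACS+
vpngroup tfipsec authentication-server new_TACACS+
"""

# Hypothetical patterns for the three statement shapes shown in the post.
PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+) ")
REF_RES = (
    re.compile(r"^aaa (?:authentication|authorization|accounting) .* (\S+)$"),
    re.compile(r"^vpngroup \S+ authentication-server (\S+)$"),
)

def audit_aaa(config: str, old_ip: str) -> dict:
    """Map each aaa-server group to its protocol and hosts, collect every
    command that references a group, and report the migration-relevant facts."""
    protos, hosts, refs = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := PROTO_RE.match(line):
            protos[m.group(1)] = m.group(2)
        elif m := HOST_RE.match(line):
            hosts.setdefault(m.group(1), []).append(m.group(2))
        else:
            for rx in REF_RES:
                if m := rx.match(line):
                    refs.setdefault(m.group(1), []).append(line)
    return {
        # referenced by a command but has no host: authentication cannot succeed
        "referenced_without_host": sorted(
            g for g in refs if protos.get(g) != "local" and not hosts.get(g)),
        # still carries the decommissioned ACS address
        "still_on_old_ip": sorted(g for g, h in hosts.items() if old_ip in h),
        # old-ACS groups nothing references any more: candidates for cleanup
        "unreferenced_old": sorted(
            g for g, h in hosts.items() if old_ip in h and g not in refs),
    }
```

Run against the sample, `audit_aaa(PIX_CONFIG, "192.168.169.21")` reports `TACACS+` as both still on the old IP and unreferenced, which is what makes it safe to remove once the new group is confirmed working.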

What is in the authen failure code column of the failed attempts report in ACS?

That is the problem. Nothing is being written to the logs. GRRRRR!!!! Cisco has informed me they have never seen this problem before.

OK, try setting the service logging level to max.

After that try a test authentication, then look in the CSRadius & CSAuth service log files for errors.

Errors have an "E" in the message type field.

There should be a clue there somewhere.