I have been informed that I am to move the ACS 3.3 from one server to another. So I have some basic questions.
1) I am going to do a fresh install and then would like to copy the existing files to the new server.
2) If I can copy all of the files (I feel that I should be able to) what executables do I need to run in order to get ACS running? If the files are copied all of the settings should be in place, correct?
3) I do believe I only need to change one line of config on the PIX. It is the only line of config I can find related to the IP of the ACS server. Here is the line: aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! timeout 10
I am assuming that is the line that needs to be changed on the firewall?
I would like to make this change as seamless as possible. I think I am on the right track but just want to make sure.
Ok, the thing to do is to create an ACS Backup on the existing server.
Then restore the backup onto the new server.
There's one slight issue with this, in the registry there is always a host entry for the ACS server itself. After doing the restore, in the network config, you'll see an entry for the original ACS server - this one can be deleted.
Let me make sure about this. So you are saying I DON'T need to do an install at all. Just do a backup/restore and copy those files to the new server? Or do I still need to do an install and then restore the backup to the new server? What do you think about that config change? I am correct about that, I do believe. This sounds pretty easy.
I'll let you know.
Thanks for your help so far. I went ahead and set up the new ACS server. It was very easy and presented no problems at all. However, when I point the firewall to the new ACS server I get 403 errors. The users aren't authenticating. The ACS and PIX are communicating properly. However, authentication is not occurring. One thing I noticed on the new ACS server is that the failed authentication reports (or any reports) are being written to.
Have you run into that problem before? I believe if the information will write to the reports, the problem will be solved.
I am getting a Reason 413. I have pasted a portion of the config below. The new_TACACS+ is the server I am trying to point to. As you can see, the VPNGROUP is pointing to the new ACS but nothing authenticates. The logging still occurs in the old ACS. Should I just remove the old ACS config??
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server new_TACACS+ protocol tacacs+
aaa-server new_TACACS+ max-failed-attempts 3
aaa-server new_TACACS+ deadtime 10
aaa-server new_TACACS+ (inside) host 192.168.172.11 $$TF_acs! timeout 10
aaa accounting match ACCOUNTING outside new_TACACS+
aaa accounting match ACCOUNTING inside new_TACACS+
vpngroup tfipsec address-pool ipsecpool
vpngroup tfipsec dns-server 192.168.172.11 192.168.169.20
vpngroup tfipsec default-domain travelfocus.com
vpngroup tfipsec split-tunnel vpn_in
vpngroup tfipsec idle-time 1800
vpngroup tfipsec authentication-server new_TACACS+
vpngroup tfipsec user-authentication
vpngroup tfipsec password ********
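Before removing the old aaa-server group, it helps to confirm that nothing on the firewall still references it and that every consumer (accounting, vpngroup authentication) points at a group whose host entry is the new ACS. The script below is an added example, not something from this thread or from Cisco. It parses the PIX 6.x-style `aaa-server`, `aaa accounting/authentication/authorization` and `vpngroup ... authentication-server` lines with regular expressions written against the forms quoted above (the shared key is replaced by a constructed placeholder), and reports groups that are referenced but still point at the old ACS address, groups that are referenced but undefined or host-less, and defined groups that nothing uses any more.

```python
import re
from typing import Dict, List

# Constructed sample: the aaa-server / vpngroup lines quoted in the thread,
# with the TACACS+ shared key replaced by a placeholder.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.168.169.21 <key> timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server new_TACACS+ protocol tacacs+
aaa-server new_TACACS+ max-failed-attempts 3
aaa-server new_TACACS+ deadtime 10
aaa-server new_TACACS+ (inside) host 192.168.172.11 <key> timeout 10
aaa accounting match ACCOUNTING outside new_TACACS+
aaa accounting match ACCOUNTING inside new_TACACS+
vpngroup tfipsec authentication-server new_TACACS+
vpngroup tfipsec user-authentication
"""

# Assumed line shapes (PIX 6.x syntax as shown in the thread).
PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+) \S+(?: timeout (\d+))?$")
# For aaa authentication/authorization/accounting the group tag is the last token.
AAA_REF_RE = re.compile(r"^aaa (?:authentication|authorization|accounting) .*\s(\S+)$")
VPN_REF_RE = re.compile(r"^vpngroup \S+ authentication-server (\S+)$")


def parse_aaa_servers(config: str) -> Dict[str, dict]:
    """Map each aaa-server tag to its protocol and (interface, ip, timeout) hosts."""
    groups: Dict[str, dict] = {}
    for line in config.splitlines():
        line = line.strip()
        m = PROTO_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})["protocol"] = m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            tag, iface, ip, timeout = m.groups()
            entry = groups.setdefault(tag, {"protocol": None, "hosts": []})
            entry["hosts"].append((iface, ip, int(timeout) if timeout else None))
    return groups


def find_references(config: str) -> Dict[str, List[str]]:
    """Map each aaa-server tag to the config lines that consume it."""
    refs: Dict[str, List[str]] = {}
    for line in config.splitlines():
        line = line.strip()
        m = AAA_REF_RE.match(line) or VPN_REF_RE.match(line)
        if m:
            refs.setdefault(m.group(1), []).append(line)
    return refs


def audit(config: str, old_ip: str) -> List[dict]:
    """Flag references that still resolve to old_ip, dangling references, and unused groups."""
    groups = parse_aaa_servers(config)
    refs = find_references(config)
    findings: List[dict] = []
    for tag, lines in refs.items():
        g = groups.get(tag)
        if g is None:
            findings.append({"level": "error", "tag": tag,
                             "msg": f"referenced by {len(lines)} line(s) but never defined"})
            continue
        if g["protocol"] != "local" and not g["hosts"]:
            findings.append({"level": "error", "tag": tag, "msg": "referenced but has no host entry"})
        for iface, ip, _ in g["hosts"]:
            if ip == old_ip:
                findings.append({"level": "error", "tag": tag,
                                 "msg": f"still points at old server {ip} ({iface})"})
    for tag, g in groups.items():
        if tag not in refs and g["hosts"]:
            ips = ", ".join(ip for _, ip, _ in g["hosts"])
            findings.append({"level": "info", "tag": tag,
                             "msg": f"defines host(s) {ips} but nothing references it; candidate for removal"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, "192.168.169.21"):
        print(f"[{f['level']}] {f['tag']}: {f['msg']}")
```

Run against the lines quoted above, the only finding is an info entry for the old `TACACS+` group: it still defines host 192.168.169.21 but nothing references it, which is the state you want before deleting it. If a `vpngroup` or `aaa` line still named `TACACS+`, the same run would report an error for that group. The script only sees the lines it is given, so paste the full `show run` output, not just the excerpt, and note that it says nothing about why the old ACS still receives traffic; it only confirms the firewall side is consistent.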
That is the problem. Nothing is being written to the logs. GRRRRR!!!! Cisco has informed me they have never seen this problem before.
OK, try setting the service logging level to max.
After that try a test authentication, then look in the CSRadius & CSAuth service log files for errors.
Errors have an "E" in the message type field.
There should be a clue there somewhere.