Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Moving ACS to a new server

I have been informed that I am to move the ACS 3.3 from one server to another. So I have some basic questions.

1) I am going to do a fresh install and then would like to copy the existing files to the new server.

2) If I can copy all of the files (I feel that I should be able to) what executables do I need to run in order to get ACS running? If the files are copied all of the settings should be in place, correct?

3) I do believe I only need to change onle line of config on the PIX. It is the only line of config I can find related to the IP of the ACS server. Here is the line: aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! time out 10

I am assuming that is the line that needs to be changed on the firewall?

I would like to make this cahnge as seamless as possible. I think I am on the right track but just want to make sure.

Thanks,

Scott

9 REPLIES
Silver

Re: Moving ACS to a new server

Ok, the thing to do is to create an ACS Backup on the existing server.

Then restore the backup onto the new server.

There's one slight issue with this, in the registry there is always a host entry for the ACS server itself. After doing the restore, in the network config, you'll see an entry for the original ACS server - this one can be deleted.

Darran

New Member

Re: Moving ACS to a new server

Let me make sure about this. So you are saying i DON'T need to do an install at all. Just do a backup/restore and copy those files to the new server? Or do I still need to do an install and then restore the backup to the new server? What do you think about that config change? I am correct about that, I do beleive. This sounds pretty easy.

I'll let you know.

Thanks.

Silver

Re: Moving ACS to a new server

You definately need to do another install... otherwise you wont have anything onto which you can restore your config!

New Member

Re: Moving ACS to a new server

darpotter,

Thanks for your help so far. I went ahead and setup the new ACS server. It was very easy and presented no problems at all. However, When I point the firewall to the new ACS server I get 403 errors. The users aren't authenticating. The ACS and PIX are communicationg properly. However authentication is not occuring. One thing I noticed on the new ACS server is that the failed authentication reoprts (or any reports)are being written to.

Have you run into that problem before? I believe if the informatio will write to the reports, the problem will be solved.

Silver

Re: Moving ACS to a new server

Hi

whats in the failed attempts report?

New Member

Re: Moving ACS to a new server

I am getting a Reason 413. I have pasted a portion of the config below. The new_TACACS+ is the server I am trying to point to. As you can see, the VPNGROUP is pointing to the new ACS but nothing authenticates. The logging still occurs in the old ACS. Should I just remove the old ACS config??

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! timeout 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server new_TACACS+ protocol tacacs+

aaa-server new_TACACS+ max-failed-attempts 3

aaa-server new_TACACS+ deadtime 10

aaa-server new_TACACS+ (inside) host 192.168.172.11 $$TF_acs! timeout 10

aaa accounting match ACCOUNTING outside new_TACACS+

aaa accounting match ACCOUNTING inside new_TACACS+

vpngroup tfipsec address-pool ipsecpool

vpngroup tfipsec dns-server 192.168.172.11 192.168.169.20

vpngroup tfipsec default-domain travelfocus.com

vpngroup tfipsec split-tunnel vpn_in

vpngroup tfipsec idle-time 1800

vpngroup tfipsec authentication-server new_TACACS+

vpngroup tfipsec user-authentication

vpngroup tfipsec password ********

Silver

Re: Moving ACS to a new server

What is in the authen failure code column of the failed attempts report in ACS?

New Member

Re: Moving ACS to a new server

That is the problem. Nothing is being written to the logs. GRRRRR!!!! Cisco has informed me they have never seen this problem before.

Silver

Re: Moving ACS to a new server

OK, try setting the service logging level to max.

After that try a test authentication, then look in the CSRadius & CSAuth service logs files for errors.

Errors have an "E" in the message type field.

There should be a clue there somewhere.

419
Views
0
Helpful
9
Replies
CreatePlease login to create content