Cisco Support Community

New Member

User Password Not Replicated during ACS Replication

I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate user and group database to another ACS. Replication interval time is set to 15 mins.

The problem is that even though the replication cycle runs every 15 mins, if no user is added or deleted, the pre-checks determine that outbound replication is not required and the cycle is completed. Hence, if a user's password changes, it is not replicated to the other ACS, and if the authentication request goes to the other ACS, it fails. Manual replication is fine.

How can I make sure replication is run when a user password changes, and not just when a user is added or removed?

8 REPLIES

Re: User Password Not Replicated during ACS Replication

Hi,

You can force replication to occur upon password change.

In the ACS GUI, go to System Configuration > Local Password Management > Remote Change Password > Enable "Upon remote user password change, immediately propagate the change to selected replication partners"

Let me know if that helps!

Regards,

Jagdeep

New Member

Re: User Password Not Replicated during ACS Replication

I have tested that but that option is only available for:

"Note: This setting only applies to passwords changed using a User-Changeable Passwords HTML interface, CiscoSecure Authentication Agent, or a Telnet session on a TACACS+ device."

Any other idea why it is not doing it or how to do it?

Re: User Password Not Replicated during ACS Replication

Hi,

What is the ACS version? Where are the user accounts you are referring to stored? I.e., are they local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?

Users defined via Active Directory are dynamically mapped to a user account in ACS and this account information is typically not replicated since the users created are dynamic and can change properties based on configuration/changes in Active Directory itself.

Regards,

Jagdeep

New Member

Re: User Password Not Replicated during ACS Replication

The users are local to Cisco ACS itself. However, the password is changed on the provisioning system, that in turn changes the password in Cisco ACS.

New Member

Re: User Password Not Replicated during ACS Replication

ACS version 4.0(27)

Re: User Password Not Replicated during ACS Replication

Hi,

I'm not sure what you mean by "password is changed on the provisioning system"?

Regards,

New Member

Re: User Password Not Replicated during ACS Replication

We are using Tivoli Identity Manager. The TIM agent installed on the ACS uses the RDBMS feature to modify/add/delete accounts.

Re: User Password Not Replicated during ACS Replication

Hi,

I would suggest you try it without using TIM and see if passwords are getting replicated.

If it does, then it seems to be some compatibility issue between TIM and ACS.

Let me know the outcome.

Regards,
