ACS primary to AD

ACS primary can join AD but ACS secondary cannot join AD.
ACS 5.5 is already deployed and the status is updated for primary and secondary. The ACS primary can join AD but the ACS secondary cannot join AD. If the ACS secondary is forced to join AD directly, it joins normally.
Please help investigate.
Thank you
Parinya K

That sounds like the option is not enabled under the EAP-FAST config. You should be able to enable it and test.
As for the PAC, that comes from the ACS not the WLC, so you shouldn't be prompted for a new PAC.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered

Similar Messages

  • ACS primary/ secondary config

    we have 4 ACS in the system: 
    +) In HQ, we have 2 ACS: 1 primary and 1 secondary ACS
    +) In Branch office, we have 2 secondary ACS
    Suppose the Primary fails: could one of the secondary ACSs automatically become primary so all other ACSs can continue replicating from that one?
    If not, when the primary fails, do we have to go to each secondary and deregister, then choose one of the 3 ACSs as primary and register to that one?
    Thanks
    Duyen.

    Hey Duyen,
    So you only care about replication, right?
    Unfortunately, if the primary fails in replication there is no way for any secondary to take the role of primary and replicate to others (this is in ACS 4.x only; I don't know about 5.x).
    So what you need to do is just what you mentioned: go to each ACS server, configure one of the secondaries as primary and configure the others to replicate from this new primary one.
    Regards,
    Amjad

  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I have many Cisco APs which are linked to 2 Cisco WLCs.
    On each WLC, I configured a primary and a secondary RADIUS server.
    The RADIUS servers are Cisco ACS 5.2.0.26 (patch 10).
    Primary and secondary ACS configurations are synchronized.
    There is no problem between the primary WLC and Cisco ACS (primary and secondary).
    When the secondary WLC requests the primary Cisco ACS, I get this error: "11036 The Message-Authenticator RADIUS attribute is invalid"
    The secondary WLC automatically contacts the secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized, so I should have the same error on both of them...
    Why does the primary ACS generate this error?
    Thanks for your help,
    Patrick

    Tarik Admani wrote:
    "Amjad, that is a good observation. Shouldn't 7.3 (which was recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup. Thanks, Tarik Admani"
    *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary); all the configuration can be replicated and synched to the other WLC (the secondary).
    The two WLCs in the HA must be on the same subnet, though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"
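    The error in this thread, 11036, is what a RADIUS server reports when it cannot reproduce the Message-Authenticator attribute (attribute 80, RFC 2869 section 5.14): an HMAC-MD5 over the whole packet, keyed with the shared secret, computed with the attribute's own 16 value bytes zeroed. The script below is an added example, not code from this thread or from Cisco; it builds an Access-Request with a valid Message-Authenticator and then verifies it the way a server would, so you can see that a shared secret mismatch on the server side (here a constructed "typo" secret) is enough to produce this exact failure while every other field is identical. The client name, NAS address and secrets are constructed sample values.

```python
"""Reproduce why a RADIUS server rejects a packet with error 11036.

Message-Authenticator (attribute 80, RFC 2869 s5.14) is HMAC-MD5 over the
entire packet, keyed with the client's shared secret, with the attribute's
16 value bytes set to zero during the computation.  A server holding a
different secret for that client cannot reproduce it and rejects the packet.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_access_request(identifier, secret, attrs, authenticator=None):
    """Build an Access-Request carrying a valid Message-Authenticator.

    The HMAC is computed with the 16 attribute bytes zeroed and then written
    back in place.  `authenticator` may be fixed for reproducible tests; a
    real client fills it with 16 random bytes.
    """
    if authenticator is None:
        authenticator = os.urandom(16)
    body = _encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # Message-Authenticator was appended last, so its value is the final 16 bytes.
    return packet[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Return True when the Message-Authenticator validates under `secret`.

    Returns False for a wrong secret, a modified packet, a bad length field,
    malformed or duplicate attributes, or a missing Message-Authenticator.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, ma_offset = HEADER_LEN, None
    while pos < length:
        if pos + 2 > length:
            return False
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18 or ma_offset is not None:
                return False
            ma_offset = pos + 2
        pos += alen
    if ma_offset is None:
        return False
    received = packet[ma_offset:ma_offset + 16]
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def server_verdict(packet, secret):
    """Map the check onto the message ACS shows in its authentication report."""
    if verify_message_authenticator(packet, secret):
        return "Message-Authenticator OK"
    return "11036 The Message-Authenticator RADIUS attribute is invalid"


if __name__ == "__main__":
    # Constructed sample: a WLC sends an Access-Request using secret "wlc-secret".
    request = build_access_request(
        identifier=42,
        secret=b"wlc-secret",
        attrs=[(ATTR_USER_NAME, b"ap-office-01"),
               (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))],
    )
    # The secondary ACS holds the matching secret for this client entry;
    # the primary holds a mistyped one (constructed to show the mismatch).
    print("secondary ACS:", server_verdict(request, b"wlc-secret"))
    print("primary ACS:  ", server_verdict(request, b"wlc-secert"))
```

    Because the secret is never sent on the wire, the only way to tell "wrong secret on the server" from "packet altered in transit" is to compare the network device entry (address and secret) on the server that fails against the one on the server that works; in the thread above, two synchronized servers giving different results points at a per-client entry that differs, such as a second WLC address matching a different network device entry on the primary.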

  • ACS version 3.3

    Hi, in our environment we have Cisco ACS v3.3 on Windows 2003 and are trying to upgrade it to ACS v4.1.4, but we found that the data replication from v3.3 to v4.1.4 is causing an issue.
    Please let us know if there is a way to do data replication between these different code versions.
    thanks
    Gopinath V

    Hi Gopinath,
    For replication process, the primary & secondary servers should be in same version.
    Kindly upgrade primary & secondary to 4.1.4 and initiate the replication.
    Snippets from User Guide:
    "All ACSs that are involved in replication must run the same release of the ACS software. For example,
    if the primary ACS is running ACS version 3.2, all secondary ACSs should be running ACS version 3.2.
    Because patch releases can introduce significant changes to the ACS internal database, we strongly
    recommend that ACSs involved in replication use the same patch level."
    If both ACSs (primary & secondary) are on the same version and you are still facing some issues, let me know.
    Thanks,
    Srividhya

  • WCS question

    Guys, currently we have one ACS server for all wireless authentication. We are putting in another one for redundancy, and I will be configuring replication from primary to secondary. While I was surfing around in WCS I noticed that when adding another authentication server it asked about a shared secret. Now, where can I find that in ACS, or should I copy and paste the existing one from the primary ACS? Guys, I am stuck, please help me.

    Thanks for your prompt reply. Now I will explain a bit more, as reading the doco didn't solve my problem. The WCS server which I connect to through the web has all the access points from the country's offices listed, so it has a list. They all authenticate via the primary ACS, which authenticates them against Windows AD. Now I went to the primary ACS server: all the access points are listed, but the server address from which I can add things for all access points is not there, so I guess it is a management server. Now I will be putting in a redundant ACS. I have already installed the server and, as recommended by Cisco, I have already pinged all the access points across and it works. Now when I do replication I will get all the info from the primary ACS server. I am thinking (please correct me if I am wrong) that I will add the secondary ACS to the authentication server list in WCS and apply it to all of the wireless access points. Am I right or wrong? There, when I was making a second template, it asked about a password and shared secret. What should I put in? Should I copy from the primary ACS, which is already present in WCS, and paste it into the secondary as well? I am confused about this, please help me out. Thanks.

  • Cisco ACS register to primary with different acs versions

    Hello, I've updated a backup unit of two ACSs to version 5.4.0.46.0a. First I changed it to standalone, and now I am trying to register it to the main ACS, which is running version 5.1.0.44.2.
    And I get this error:
    This System Failure occurred:  com.cisco.nm.acs.im.certificate.Certificate; local class incompatible: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved.Click OK to return to the list page.
    What can I do to solve it?
    Kind regards

    The primary and secondary should be running on the same code.
    Jatin Katyal
    - Do rate helpful posts -

  • Register Secondary ACS with Primary ACS 5.4 patch 6 and getting error

    Scenario #1:
    prodacs1 and prodacs2 version 5.4 patch 6 with IP address of 10.1.1.1/24 and 10.1.1.2/24, respectively.  
    Both prodacs1 and prodacs2 are running on VMWare ESXi 5.1.  Both are sync'ed with Active Directory
    and authenticate users to manage Cisco routers and switches without any issues.  prodacs1 is the Primary
    and prodacs2 is the Secondary.  BOTH prodacs1 and prodacs2 USE THE SAME LICENSE.  Both prodacs1 and
    prodacs2 are resolved in DNS for both forward and reverse lookup.  In this production environment, everything is working as expected.
    Scenario #2:  NEW deployment in the lab
    labacs1 and labacs2 version 5.4 patch 6 with IP address of 192.168.1.1/24 and 192.168.1.2/24, respectively.
    Both labacs1 and labacs2 are running on VMWare ESXi 5.1.  Both are sync'ed with Active Directory.  BOTH
    labacs1 and labacs2 USE THE SAME LICENSE as scenario #1.  Both labacs1 and labacs2 are resolved in DNS for both
    forward and reverse lookup.
    However, when I tried to add labacs2 into labacs1 so that labacs2 is the secondary and labacs1 to be the
    primary.  From labacs2 interface: System Administration >Operations >Local Operations >Deployment Operations,
    I enter the hostname/IP address, username/password of labacs1, then I click on "Register with Primary", I get
    this message:
    This System Failure occurred:  server cannot be added to the deployment.
    Server has same License ID as server labacs1 that already exists in the deployment.
    Your changes have not been saved.Click OK to return to the list page.
    Why is it not working? Furthermore, why is it working in one environment but not the other with the same
    identical ACS version & patch? It works in the production environment but not the other.
    Has anyone run into this before? How do you fix this?

    What type of license are you using in first deployment?
    There are two types of licenses:
    Base license - Install a unique base license for each of the ACS secondary servers in the deployment.
    Large Deployment add-on license - It allows a deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment, as it is shared by all instances
    Please check which type of license you are running in your deployment.
    In order to fix the issue in your 2nd deployment you need to reset the application config on your secondary, install the new unique base license (based on show udi) and register it to the primary node to get the configuration replicated.
    Regards,
    Jatin Katyal
    **Do rate helpful posts**

  • Secondary ACS 5.1 fails to Deregister, after IP change on Primary

    IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
    Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload, apparently because it cannot reach the Primary at its old IP address.
    Requesting Deregister in the GUI generates a pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation please wait five minutes for this restart to complete. Do you wish to contine?" [ OK ]
    But, checking back after 10 minutes, or even the next day, finds the Secondary's status unchanged.
    Also tried Local Mode, Deregister from Primary; this also fails.
    Does anyone have HOWTO URL on a total rebuild of ACS application?  
    Both ACS are CACS-1121-K9   running 5.1.0.44.4.
    Thanks in advance for any help...
    ***  UPDATE:  ***
    Recommended command, "application reset-config acs", was _exactly_ what was needed.
    jrabinow - many thanks! :-)
    Also, thank you for mentioning that the license would be required, so that I could locate it in advance and have it ready.
    Since there were no local certs on the server, we did not need to re-install those.

    Since this is a secondary it should not have too much in terms of specific configuration.
    Therefore one possibility is to reset the configuration so it once again becomes just a standalone node, and then register it back to the deployment as is done for any new node and as you previously registered it.
    The configuration reset can be done using the following command at the CLI:
    application reset-config acs
    Note that after you reset the configuration you will need to reinstall the license, so make sure you have this to hand.
    Also, if you have installed a server certificate for the secondary server, you would need that too.

  • Unable to login to Switch & Router through secondary Acs ,when primary ACS is down.

    Dear All,
    I have configured a primary ACS in the DC data center and a secondary ACS in the DR data center. I have configured replication, and it is working well, but when we bring down the primary ACS we are unable to log in to switches and routers through the secondary ACS. I have a dedicated link between the core DC switch and the core DR switch through which all traffic is getting replicated. All user and management VLANs are created in the FWSM firewall. Kindly help.
    Regards
    Amit Kulshrestha

    Hi Bro
    I'm assuming you've configured your ACS correctly and the Cisco network devices correctly. Perhaps this could be a bug. The reason I say this is because last week I was implementing 2 units of Cisco ACS 1121 v5.3 (in HA mode) for a client, and I had similar issues myself. When I brought down the primary ACS, I was unable to log in to my network devices, even though my secondary ACS was UP and pingable from all network devices.
    Hence, I downloaded and applied the latest cumulative patch from the CCO website, 5-3-0-40-4.tar.gpg (Release Date: 27/May/2012), and my problem was solved.
    Perhaps your ACS version isn't 5.3, but the moral of the story here is that maybe patching is required in your case!
    Please do let me know the outcome. May the force be with you, bro!

  • Configuring ACS (windows) primary on new server

    We have primary and secondary ACS servers. Suddenly replication between primary and secondary is not happening. I am unable to troubleshoot this, so we have decided to install and configure ACS freshly. But almost 350 devices are configured in network device groups; reconfiguring the entire network database is difficult and time consuming.
    Is there any method to copy the NDGs to new server.
    help will be greatly appreciated.

    Can be done via RDBMS,
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html#wp756877
    Let me know if you have any question.
    Regards,
    ~JG
    Do rate helpful posts

  • Installing single SSL certificate on primary/secondary ACS boxes

    I am trying to install the same SSL certificate I have installed on my primary ACS on my secondary ACS. I have replication configured and working between the two. The primary is the ACS appliance. The secondary is windows v3.3. The problem is the secondary ACS does not know about the private key file created during the CSR so I get an error when I try to install the certificate. So, what do I have to do to get around this? Obviously the certificate information is not copied over during replication. Is there a way to import it over manually?
    Can I install the same certificate or do I need to do a separate CSR and install a separate certificate?

    Yes, you can use the same cert for both ACSs. On the appliance, download the cert and pvk file to your FTP root.
    Move both files to the Windows ACS and upload the cert and pvk file. Retype the private key (you need to remember it).
    On Windows ACS ---> Install new cert ---> use Read certificate from file ---> put the location of the cert, like D:\Jar.cer
    Give the location of the private key file ---> D:\prv.pvk ---> Type the private key ---> Submit.
    Regards,
    ~JG
    Do rate helpful posts

  • Primary Cisco ACS - Invalid Administration Connection

    Is it possible to change Access Policy from command line?

    The access policy can't be modified from the CLI. This could be a computer-specific issue. Have you tried accessing the ACS GUI page from different machines?
    If it's a machine-specific issue then you may check a few things:
    If we are using a proxy server then make sure that the proxy server's IP address is allowed; check the proxy server settings from:
    Pull up a web browser > Tools > Internet Options > Connections > LAN Settings
    Make sure that we have Java installed, and also go to Control Panel > choose Java > Network Settings > and make sure it's using the browser settings.
    Also, if it's working from other machines, I would suggest you use the HTTP port allocation feature to configure the range of TCP ports
    that ACS uses for administrative HTTP sessions.
    HTTP Port Allocation for Administrative Sessions:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/Overvw.html#wp821288
    Regards,
    JK
    Plz rate helpful posts-

  • ACS 5.3 - Error when changing Device group or Location

    I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox)
    This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
    it also gives me the same error if I try and change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMWARE install):
    Cisco Application Deployment Engine OS Release: 1.2
    ADE-OS Build Version: 1.2.0.228
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2009 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: ACS1
    Version information of installed applications
    Cisco ACS VERSION INFORMATION
    Version : 5.3.0.40
    Internal Build ID : B.839
    I'm suspecting it's a read/write issue with the database or a database corruption. Can anyone enlighten me on how to fix it, please?
    I have stopped and started the application acs via the console and show application status acs has the following to say about itself.
    ACS1/admin# show application status acs
    ACS role: PRIMARY
    Process 'database'                  running
    Process 'management'                running
    Process 'runtime'                   running
    Process 'view-database'             running
    Process 'view-jobmanager'           running
    Process 'view-alertmanager'         running
    Process 'view-collector'            running
    Process 'view-logprocessor'         running
    Mel

    Does this happen to a small number of network devices or the whole set?
    If the former, then I found the following CDETS:
    CSCtw59271    Random Network Device corruption after upgrade from ACS 5.2 to 5.3
    which includes the following workaround:
    Symptom 1: Delete and re-add the AAA client.
    Symptom 2: Modify the TACACS+ shared secret of the Network Device, re-enter the same key and save the Network Device.
    >>>> Use case where TACACS+ was used
    There are some important fixes related to upgrade issues in patch 5 and later for ACS 5.3. While these do not relate to NDs I do recommend installing this patch

  • ACS 5.3 - How to copy DB to a new instance of ACS 5.3

    I need to copy an existing ACS 5.3 database to another instance of ACS 5.3 that I've deployed.  I can't set up a primary/secondary between these two and do the deed via replication.  So it's going to have to be a export/import or a backup/restore.  I've been searching for days for a solution to what surely is a trivial task.
    Does anyone have any hints on how to do this?  Either the CLI or the GUI is fine with me.  I feel like an idiot...
    -drh

    Hello,
    You are not an idiot at all. This is a problem that I was facing myself (not the exact issue, but very similar).
    Now, I think there is no supported way to move the DB itself in the Cisco docs. There is a way where you can copy the DB files via FTP from the old machine and restore them on the new machine. That will need a root patch to have root access to both boxes.
    If you are authorized to open TAC cases then please do so directly, because they know better about the steps.
    But I am thinking about one thing: you can build your new ACS servers from scratch and put them up on the network, then remove the old machine. Keep the old machine up without putting it on the network so that you can access it when you need to.
    Let the new DB grow on the new server, and after a few months you can just remove the old machine because you don't want that DB anymore (if you are keeping the DB on the old machine and it was operational, the old data will be deleted anyway as per the retention period you configure on the ACS).
    So, I suggest (which is easier for you, if possible) keeping the old machine running with access to the DB, installing new servers and keeping their own DB. After the retention period passes and you don't want the old data anymore, just remove the machine.
    One other way (did not try it at all) is to take a full View DB backup from the old machine and then configure the same repository on the new machine. The full backup file may appear on the "Restore" page where you can choose it and restore (I am not sure if the old and new machines need to have the same hostname for the file to appear; try it anyway, it may work).
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • ACS 5.3 not processing changes

    Hello,
    We have Cisco ACS 5.3 and it was set up with all the rules, users, groups etc and it worked really well from the get go. The problem we are having now is that since we've set it up, not much changes need to be made often and when we do try to make a change, ACS seems to not be recognizing the change.
    Under : (Access Policies > Access Services > Default Device Admin sdsff> Authorization) 
    I've created a new rule to allow a new group of users to access a specific device type and ACS is not showing any hits to the counter. I've had a similar error before and restarting the box solved it but I would really not want to think that each time we need to make a change I'll have to restart the box. All the processes are running.
    ACS01/admin# show application status acs
    ACS role: PRIMARY
    Process 'database'                  running
    Process 'management'                running
    Process 'runtime'                   running
    Process 'view-database'             running
    Process 'view-jobmanager'           running
    Process 'view-alertmanager'         running
    Process 'view-collector'            running
    Process 'view-logprocessor'         running
    Is there anyone experiencing a similar error or knows how I can fix it?

    Hi Alain,
    Did you try an LDAP browser, to see if you have access with your internal user to your AD?
    Maybe your user is not assigned as well in your AD?
    We had the same problem in our lab, you know.
    http://www.ldapbrowser.com/
    Success
