ACS RDBMS issue

Hello guys,
Actually I was happy to find the RDBMS function in AAA to get my hundreds of AAA clients into the database, but now I am stuck with a problem.
I would like to summarize some AAA devices in one AAA entry, which means it will have several IP addresses inside.
According to the RDBMS function I can only add one IP address per CSV line. Is there no workaround to push more into the AAA entry without adding them manually?
If I try using several CSV lines with the same name but different IPs, I just get an error.
Thanks for your help!

You cannot use several IPs in one AAA client entry, but you have the following options:
1. You can define an NDG ("network device group") and put the same type of AAA client into the group.
Or:
2. You can use a wildcard asterisk or an IP range to include multiple IP addresses in one AAA client, like 10.1.1.* or 10.1.1.1-10.1.1.100.
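As an added example (not code from the thread or from Cisco), the following Python helper turns a device's list of addresses into the single-entry forms the answer describes: a contiguous block becomes the range form quoted above (10.1.1.1-10.1.1.100), and a list that really fills a whole /24 becomes the wildcard form (10.1.1.*). Anything non-contiguous comes back as several expressions, each of which needs its own AAA client entry (which you would then collect under one NDG). It assumes, as labelled in the comments, that ACS treats the wildcard as every host in that /24, so the wildcard is only emitted when the device list covers .1 through .254; a wildcard that is wider than the devices you actually have makes the shared secret valid for sources you never listed.

```python
import ipaddress
from typing import Dict, List


def _wildcard(net: ipaddress.IPv4Network) -> str:
    # 10.1.1.0/24 -> "10.1.1.*" (the wildcard form from the answer above)
    return str(net.network_address).rsplit(".", 1)[0] + ".*"


def _run_expr(run: List[ipaddress.IPv4Address]) -> str:
    # A single address stays a plain address; a contiguous run becomes
    # first-last, the range form quoted in the answer (10.1.1.1-10.1.1.100).
    return str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}"


def plan_aaa_client_entries(ips: List[str]) -> List[str]:
    """Return the smallest list of AAA client IP expressions covering `ips`.

    Each returned string is one AAA client entry: a plain address, a range
    a-b, or a /24 wildcard. Addresses in different /24s never share an entry,
    matching the examples in the answer (both forms stay inside one /24).
    """
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in ips})
    if not addrs:
        raise ValueError("no device addresses given")

    # Group the addresses by their /24 so ranges never straddle a subnet.
    by_net: Dict[ipaddress.IPv4Network, List[ipaddress.IPv4Address]] = {}
    for a in addrs:
        by_net.setdefault(ipaddress.ip_network(f"{a}/24", strict=False), []).append(a)

    entries: List[str] = []
    for net in sorted(by_net):
        hosts = by_net[net]
        # Assumption: ACS treats 10.1.1.* as every address in that /24, so the
        # wildcard is only emitted when the device list fills .1-.254; anything
        # narrower gets a range, so the entry matches no unlisted sources.
        if len(hosts) == 254 and hosts[0] == net[1] and hosts[-1] == net[254]:
            entries.append(_wildcard(net))
            continue
        run = [hosts[0]]
        for a in hosts[1:]:
            if int(a) == int(run[-1]) + 1:      # still contiguous, extend the run
                run.append(a)
            else:                               # gap: close this entry, start another
                entries.append(_run_expr(run))
                run = [a]
        entries.append(_run_expr(run))
    return entries


if __name__ == "__main__":
    # Constructed device list: one contiguous block plus a stray host in another /24.
    devices = ["10.1.1.3", "10.1.1.1", "10.1.1.2", "10.1.2.7"]
    for expr in plan_aaa_client_entries(devices):
        print("AAA client entry:", expr)   # 10.1.1.1-10.1.1.3 and 10.1.2.7
```

Feed the function the addresses of the devices you wanted to put in one CSV line; the number of strings it returns is the number of CSV lines (one AAA client each) you actually need, and the NDG from option 1 is what then lets you treat them as a unit.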

Similar Messages

  • ACS replication issue on VMware ESX 3.5

    I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?
    Thanks.

    Hi,
    I see that you are getting "shared secret mismatch error" under database replication logs. Just wanted to inform you that this is not because of nat'ed device. This happens when we have different keys for AAA servers on primary and secondary ACS.
    The primary server must be configured as an AAA server and must have a key.
    The secondary server must have the primary server configured as an AAA
    server and its key for the primary server must match the primary servers own
    key. The shared secret key should be same on the both the ACS's.
    I am sending you one link for Setting Up Replication for Cisco Secure ACS, I
    am sure this example with screen shots gives you better understanding.
    Please visit the below suggested ULR:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration
    _example09186a00800e518a.shtml
    If that doesn't resolve the issue, please let me know if you see any server with this ip address 127.0.0.1.
    HTH
    JK
    -Plz rate helpful posts-

  • 802.1x - ACS authentication issue.....

    I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
    In the controller we have an SSID called triton, which is our corporate SSID that all internal users connect to. Three different interfaces have been defined: a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is that those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
    Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate first and therefore execute the login script.
    Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates, before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, whereas the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user, and the IP address ends up in the wrong VLAN.
    Please help. I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.

    Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is, then.
    The topology that I know of is this: a single 4.1 ACS appliance and a single 4400 controller with approximately 35 LWAPPs. In the past ONLY user authentication was being used, which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue, but it worked and at the time we didn't notice any side effects. Although now we are seeing users end up in the wrong VLANs, and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication), which drops them into the default VLAN instead of the VLAN they should be in based upon AD group membership from ACS.
    I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the Windows supplicant. I'd like to do the same with Cisco.
    As far as I can tell, there is only a server side (ACS) certificate from Thawte that is used to authenticate.

  • Cisco secure ACS - RDBMS Rename a Group-

    Hi,
    I'm currently working with Cisco Secure ACS 3.1 and I'm trying to use RDBMS synchronisation with a CSV file. I created an accountactions.csv file in which I create a new user:
    1,0,TESTuser,,100,,,,,,0,,,0
    2,0,TESTuser,,102,,test,,,,0,,,0
    Until here, all is working fine. But now I would like to put this user into a group. This should be done with:
    3,0,TESTuser,Group 30,106,,,,,,0,,,0
    But I would like to know if it's possible to rename or create a group (e.g. rename Group 30 to Group TEST) directly in my CSV file?
    Thank you
    Regards
    Pascal TOURNIER

    Here is what I found works for renaming a default group, as you cannot create more groups beyond what is there.
    SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
    1,1,,Group 100,210,,BPM,,,,0,,,0
    2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
    3,3,,Group 102,210,,CISCO CNC,,,,0,,,0
    4,4,,Group 103,210,,CISCO NOS,,,,0,,,0
    5,5,,Group 104,210,,CTS,,,,0,,,0
    6,6,,Group 105,210,,DCI,,,,0,,,0
    Line 1: rename "Group 100" to the named group "BPM", using code 210 to perform the Action.
    Gerald
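As an added example, not code from this thread or from Cisco's RDBMS synchronization documentation: a small Python builder for accountActions.csv rows that uses only the column layout Gerald posted and the four action codes that appear in this thread (100 add user, 102 set password, 106 add user to group, 210 rename group), plus a validator for the mistakes that produce a sync error (wrong field count, unknown code, SequenceId not increasing, a code missing the UserName, GroupName or Value1 it needs). Both Priority conventions seen above are supported: Pascal's rows use 0, Gerald's set Priority equal to SequenceId.

```python
import csv
import io
from typing import List

# Column layout of accountActions.csv as posted above (14 fields).
HEADER = ["SequenceId", "Priority", "UserName", "GroupName", "Action", "ValueName",
          "Value1", "Value2", "Value3", "DateTime", "MessageNo", "ComputerNames",
          "AppId", "Status"]

# Action codes taken from the rows in this thread; other codes exist in the
# ACS documentation but are not assumed here.
ADD_USER = 100           # 1,0,TESTuser,,100,,,,,,0,,,0
SET_PASSWORD = 102       # 2,0,TESTuser,,102,,test,,,,0,,,0    (Value1 = password)
ADD_USER_TO_GROUP = 106  # 3,0,TESTuser,Group 30,106,,,,,,0,,,0
RENAME_GROUP = 210       # 1,1,,Group 100,210,,BPM,,,,0,,,0     (Value1 = new name)
KNOWN_ACTIONS = {ADD_USER, SET_PASSWORD, ADD_USER_TO_GROUP, RENAME_GROUP}


class AccountActions:
    """Builds rows with an increasing SequenceId so ACS applies them in order."""

    def __init__(self, sequential_priority: bool = False):
        self.rows: List[List[str]] = []
        self.sequential_priority = sequential_priority  # Gerald's file: Priority = SequenceId

    def _row(self, action: int, user: str = "", group: str = "", value1: str = ""):
        seq = len(self.rows) + 1
        priority = seq if self.sequential_priority else 0
        # DateTime empty, MessageNo 0, ComputerNames/AppId empty, Status 0, as in the thread.
        self.rows.append([str(seq), str(priority), user, group, str(action), "",
                          value1, "", "", "", "0", "", "", "0"])
        return self

    def add_user(self, user: str):
        return self._row(ADD_USER, user=user)

    def set_password(self, user: str, password: str):
        return self._row(SET_PASSWORD, user=user, value1=password)

    def add_user_to_group(self, user: str, group: str):
        return self._row(ADD_USER_TO_GROUP, user=user, group=group)

    def rename_group(self, group: str, new_name: str):
        return self._row(RENAME_GROUP, group=group, value1=new_name)

    def to_csv(self, with_header: bool = True) -> str:
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        if with_header:
            writer.writerow(HEADER)
        writer.writerows(self.rows)
        return buf.getvalue()


def validate_account_actions(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks consistent."""
    problems: List[str] = []
    last_seq = 0
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row == HEADER:
            continue
        if len(row) != len(HEADER):
            problems.append(f"line {n}: {len(row)} fields, expected {len(HEADER)}")
            continue
        rec = dict(zip(HEADER, row))
        try:
            seq, action = int(rec["SequenceId"]), int(rec["Action"])
        except ValueError:
            problems.append(f"line {n}: SequenceId and Action must be integers")
            continue
        if seq <= last_seq:
            problems.append(f"line {n}: SequenceId {seq} not increasing")
        last_seq = max(last_seq, seq)
        if action not in KNOWN_ACTIONS:
            problems.append(f"line {n}: unknown action code {action}")
        if action in (ADD_USER, SET_PASSWORD, ADD_USER_TO_GROUP) and not rec["UserName"]:
            problems.append(f"line {n}: action {action} needs UserName")
        if action in (ADD_USER_TO_GROUP, RENAME_GROUP) and not rec["GroupName"]:
            problems.append(f"line {n}: action {action} needs GroupName")
        if action in (SET_PASSWORD, RENAME_GROUP) and not rec["Value1"]:
            problems.append(f"line {n}: action {action} needs Value1")
    return problems


if __name__ == "__main__":
    # Reproduces Pascal's three rows, then checks them before handing the file to dbsync.
    acts = AccountActions().add_user("TESTuser").set_password("TESTuser", "test")
    acts.add_user_to_group("TESTuser", "Group 30")
    print(acts.to_csv(with_header=False), end="")
    print("problems:", validate_account_actions(acts.to_csv()))
```

Note that a code 102 row carries the password in clear text in Value1, so the generated file needs the same handling as any other credential file: restricted permissions while it waits for the sync and deletion once ACS has processed it.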

  • ACS RDBMS adding NDG with Shared Secret

    I have an ACS 4.2 on an SE 1113 and I am using RDBMS to add Network Device Groups. I am able to create the group, but I would like to set the Shared Secret for the group. I am using the action code 250 to add the group, but I cannot see a way to set the Secret. I can modify the Secret after creating the group using the GUI, but it would be better to do it all with RDBMS. Are there any other action codes that can be used on NDGs?
    Thank you.

    Per-NDG shared secrets came after NDG addition via dbsync. It looks like this has not been retrofitted to dbsync.
    This is quite typical as dbsync is the poor unloved child of ACS.

  • ACS Replication Issue

    Yesterday we had two ACS 4.0 servers installed on Windows 2000 Domain Controllers that were working great. ACS1 was the primary server and replication was configured to send to ACS2. ACS2 replication was configured to receive from ACS1.
    We lost ACS2 yesterday so I installed ACS 4 on a 2003 Domain Controller (ACS3). I installed ACS3, went into network configuration and added ACS1 as an AAA server.
    I then logged onto ACS1 and added ACS3 as an AAA server and configured ACS3 as a replication partner.
    It is not replicating - if I look at the log I get
    ERROR, ACS 'ACS3' has denied replication request
    I do not have the primary as a replication on the secondary.
    I have some screenshots of the configuration from ACS2 and I've duplicated everything I could (except for name and IP).
    Any ideas on what I can try next?

    I had what seems to be the same issue.
    In my case I have two ACS SE 1113 appliances, but the issue could still be the same with your Windows servers.
    The appliance has two NICs, and I had both of the NICs connected. Although the appliance only allows you to use the Primary NIC (the bottom one), ACS still detected the Secondary NIC and created an additional "AAA Server" entry under the "Network Configuration" tab called "self". You should only have one "self" entry in your AAA Server list, not two.
    Unfortunately I couldn't find a way to undo this. So I disconnected the Secondary NIC (the top one) and used the recovery CD to reload both of my ACS devices. Now everything works just fine.
    - Nate

  • ACS error issue

    Hi All,
    My customer is having a strange issue with his ACS.
    The current error is as follows:
    ShellProfile,12/03/2012,13:18:26:709,ERROR,3058101152,NIL-CONTEXT,DeviceAttrFactory::createAttrValue with marker = *,DeviceAttrFactory.cpp:29
    Also, when he tries to create a show run he gets the following error; however, the config does get created:
    % Error: acs manifest has no TAC information
    Before I run to the TAC, has anyone experienced this? I was not able to find anything on the net, not even a spam link.
    Absolutely 0.
    Thanks in advance,
    lancellot

    Aamir,
    I'm sure you've got this resolved; still, I'm adding my inputs in case someone else is facing the same issue.
    The reason why you're seeing this error message
    22043 Current Identity Store does not support the authentication method
    is because LDAP doesn't support PEAP-MSCHAPv2. It only supports PAP in non-EAP requests and EAP-TLS, EAP-GTC and PEAP-GTC in EAP requests.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889
    If you can't change the EAP flavor in your network, then you can migrate to Active Directory, as it supports PEAP-MSCHAPv2.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS RDBMS Synchronization

    I have been reviewing the ACS 4.0 documentation and want to know if there are any options available for synchronizing the DB using ODBC on the Solution Engine. Looking for something other than FTP, if available.

    Like Jeff said - not supported.
    The reason is that ODBC can require a third-party driver and the appliance is "hard".
    Although common ones could be loaded, there tend to be regular security vulnerabilities (especially in Jet) that would require constant patching/updating.
    Of course you can still manage DBSync in your own DB; you just need to export to CSV to get it actioned.

  • ACS CERTIFICATE ISSUE

    Hi,
    We have Cisco APs set up around our building. This is controlled by our WLC. We also have a Cisco ACS server set up. Some of our domain users are able to go to our customers' sites, which are on different domains, and are able to gain access to their own home domains by logging on with laptops. I know the customers' IT department is using RADIUS and Aruba Wireless.
    I have been asked if we can allow customers to come to our office and allow them to log onto their laptops, connect remotely through our wireless and let them connect to their domain.
    I believe this is possible through the ACS server. The ACS server would have the customer domain name configured under Users and Identity, RADIUS Identity Servers. The user would log in and authenticate and would be directed through a different VLAN to the customer AD.
    I have set up a test WAP on our WLC and logged in with a laptop running Windows 7 that does not belong to our domain. The ACS can see this but will not grant access. I believe that this is a certificate problem.
    Are there any settings that I may have missed, or can anyone shed any light or advice on this please?
    Thank you
    Regards

    Jayesh,
    You can use the RADIUS proxy feature in ACS. When the external users connect, you can build a rule such that "username ends with external.com" uses the RADIUS proxy server "A". You will need to build the proxy connection with their RADIUS server.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ACS UCP Issue

    I have ACS, IIS & UCP installed on the same Windows 2003 server. UCP was installed recently. The IIS configuration was done before the UCP installation.
    After installation I tried to access UCP via the URL http://localhost/secure/login.htm
    I get the login prompt. When I enter the username and password, I get a "page cannot be displayed" webpage. Please let me know the resolution for the same.

    I am running into the same situation.
    I have Windows 2003 running ACS version 4.0.1.
    The IIS server is running and serving web pages.
    ACS 4.0.1 and IIS run on the same server.
    I followed the instructions step by step in the release notes. When I type https://server/secure/login.htm, I can see the UCP page. However, after I type in the username and password, I get this:
    The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
    Please try the following:
    Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.
    If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.
    Click the Back button to try another link.
    HTTP Error 404 - File or directory not found.
    Internet Information Services (IIS)
    I gave EVERYONE FULL control of everything under c:\inetpub\wwwroot\. I am at a loss here; can someone help? The link provided above did not work for me either. The Windows 2003 machine is a stand-alone box.
    Thanks.

  • ACS performance issues

    Hi all,
    I wonder how to increase the performance of ACS reporting in our SCOM 2012. We have the reporting server installed on the management server and the ACS database on another server.
    When we try to open a report with ACS, it takes a long time even for one day, and exporting it takes too long with no luck.

    Hi,
    This is a very broad question and there is no easy answer.
    From a high-level view we are talking about at least three things:
    SQL DB Engine performance,
    Reporting Services performance,
    Query performance.
    You can find a lot of articles on this topic; here are just a few:
    SQL DB Engine
    http://blogs.msdn.com/b/indrajit/archive/2013/12/12/sql-server-database-engine-performance-tuning-basics.aspx
    SSRS
    http://blogs.msdn.com/b/sqlcat/archive/2013/10/30/reporting-services-performance-and-optimization.aspx
    http://technet.microsoft.com/en-us/library/bb522786.aspx
    http://www.sqlservercentral.com/Tags/Reporting+Services+(SSRS)/Performance+Tuning/
    http://www.mssqltips.com/sqlservertip/2328/sql-server-reporting-services-reports-performance-debugging-and-analysis/
    Regards,
    Ivan

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds returns me to the logon page with the error message "Authentication failed".
    I base my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I get event log ID 300:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct. In my case I was not adding the root properly; you must add the CA and the ADFS as well, which is twice. You can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
    cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
    cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • ACS 5.3 Dot1x for Wired/Wireless

    Hi Community,
    I have a query regarding ACS 5.3 installation. I have wired and wireless clients in my setup, with Nexus 5k and 45k switches and a WLC-5508. Also, we are using Microsoft AD to authenticate clients for network access.
    My questions are:
    1. Can we configure dot1x in this scenario to use password only (no certificates needed at all)? Or must we have certificates in order to configure it properly (like AD and ACS sync issues, etc.)?
    2. If yes, can someone point me to any good docs that can help?
    Regards,
    Hammad

    Hi Jatin,
    Thanks for the tips earlier. However, I installed ACS 5.4 and then configured the server from scratch.
    I am getting MAB as well as dot1x authentication. But for two different users I am getting two different results for dot1x; I'm wondering why this is happening. Is it an ACS/switch config issue or is it related to AD?
    I am finding that one user is getting perfectly authenticated while the other is showing "Authorization failed" yet is still able to access the network.
    #$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: ABC\shuser
                   Status: Authz Success
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
            Vlan Policy: N/A
                 ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010548A006AC
         Acct Session ID: 0x000007A4
                   Handle: 0xA1000106
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    CS01#
    CS01#
    CS01#$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: host/TESTPC01.sportshub.com.sg
                   Status: Authz Failed
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
             Vlan Policy: N/A
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010648A11C04
         Acct Session ID: 0x000007AD
                   Handle: 0x61000107
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    ================================
    SWITCH PORT CONFIG:
    int ten1/1/9
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    authentication host-mode multi-auth
    authentication violation restrict
    dot1x timeout tx-period 10
    dot1x timeout quiet-period 20
    authentication timer reauthenticate server
    dot1x max-reauth-req 3
    Regards,
    Hammad
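As an added example (not part of this thread), a small Python parser for the `show authentication sessions interface` output pasted above, with two checks aimed at the symptoms discussed here and in the 802.1x post earlier on this page: a session whose dot1x method reports Authc Success while the session Status is Authz Failed (credentials were accepted, so the authorization policy or group mapping for that identity kind is where to look), and a per-MAC view of which identity kinds an endpoint has presented, so an endpoint that only ever shows a host/ (machine) identity and never a user identity stands out. The sample text is constructed from the two snapshots in this post, trimmed to the fields the parser uses.

```python
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the two "show authentication sessions interface"
# snapshots pasted in this thread (same interface, MAC and identities).
SAMPLE = """\
CS01#show authentication sessions interface tenGigabitEthernet 1/1/12
            Interface: TenGigabitEthernet1/1/12
          MAC Address: 28d2.4421.109c
           IP Address: 10.160.193.100
            User-Name: ABC\\shuser
               Status: Authz Success
               Domain: DATA
        Authorized By: Authentication Server
          Vlan Policy: N/A
              ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
    Common Session ID: 0AA000010000010548A006AC
Runnable methods list:
       Method   State
       dot1x   Authc Success
CS01#show authentication sessions interface tenGigabitEthernet 1/1/12
            Interface: TenGigabitEthernet1/1/12
          MAC Address: 28d2.4421.109c
           IP Address: 10.160.193.100
            User-Name: host/TESTPC01.sportshub.com.sg
               Status: Authz Failed
               Domain: DATA
        Authorized By: Authentication Server
          Vlan Policy: N/A
    Common Session ID: 0AA000010000010648A11C04
Runnable methods list:
       Method   State
       dot1x   Authc Success
CS01#
"""

PROMPT = re.compile(r"\S+#")              # "CS01#..." prompt lines carry no session data
METHOD = re.compile(r"(\S+)\s{2,}(.+)")   # "dot1x   Authc Success" under the methods list


def parse_auth_sessions(text: str) -> List[Dict]:
    """Split the output into sessions: {"attrs": {key: value}, "methods": {method: state}}."""
    sessions: List[Dict] = []
    current = None
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        if line.startswith("Interface:"):          # every session block starts here
            current = {"attrs": {}, "methods": {}}
            sessions.append(current)
            in_methods = False
        if current is None:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            m = METHOD.match(line)
            if m and m.group(1) != "Method":        # skip the "Method   State" header
                current["methods"][m.group(1)] = m.group(2).strip()
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            current["attrs"][key] = value
    return sessions


def identity_kind(user_name: str) -> str:
    # 802.1x machine authentication shows up as host/<fqdn>; anything else is a user.
    return "machine" if user_name.lower().startswith("host/") else "user"


def identities_by_mac(sessions: List[Dict]) -> Dict[str, Set[str]]:
    """Identity kinds each endpoint has presented; a MAC that only ever shows
    'machine' never switched from machine to user authentication."""
    seen: Dict[str, Set[str]] = {}
    for s in sessions:
        mac = s["attrs"].get("MAC Address", "?")
        seen.setdefault(mac, set()).add(identity_kind(s["attrs"].get("User-Name", "")))
    return seen


def review_sessions(sessions: List[Dict]) -> List[str]:
    """Flag sessions where dot1x authentication succeeded but authorization failed."""
    findings: List[str] = []
    for s in sessions:
        a = s["attrs"]
        user = a.get("User-Name", "")
        authc_ok = any(state.startswith("Authc Success") for state in s["methods"].values())
        if a.get("Status") == "Authz Failed" and authc_ok:
            kind = identity_kind(user)
            findings.append(
                f"{a.get('Interface')} {a.get('MAC Address')}: {kind} identity '{user}' passed "
                f"authentication but failed authorization; check the authorization policy "
                f"that matches {kind} identities (Vlan Policy: {a.get('Vlan Policy')})")
    return findings


if __name__ == "__main__":
    found = parse_auth_sessions(SAMPLE)
    for mac, kinds in identities_by_mac(found).items():
        print(mac, sorted(kinds))
    for finding in review_sessions(found):
        print(finding)
```

Paste the switch output into `SAMPLE` (or read it from a file) to run it against your own sessions; the parser keys on the `Interface:` line, so several sessions captured in one terminal paste are handled together.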

  • How to grant or deny access to RDBMS based on ODBC ?

    Hello,
    Is it possible to have a logon trigger that denies access to the database when trying to connect with ODBC?
    Erwin

    > Also our standard here is that no one can access with odbc, but for the moment we can not control it.
    Basic management says that one does not create a rule that one cannot enforce.
    Why is ODBC a problem? And why make it Oracle's problem?
    Oracle does not care what client driver the client uses. It does not care what language the client is written in. It does not care what O/S and O/S version the client uses.
    Nor does Oracle security.
    It honestly makes no sense at all to have Oracle police your ODBC "standard". Fact. It cannot be effectively policed by Oracle as it is a client side issue and not a server (RDBMS) issue.
    I would look at why there is this no-ODBC standard. What is the actual/real problem? Once that is identified then one can look at a solution. And yeah, Oracle may play a role in this by correcting and properly implementing security in Oracle... but it can by no means be the cop that controls what end-user software a client runs when connecting to the database.
    And this deals with basic security fundamentals. Violate these at your own risk.

  • Acs se aaa server problem

    Hi,
    I have installed ACS SE for PEAP authentication in a wireless network.
    However, when I install the ACS SE it shows me 2 profiles (self and deliverance) after the initial config in the AAA server window of Network Configuration.
    The name of the default server is deliverance and its IP is 169.x.x.x, which is the default NIC IP, as you can check during the initial startup configuration.
    Please help me to get this fixed.

    Hi.
    The name of the ACS SE listed in the AAA Server section is "self".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
    "In ACS SE, the name of the machine is listed as self."
    "deliverance1" is the default ACS SE name (hostname).
    Sometimes what happens is, even if we have the ACS SE connected to the network during initial configuration and we change the name of the ACS SE from "deliverance1" to something that we want, after the changes have been made on the ACS SE it comes back and shows the IP 169.x.x.x associated with the new hostname.
    NOTE: I am assuming that during initial configuration the ACS SE was connected to the network. If not, then this is supposed to happen.
    In order to correct this issue, follow these steps:
    [1] On the ACS hardware/appliance go to
    Reports and Activity > Appliance Status Page >
    From "NIC Configuration", copy the IP address of the ACS SE.
    Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
    Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
    Note down the "Name" against the IP address of the ACS SE.
    Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it, and move all other entries under the "AAA Servers" column, and press "Submit + Restart".
    And delete the entry from the AAA Server section that is associated with the IP address 169.x.x.x.
    [2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is in the section
    System Configuration > Appliance Configuration... Hostname section, associated with the correct IP address, then do this:
    Establish a serial console connection to the ACS SE.
    Issue the command "set hostname " and then reboot the ACS SE with the command "reboot".
    [3] Once the ACS SE is back up, go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the new name is in the "Forward To" column > Submit + Restart.
    Now, the correct IP address will be associated with the correct hostname.
    Regards.
    Prem
