ACS with Checkpoint

Hi,
We have a Checkpoint Firewall using ACS for authentication with RADIUS protocol.
We have two ACS servers configured as primary and secondary on the Checkpoint. Both the ACS servers are configured to use AD as the external database.
Checkpoint is forwarding the authentication request to the primary ACS server. The primary ACS server receives the request and keeps trying to authenticate with the AD. For some reason, the authentication is failing. Please check the attached failed login attempt log. ACS tries the authentication many times and hence the account of the user is being locked out on the AD.
Meanwhile, Checkpoint does not receive any response from the primary ACS server. So, it goes to the secondary ACS server. Checkpoint is able to authenticate with the Secondary ACS server.
To add more information to the case, the primary ACS server is successfully authenticating requests from wireless Access Points for the same user accounts.
The External Database configuration on both ACS servers looks the same.
Please let me know what could be the problem and why the primary ACS server is not authenticating requests from Checkpoint, while it can authenticate requests from wireless Access Points.
Regards,
Suresh

Hi Suresh,
In the package.cab this is what I find,
5/2/2007 23:48:13  Authen failed  jiwilson  Global_Admins  External DB account locked out  jiwilson  10.64.45.1
5/2/2007 23:48:18  Authen failed  jiwilson  Global_Admins  External DB account locked out  jiwilson  10.64.45.1
AUTH 05/02/2007 23:47:14 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
Windows is returning error code "error 1326L"
1326L ERROR_LOGON_FAILURE : The attempted logon is invalid. This is due to either a bad user name or authentication information.
I would like you to check for a permission issue, since the same user is able to log in from the secondary ACS.
In the domain controller serving the ACS server:
- Create a user.
- To make it hard to hack, give it a very long complicated password.
- Make the user a member of Domain Admins group.
- Make the user a member of Administrators group.
On the Windows 2000 server running ACS:
- Add new user to proper local group.
-- Open "Administrative Tools" from the control panel.
-- Open "Computer Management."
-- Open "Local Users and Groups" and then "Groups."
-- Double-click the "Administrators" group.
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.
- Give new user special rights on ACS server.
-- Open "Administrative Tools" from the control panel.
-- Open "Local Security Policy."
-- Open "Local Policies."
-- Open "User Rights Assignment."
-- Double-click on "Act as part of the operating system."
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.
-- Double-click on "Log on as a service."
-- Click "Add."
-- Choose the domain from the "Look in" box.
-- Double-click the user created earlier to add it.
-- Click OK.
- Set the ACS services to run as the created user.
-- Open "Administrative Tools" from the control panel.
-- Open "Services."
-- Double-click the CSADMIN entry.
-- Click the "Log On" tab.
-- Click "This Account" and then the "Browse" button.
-- Choose the domain, double-click the user created earlier.
-- Click "OK."
-- Repeat for the rest of the CS services.
- Wait for Windows to apply the security policy changes, or reboot the server.
- If you rebooted the server, skip the rest of these instructions.
- Stop and then start the CSADMIN service.
- Open the ACS GUI.
- Click on System Config.
- Click on Service Control.
- Click "Restart."
Note that if the Domain Security Policy is set to override settings for "Act as part of the operating system" and "Log on as a service" rights,
the user rights changes listed above will also need to be made there.
Regards,
Jagdeep

Similar Messages

  • 2 ACS with 2 CRA

    Hi All,
    We have installed 2 ACS with two CRA installed in AD1 & AD2.
    The problem is when the CRA1 which is installed in AD1 is active everything working fine with both the ACS.
    But when CRA1 is down and CRA2, which is installed in AD2, is up, the authentication fails.
    Can anyone help in this regard? I have the logs; if required I can upload them.
    Thanks in advance
    Sachi

    Most likely this is a permission issue.
    CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
    CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
    CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
    CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
    CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
    The account running the remote agent service does not have admin rights. Make sure that account has special privileges like "act as part of the OS" and "log on as a service" in your security policy.
    If you are already using an admin account to run it, then try using Local System.
    Regards,
    ~JG
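The NTAuthenDLL.dll lines in the Checkpoint thread at the top of the page and the CSWinAgent lines in this thread share one log layout. The parser below is an added example (not code from either thread or from Cisco): it reads that layout, attributes each FAILED line to the user named on the preceding Attempting line for the same thread id, and flags users whose repeated failures inside a window would trip an AD account lockout, which is exactly what the first poster saw. The lockout threshold, the 30-minute window and the sample lines marked constructed are assumptions.

```python
"""Parse ACS external-DB authentication log lines and flag users at risk of
an AD lockout from repeated Windows authentication failures.

Added example, not from the forum posts. The line layout and the error codes
1326L / 6L come from the logs quoted above; threshold and window are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ACS service logs: "<service> <mm/dd/yyyy> <hh:mm:ss> <level> <seq> <thread> <message>"
LINE_RE = re.compile(
    r"^(?P<service>\S+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<level>[A-Z])\s+(?P<seq>\d{4})\s+(?P<thread>\d{4})\s+(?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAILED_RE = re.compile(r"Windows authentication FAILED \(error (?P<code>\d+)L\)")

# Win32 error codes: 1326 and 6 appear in the posts; 1355 and 1909 are
# well-known codes added here for completeness.
WIN32_ERRORS = {
    6: "ERROR_INVALID_HANDLE",
    1326: "ERROR_LOGON_FAILURE: bad user name or authentication information",
    1355: "ERROR_NO_SUCH_DOMAIN",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

# Constructed sample: the first two AUTH lines and the CSWinAgent lines are
# from the posts; the repeated jiwilson attempts are constructed to show the
# retry loop that locks the AD account.
SAMPLE_LOG = """\
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:14 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:15 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:15 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:15 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
"""


def parse_line(line):
    """Return a dict of fields for a recognised ACS log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
    return rec


def failures_by_user(lines):
    """Attribute each FAILED line to the user of the preceding Attempting line
    on the same thread id. Returns {user: [(timestamp, win32_code), ...]}."""
    current_user = {}  # thread id -> user currently being authenticated there
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        attempt = ATTEMPT_RE.search(rec["msg"])
        if attempt:
            current_user[rec["thread"]] = attempt.group("user")
            continue
        failed = FAILED_RE.search(rec["msg"])
        if failed:
            user = current_user.get(rec["thread"], "<unknown>")
            failures[user].append((rec["ts"], int(failed.group("code"))))
    return dict(failures)


def lockout_risks(lines, threshold=3, window=timedelta(minutes=30)):
    """Return [(user, failures_in_window, last_error_text)] for every user whose
    failures inside `window` reach `threshold`. Threshold and window are assumed
    values; tune them to the domain's account lockout policy."""
    risks = []
    for user, events in failures_by_user(lines).items():
        events.sort()
        for i, (ts, code) in enumerate(events):
            recent = [e for e in events[: i + 1] if ts - e[0] <= window]
            if len(recent) >= threshold:
                risks.append((user, len(recent), WIN32_ERRORS.get(code, f"unknown error {code}")))
                break
    return risks


if __name__ == "__main__":
    for user, count, reason in lockout_risks(SAMPLE_LOG.splitlines()):
        print(f"{user}: {count} failures in window, last error {reason}")
```

Run it against a real ACS auth log to see which service-account or NAS source is producing the retry storm before the domain locks the user out.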

  • Replacing ACS with ISE

    What is required to replace ACS with ISE in simple terms?
    I am looking to basically authenticate wired and wireless access against the local/AD user database via Cisco kit.
    I am thinking all I need is the BASE (perpetual) license rather than the advanced/wireless licenses.
    Is there a limit to how many devices or users the base can deal with in its simplest form?
    I would also like to be able to push out a splash screen for wireless users during authentication. Can this be done just with the ISE Base License alone for a wireless solution (via WLC with LWAPs or Autonomous APs)?
    thanks
    dave

    Yes, you can authenticate the user using ISE, but you need an Advanced license if you want to use both wired and wireless. Here is a small table to help you understand the license requirements. Also, the max. devices supported depends on the type of deployment, and with the Advanced feature you have the ability of profiling and posturing, which provides very good control for admins in the network.
    Software Packages / Options:
    - Base
    -- Capabilities: Basic network access and guest access
    -- Network deployment support: Wired, wireless, and VPN
    -- License prerequisite: None
    -- Perpetual license
    -- Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    - Advanced
    -- Capabilities: Profiler and feed service, posture, MDM integration, automated endpoint onboarding, and Security Group Access (SGA)
    -- Network deployment support: Wired, wireless, and VPN
    -- License prerequisite: Base license
    -- Term license: 1-, 3- and 5-year terms
    -- Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    - Wireless
    -- Capabilities: Basic network access, guest access, profiler, posture, and SGA
    -- Network deployment support: Wireless
    -- License prerequisite: None
    -- Term license: 1-, 3- and 5-year terms
    -- Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    - Wireless Upgrade
    -- Capabilities: Basic network access, guest access, profiler, posture, and SGA
    -- Network deployment support: Wired, wireless, and VPN
    -- License prerequisite: Wireless license
    -- Term license: 1-, 3- and 5-year terms
    -- Upgrade licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    ***Do rate helpful posts***

  • ACS with MySQL

    Hi, is it possible to use ACS with a MySQL database?
    regards
    Steffen

    Depends on what you mean.
    The ODBC Authenticator (that is, authenticating users against an external ODBC data source) should work fine with MySQL. There is a white paper I wrote still kicking about on CCO somewhere if you search for it.
    If you mean can you use MySQL for ACS's own internal database, then no, you can't.
    Darran

  • Integrating ACS with DC

    Hi All,
    I am trying to integrate ACS with the DC. Can anyone please get me the document to follow?
    Thanks.

    Hi Abdul
    Check my response (last post) in the following conversation.
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB?cmd=display_location&location=.2cbe94a0
    Regards

  • ACS with Tivoli Identity Manager

    Has anyone implemented ACS with ITIM? It was press-released almost a year ago and I cannot find any technical documentation to find out how it integrates. What I need to find out is: does the ACS server use ITIM as an external database for user auth? Or do both products need to back end into the same LDAP directory for user/password info?

    Yes, we have. ITIM has developed an ITIM ACS agent for Cisco ACS integration. The ITIM ACS Agent is installed on the ACS server and it communicates with the Cisco ACS application through the available Cisco ACS API. Through the ITIM agent, ITIM can create, delete and modify ACS user accounts. No, the Cisco ACS server cannot use the ITIM database as an external database for user auth.

  • Integration of ACS with two different Domain in different forest

    Hi
    We have two Domain Controllers in two different forests. One forest is X.IN and other is Y. In X.IN forest we have a tree called PPP.IN.
    Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
    Thanks
    Ritesh

    It is possible in ACS 4.2 to do machine and user authentication over cross forest trusts. See Resolved Caveats here:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    HTH
    Jeremy

  • Force Dehydration with Checkpoint Function

    I was reviewing the "what's new in 10.1.2.0.2" document and I saw a note about "Force Dehydration with Checkpoint Function". Where might I find some documentation on how to accomplish this? The only documentation in the users guide is the following:
    [start quote]
    Using Dehydration Points to Maintain Long-Running Asynchronous Processes:
    To automatically maintain long-running asynchronous processes and their current state information in a database while they wait for asynchronous callbacks, you can create a dehydration point. Storing the process in a database preserves the process and prevents any loss of state or reliability if a system shuts down or a network problem occurs. This feature increases both BPEL process reliability and scalability. You can also use it to support clustering and failover.
    You insert this point between the invoke activity and receive activity. Figure 6–1 on page 6-2 shows an example of a dehydration point in the loan application approver Web service.
    [end quote] (note, figure 6-1 does not really give any clues).
    I also found this little snippet on the forum and I am wondering if this is the feature being referenced or if there is a new way to accomplish a checkpoint?
    <bpelx:exec name="invokeJavaExec" language="java" version="1.4">
    <![CDATA[
    checkpoint()
    ]]>
    </bpelx:exec>
    Thanks,
    Greg

    Right, checkpoint is a function that can be used inside embedded Java code only, exactly as shown in the code snippet, and it will force the state to be dehydrated.
    thx clemens

  • ARP table clash with checkpoint and ASA firewal issue

    We are migrating DMZ segments from a Checkpoint to an ASA 5585 firewall that we had connected to the same segments as the Checkpoint, except on different IP addresses than the Checkpoint interfaces. The Checkpoint interfaces are the default gateway for the servers. When I implemented the NAT entries below we experienced an ARP table clash between the Checkpoint and ASA firewall on the local segments that caused an application outage. What was determined was that the Checkpoint firewall was showing that all the IP addresses, in particular on the VLAN130 segment, were associated with the MAC address of the ASA interface instead of the real server MAC address. I need assistance understanding why the Checkpoint was pointing the ARP entries for many different addresses on VLAN130 to the ASA firewall MAC.
    nat (any,internet-outside) source static any any destination static isxh2007_Xlate_167.9.6.21 isxh2007_10.121.201.86 unidirectional description To match chkpt NAT rule #5
    nat (VLAN130,internet-outside) source static ISX_EDI_Hosts isxh2008_Xlat_167.9.6.22 unidirectional
    nat (any,internet-outside) source static Private-Addresses ISX_OUTBOUND_NAT_167.9.6.1 destination static external_167.9.x external_167.9.x unidirectional
    nat (any,any) source static Mars-Internal-All Mars-Internal-All destination static Private-Addresses Private-Addresses
    nat (internet-dmz,internet-outside) source static acs-vmww2419.mars-ad.net acs-vmww2419_xlate_167.9.6.23
    nat (internet-dmz,internet-outside) source static acs_vmww2420 acs_vmww2420_xlate_167.9.6.24
    nat (internet-dmz,internet-outside) source static pass_reset_internal_10.121.201.50 pass_reset_external_167.9.6.25
    nat (internet-dmz,internet-outside) source static HE-Portal-poland_10.121.120.10 ext_HE-Portal-poland_167.9.6.26
    nat (any,internet-outside) source dynamic any ISX_OUTBOUND_NAT_167.9.6.1
    isxasa04/wwy-legacy# sho interface
    Interface TenGigabitEthernet0/8.129 "core-inside", is down, line protocol is down
    MAC address 442b.0330.aba2, MTU 1500
    IP address 10.121.129.X, subnet mask 255.255.255.0
    Traffic Statistics for "core-inside":
    241633 packets input, 12094352 bytes
    44788 packets output, 3032584 bytes
    109732 packets dropped
    Interface TenGigabitEthernet0/9.130 "VLAN130", is down, line protocol is down
    MAC address 442b.0330.aba3, MTU 1500
    IP address 10.121.130.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN130":
    1264203 packets input, 136452168 bytes
    326080 packets output, 69216516 bytes
    794035 packets dropped
    Interface TenGigabitEthernet0/9.136 "VLAN136", is down, line protocol is down
    MAC address 442b.0330.aba3, MTU 1500
    IP address 10.121.136.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN136":
    374547 packets input, 23696109 bytes
    51186 packets output, 3324895 bytes
    173500 packets dropped
    Interface GigabitEthernet0/1 "internet-outside", is down, line protocol is down
    MAC address 442b.0330.ab9b, MTU 1500
    IP address 167.9.6.X, subnet mask 255.255.255.0
    Traffic Statistics for "internet-outside":
    352158 packets input, 17245425 bytes
    76888 packets output, 3872904 bytes
    12255 packets dropped
    Interface GigabitEthernet0/2 "internet-dmz", is down, line protocol is down
    MAC address 442b.0330.ab9c, MTU 1500
    IP address 10.121.201.X, subnet mask 255.255.255.0
    Traffic Statistics for "internet-dmz":
    237795 packets input, 12460108 bytes
    40787 packets output, 2775684 bytes
    27378 packets dropped
    Interface GigabitEthernet0/4 "VLAN140", is down, line protocol is down
    MAC address 442b.0330.ab9e, MTU 1500
    IP address 10.121.140.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN140":
    386931 packets input, 18807725 bytes
    48936 packets output, 3319712 bytes
    114417 packets dropped
    We crosschecked MAC addresses and this is what we found:
    Checkpoint ARP table:
    10.121.130.101 44:2b:3:30:ab:a3 3285
    ASA ARP table:
    isxasa04/wwy-legacy# sh arp | i 10.121.130.101
    VLAN130 10.121.130.101 001a.4b06.dd45 10525
    Server real address provided by processing:
    0x001A4B06DD45
    When we saw that the Checkpoints had a different/wrong entry we shut down all the physical ports on the new ASAs (except for failover and management);
    Kevin cleared the ARP table on the Checkpoints and problem was solved;
    Later I saw this:
    isxasa04# sh int | i MAC
    MAC address 442b.0330.ab9a, MTU not set
    MAC address 442b.0330.ab9b, MTU not set
    MAC address 442b.0330.ab9c, MTU not set
    MAC address 442b.0330.ab9d, MTU 1500
    MAC address 442b.0330.ab9e, MTU not set
    MAC address 442b.0330.ab9f, MTU not set
    MAC address 442b.0330.aba0, MTU not set
    MAC address 442b.0330.aba1, MTU not set
    MAC address 442b.0330.ab98, MTU not set
    MAC address 442b.0330.ab99, MTU not set
    MAC address 442b.0330.aba2, MTU not set
    MAC address 442b.0330.aba3, MTU not set

    The ASA is proxy ARPing those MACs. Turn off proxy ARP and put in static ARP entries until you completely shut down the Checkpoint.
    Sent from Cisco Technical Support iPad App
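The cross-check the poster did by hand (Checkpoint ARP entry vs. the ASA's own interface MACs vs. the ASA's ARP entry) can be automated. The script below is an added example, not code from the thread or from either vendor: it normalises the three MAC spellings seen in the posts (Checkpoint's unpadded colon form, the ASA's dotted form and the 0x-prefixed form), then reports every host whose Checkpoint ARP entry points at an ASA interface MAC, which is the proxy-ARP symptom. The ARP tables are constructed samples modelled on the ones quoted above.

```python
"""Flag ARP entries on one firewall that resolve to a neighbouring firewall's
own interface MACs (the proxy-ARP clash described in the thread above).

Added example, not from the thread. Input layouts follow the quoted output:
Checkpoint "<ip> <mac> <age>", ASA "show arp" "<iface> <ip> <mac> <age>" and
ASA "show interface | include MAC" lines. Sample tables are constructed.
"""
import re

# Constructed samples: .101 uses the values from the posts, .102/.103 are added.
CHECKPOINT_ARP = """\
10.121.130.101 44:2b:3:30:ab:a3 3285
10.121.130.102 44:2b:3:30:ab:a3 3290
10.121.130.103 0:1a:4b:06:dd:46 120
"""
ASA_ARP = """\
VLAN130 10.121.130.101 001a.4b06.dd45 10525
VLAN130 10.121.130.102 001a.4b06.dd47 10400
"""
ASA_INTERFACES = """\
MAC address 442b.0330.aba2, MTU not set
MAC address 442b.0330.aba3, MTU not set
"""


def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits whatever the input notation."""
    t = text.strip().lower()
    if t.startswith("0x"):
        t = t[2:]
    if ":" in t or "-" in t:
        # per-octet notation; Checkpoint prints "3" where others print "03"
        octets = re.split(r"[:-]", t)
        if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
            raise ValueError(f"bad MAC: {text!r}")
        return "".join(o.zfill(2) for o in octets)
    t = t.replace(".", "")
    if not re.fullmatch(r"[0-9a-f]{12}", t):
        raise ValueError(f"bad MAC: {text!r}")
    return t


def parse_checkpoint_arp(text):
    """'<ip> <mac> <age>' per line -> {ip: normalised mac}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0]] = normalize_mac(parts[1])
    return table


def parse_asa_arp(text):
    """ASA 'show arp' lines '<iface> <ip> <mac> <age>' -> {ip: normalised mac}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            table[parts[1]] = normalize_mac(parts[2])
    return table


def parse_asa_interface_macs(text):
    """Collect the ASA's own interface MACs from 'show interface' output."""
    return {normalize_mac(m.group(1))
            for m in re.finditer(r"MAC address ([0-9a-f.]+)", text, re.I)}


def find_hijacked_entries(cp_arp, asa_arp, asa_macs):
    """Return [(ip, checkpoint_mac, asa_mac_or_None)] for IPs the Checkpoint
    resolves to an ASA interface MAC: the ASA answered ARP for that host
    (proxy ARP) and the Checkpoint cached the answer instead of the real MAC."""
    return [(ip, mac, asa_arp.get(ip))
            for ip, mac in sorted(cp_arp.items()) if mac in asa_macs]


if __name__ == "__main__":
    hits = find_hijacked_entries(parse_checkpoint_arp(CHECKPOINT_ARP),
                                 parse_asa_arp(ASA_ARP),
                                 parse_asa_interface_macs(ASA_INTERFACES))
    for ip, cp_mac, real_mac in hits:
        print(f"{ip}: Checkpoint has {cp_mac} (ASA interface), ASA sees host at {real_mac}")
```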

  • Nameidentifier claims is no longer in the token issued by Access Control Service(ACS) with newly created ACS

    Hi,
    In our existing ACS, when we add a new relying party, we associate it with a rule as below:
    input claim type as
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    and output claim type as
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    When I used the ACS created previously, for the token I received, I have
    Received claims with existing ACS:
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: testoem2,
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: TESTOEM2-MS,
    htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider: htps://wp8partnerservicesv1-tst.accesscontrol.windows.net/
    but for the new ACS namespace, when I configure it exactly the same way, I receive
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: TestOem2-MS,
    htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider: htps://zackpartnerservice1-tst.accesscontrol.windows.net/
    The nameidentifier claim is no longer in the token.
    Does anyone from the Azure ACS team know what change in ACS might have caused this issue, and how do I configure the ACS so that I can get the nameidentifier claim in the token too?
    since my account is not verified, I use h_ttp instead of http in my question.
    thank you,
    Zach

    Greetings, Zach!
    Please refer to this:
    https://msdn.microsoft.com/en-us/library/hh446535.aspx
    The article elaborates how federated identity works with ACS.
    Thank you,
    Arvind

  • Using ACS with PIX/ASA

    Hi there,
    We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command-level authorisation.
    We have successfully deployed this to our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS, and have stumbled across issues.
    Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
    aaa-server XXXXX protocol tacacs+
    accounting-mode simultaneous
    reactivation-mode depletion deadtime 1
    max-failed-attempts 1
    aaa-server XXXXX inside host <SERVER>
    key <SECRET>
    timeout 5
    aaa authentication telnet console XXXXX LOCAL
    aaa authentication enable console XXXXX LOCAL
    aaa authentication ssh console XXXXX LOCAL
    aaa authentication http console XXXXX LOCAL
    aaa authentication serial console XXXXX LOCAL
    aaa accounting command XXXXX
    aaa accounting telnet console XXXXX
    aaa accounting ssh console XXXXX
    aaa accounting enable console XXXXX
    aaa accounting serial console XXXXX
    aaa authorization command XXXXX LOCAL
    Problems:
    Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
    Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
    PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go; instead it tries each sequentially per authentication attempt, e.g.
    1st Attempt = Server 1
    2nd Attempt = Server 2
    3rd Attempt = Server 3
    4th Attempt = Server 4
    This means that in a total failure of ACS, users will have to attempt authentication N+1 times before falling back to LOCAL credentials, depending on the number of servers configured. This seems to be from setting "depletion deadtime 1"; however, the alternative is worse:
    With “depletion timed” configured, by the time the user has attempted authentication to servers 2, 3 and 4, the hard-coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts; as such it will never fail to local authentication, locking the user out of the device. The PIX itself does warn of this with the following error:
    “WARNING: Fallback authentication is configured, but reactivation mode is set to timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth mechanism.”
    The next issue is that of accounting. AAA Accounting does not record “SHOW” commands, session accounting records (start/stop) or “ENABLE”.
    The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
    As RSA SecurID token can only be used once this fails and locks the account.
    Any ideas on how to make two of Cisco's leading security products work together better?

    Just re-reading the PIX/ASA 7.2 command reference guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
    It appears some of the above are known issues.
    PASSCODE issue, page 2-17 states:
    We recommend that you use the same username and password in the local database as the AAA server because the security appliance prompt does not give any indication which method is being used.
    Failure to LOCAL, page 2-42 states:
    You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
    AAA Accounting, page 2-2 states:
    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
    ASDM issue, page 2-17 states:
    HTTP management authentication does not support the SDI protocol for AAA server group
    So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
    Is there a roadmap to improve this with later versions of the OS?
    Will the PIX/ASA code ever properly support the same features as IOS?
    Would it be better to look at using something like CSM instead of ASDM?

  • Cisco ACS with External DB - EAP-TLS

    Hi Guys,
    I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following?
    Let say both user and computer certs are employed:
    1. Both client and ACS perform a check with each other's certs to ensure they are known to each other. The EAP-TLS exchange.
    2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
    2b. What is the parameter that is checked against the AD database?
    I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
    Client Certificates
    Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
    CN (or Name) Comparison - Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
    SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
    Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
    3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" on the AD DB?
    Please can someone help me with these points.
    I am so lost in this stuff :)) I think.
    Many thx and many kind regards,
    Ken

    Only the TLS *handshake* is completed/successful, but because user authentication fails,
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
    EAP: EAP-TLS: Handshake succeeded
    EAP: EAP-TLS: Authenticated handshake
    EAP: EAP-TLS: Using CN from certificate as identity for authentication
    EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
    pvAuthenticateUser: authenticate 'jatin' against CSDB
    pvCopySession: setting session group ID to 0.
    pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
    pvAuthenticateUser: authenticate 'jatin' against Windows Database
    External DB [NTAuthenDLL.dll]: Creating Domain cache
    External DB [NTAuthenDLL.dll]: Loading Domain Cache
    External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Domain cache loaded
    External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
    External DB [NTAuthenDLL.dll]: User jatin was not found
    pvCheckUnknownUserPolicy: setting session group ID to 0.
    Unknown User 'jatin' was not authenticated
    So the EAP-Failure (RADIUS Access-Reject) is sent, not EAP-Success (RADIUS Access-Accept).
    And no port/point will be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.
    HTH
    Regards,
    Prem

  • ACS with patch L 6 and Name column issue

    Has anyone experienced the following?
    My customer has used the migrate tool to migrate users from ACS 4.2 to 5.3. He has also applied patch level 6. However, under the Identity Groups listed names (the Name column), for some, up to half of the name is missing [e.g. let's say the name contains the following information: “Dimension Data”]; after migrating, only “Dimensi” is seen. He then removed Patch Level 6 and reapplied it with no success. Any advice, or do I need to run to the TAC?
    Thanks a lot
    Lancellot Wendel

    Hi Tarik,
    thanks for the reply,
    with reg to the question
    "If you remove patch 6 and then migrate, does it work?"
    No it did not work either, well I guess I have to open a TAC case for this.
    thanks in advance
    regards,
    lancellot

  • Register Secondary ACS with Primary ACS 5.4 patch 6 and getting error

    Scenario #1:
    prodacs1 and prodacs2 version 5.4 patch 6 with IP address of 10.1.1.1/24 and 10.1.1.2/24, respectively.  
    Both prodacs1 and prodacs2 are running on VMWare ESXi 5.1.  Both are sync'ed with Active Directory
    and authenticate users to manage Cisco routers and switches without any issues.  prodacs1 is the Primary
    and prodacs2 is the Secondary.  BOTH prodacs1 and prodacs2 USE THE SAME LICENSE.  Both prodacs1 and
    prodacs2 are resolved in DNS for both forward and reverse lookup.  In this production environment, everything is working as expected.
    Scenario #2:  NEW deployment in the lab
    labacs1 and labacs2 version 5.4 patch 6 with IP address of 192.168.1.1/24 and 192.168.1.2/24, respectively.
    Both labacs1 and labacs2 are running on VMWare ESXi 5.1.  Both are sync'ed with Active Directory.  BOTH
    labacs1 and labacs2 USE THE SAME LICENSE as scenario #1.  Both labacs1 and labacs2 are resolved in DNS for both
    forward and reverse lookup.
    However, when I tried to add labacs2 into labacs1 so that labacs2 is the secondary and labacs1 to be the
    primary.  From labacs2 interface: System Administration >Operations >Local Operations >Deployment Operations,
    I enter the hostname/IP address, username/password of labacs1, then I click on "Register with Primary", I get
    this message:
    This System Failure occurred:  server cannot be added to the deployment.
    Server has same License ID as server labacs1 that already exists in the deployment.
    Your changes have not been saved. Click OK to return to the list page.
    Why is it not working? Furthermore, why is it working in one environment but not the other with the same
    identical ACS version & patch? It works in the production environment but not the other.
    Has anyone run into this before? How do you fix this?

    What type of license are you using in first deployment?
    There are 2 types of licenses:
    Base license - Install a unique base license for each of the ACS secondary servers in the deployment.
    Large Deployment add-on license - It allows a deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment, as it is shared by all instances
    Please check what type of license are you running in your deployment.
    In order to fix the issue in your 2nd deployment you need to do a reset-application config on your secondary, install the new unique base license (based on show udi) and register it to the primary node to get the configuration replicated.
    Regards,
    Jatin Katyal
    **Do rate helpful posts**

  • ACS with Vasco

    Hi,
    I was wondering - is there any way when configuring ACS for Radius Proxy into Vasco that particular usernames in Vasco can be mapped to ones in ACS in order to apply attributes to only certain people?
    My understanding so far is that if ACS cannot find the username in its local database it will back it off into an external database if configured, such as Vasco. However, I need different group policies applied to particular users by using attributes.
    Thanks in advance for your help!
    Andy

    Hi Andy,
    To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:
    ACS:CiscoSecure-Group-Id = N
    where N is the CiscoSecure ACS group number (0 through 499) to which CiscoSecure ACS should assign the user. For example, if Radius Token Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair: ACS:CiscoSecure-Group-Id = 37
    CiscoSecure ACS assigns the user to group 37 and applies authorization associated with group 37.
    Hope this helps,
    somishra
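The group-mapping value above travels in a RADIUS vendor-specific attribute (type 26, vendor id 9, vendor type 1 for cisco-av-pair). The code below is an added example, not the thread's or Cisco's: it encodes "ACS:CiscoSecure-Group-Id = N" into that attribute as the external server would send it, walks a RADIUS attribute list to pull the av-pairs back out, and rejects a group id outside the 0 to 499 range the answer gives instead of silently mapping it. The sample attribute list is constructed.

```python
"""Encode and decode the Cisco cisco-av-pair VSA carrying
"ACS:CiscoSecure-Group-Id = N", the per-user group mapping described above.

Added example, not from the thread. Wire layout is the RFC 2865 VSA:
type 26 | length | vendor-id (4 bytes) | vendor-type | vendor-length | string.
"""
import re
import struct

RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco ([009\...] above)
CISCO_AVPAIR = 1             # vendor type 1 = cisco-av-pair ([009\001] above)
GROUP_ID_RE = re.compile(r"^ACS:CiscoSecure-Group-Id\s*=\s*(\d+)$")


def encode_cisco_avpair(value):
    """Return one cisco-av-pair as a complete RADIUS attribute (type 26)."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    if 2 + len(body) > 255:
        raise ValueError("av-pair too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(attrs):
    """Yield (type, value) for each TLV in a RADIUS attribute list."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[i + 2:i + alen]
        i += alen


def cisco_avpairs(attrs):
    """Return every cisco-av-pair string found in a RADIUS attribute list."""
    pairs = []
    for atype, value in iter_attributes(attrs):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):          # several sub-attributes may be packed
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return pairs


def group_id_from_avpairs(pairs):
    """Return the ACS group number N from the av-pairs, or None if absent.
    Values outside 0..499 (the range given above) raise instead of mapping."""
    for pair in pairs:
        m = GROUP_ID_RE.match(pair.strip())
        if m:
            n = int(m.group(1))
            if not 0 <= n <= 499:
                raise ValueError(f"group id {n} outside 0..499")
            return n
    return None


# Constructed Access-Accept attribute list: User-Name (type 1) plus the VSA.
SAMPLE_ATTRS = b"\x01\x07jatin" + encode_cisco_avpair("ACS:CiscoSecure-Group-Id = 37")

if __name__ == "__main__":
    print(group_id_from_avpairs(cisco_avpairs(SAMPLE_ATTRS)))
```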
