Adding secondary ACS server

Presently I am using Cisco ACS version 4.1.1 build 23. Now I am planning to add a secondary server. After installing the new server, can anyone help me with what steps I need to configure?
Do I need to configure all the devices on that server? Thanks in advance.

Hi,
You don't have to add each device on the secondary ACS once proper replication is configured between the two ACS servers.
Make sure that replication is initiated and done by the primary ACS, replicating to the secondary ACS server.
For more details on replication refer to the following link:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SCAdv.html#wp756330
HTH
Regards,
Ahmed

Similar Messages

  • Adding secondary ADFS server to farm fails with Could Not Load Assembly error

    Hi all,
    I have two servers running Server 2012 R2.
    There are two AD sites, in site 1, I have the primary ADFS server running on a member server.  In site 2 I have a secondary ADFS server running on the only DC in the site.  There will be WAP servers publishing these servers in either site.
    I successfully set up the first ADFS server in site 1, and this is working ok.  However, when I set up the server in site 2 I get the following error during the prerequisite checker:
    Could not load file or assembly 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Access is denied.
    Unable to retrieve configuration from the primary server. Could not load file or assembly 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. Access is denied.
    I ran this as my domain admin account and also as domain\administrator which is seldom used.
    When I run the resulting PowerShell script, I get errors relating to the GSMA, so not sure if that is where my issue lies.  Here is the script:
    # Windows PowerShell script for AD FS Deployment
    Import-Module ADFS
    # Get the credential used for performing installation/configuration of ADFS
    $installationCredential = Get-Credential -Message "Enter the credential for the account used to perform the configuration."
    Add-AdfsFarmNode `
    -CertificateThumbprint:"Thumbprint Here" `
    -Credential:$installationCredential `
    -GroupServiceAccountIdentifier:"DOMAIN\STSSvc`$" `
    -PrimaryComputerName:"machine.domain.net"
    I tried using the FQDN of the ADFS server as well as the common name of sts.domain.net, neither worked.
    Any suggestions?
    Andrew Hodgson

    Hi,
    Thanks for your post.
    According to the error message, it is more about a permission issue.
    Please refer to this article about how to resolve the error "Could not load file or assembly or one of its dependencies. Access is denied":
    http://blogs.msdn.com/b/sayanghosh/archive/2007/04/21/solution-to-could-not-load-file-or-assembly-or-one-of-its-dependencies-access-is-denied.aspx
    Regards.
    Vivian Wang

  • AAA / Adding additional ACS server

    Hello Guys,
    Need to set up AAA; the proposed plan is attached. We have been using the current setup for a long time for both our office devices and data centre devices. Now we want to add one more ACS apart from the existing two and need to point all the data centre devices to this new ACS server.
    Is it possible to configure multiple groups for multiple devices and separate ACS servers for the defined groups? If possible, please let me know the commands, and if not, please let me know the alternate ways.
    Hope you could understand my requirements and current setup. PFA..
    Many Thanks in advance !!
    Best Regards,
    Anurag.K

    Hi Anurag,
    You can add the new ACS/TACACS+ server and have that server at the top of the sequence.
    tacacs-server host 10.16.2.10
    tacacs-server host 10.16.2.8
    tacacs-server host 10.16.2.9
    tacacs server key xxxxx
    If you really want to create a separate group for the new ACS/TACACS+ server then you need to have the configuration listed below.
    aaa group server tacacs+ GROUP1
    server 10.16.2.8
    server 10.16.2.9
    aaa group server tacacs+ GROUP2
    server 10.16.2.10
    aaa authentication login default group GROUP1 group GROUP2 line
    Let me know if you have any doubts.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Adding Secondary DNS entry in server, but changes didn't take effect

    Hello.
    We have two servers. At the time of installation we didn't configure the ADC + secondary DNS in our network, so these servers were configured with only the DC and primary DNS server IP. Later on we built the ADC with secondary DNS; now when we add the ADC + secondary DNS
    IP to these servers it demands a restart, and after restarting no changes are made, meaning it didn't add the secondary DNS IP.
    Please advise

    Hi,
    Maybe you need to register the secondary DNS server under Networks in the
    Windows Azure management portal. In addition, it seems that you also need to add the secondary DNS server in the
    DNS Servers and VPN Connectivity page.
    More information:
    Setup a Windows Server 2012 R2 Domain Controller in Windows Azure: IP Addressing and Creating a Virtual Network
    Install a Replica Active Directory Domain Controller in Windows Azure Virtual Networks
    In addition, according to the article below, it seems that you can use Powershell to make change in
    .NETCFG files to achieve that.
    Editing DNS in Windows Azure
    Note: Microsoft is providing this information as a convenience to
    you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best regards,
    Susie

  • ACS database not functioning after changing secondary acs ip.

    Hi.. I'm having 2 ACS 3.1 servers, ACS01 (Primary) & ACS02 (Secondary). Recently we have moved ACS02 to another site and changed its IP address.
    When we do database replication from ACS01, we received error message saying that ACS02 has denied replication request.
    Any idea what may be the problem?

    Consider these points when you implement the Cisco Secure database replication feature:
    1) ACS only supports database replication to other ACS servers. All ACS servers that participate in Cisco Secure database replication must run the same version and patch level of ACS.
    2) The primary server transmits the compressed, encrypted copy of its database components to the secondary server. This transmission occurs over a TCP connection, with port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.
    3) Only suitably configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server appears for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure database replication page.
    4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key.
    5) Replication to secondary servers takes place sequentially in the order listed in the Replication list under Replication Partners, on the Cisco Secure database replication page.
    6) The secondary server, which receives the replicated components, must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.
    7) ACS does not support bi-directional database replication. The secondary server, which receives the replicated components, verifies that the primary server is not on its Replication list. If not, the secondary server accepts the replicated components. If so, it rejects the components.
    8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots the user-defined RADIUS vendors occupy. For more information about user-defined RADIUS vendors and VSAs, refer to the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Command-Line Database Utility.

  • ACS Appliance User DB to new non-appliance ACS server

    Is it possible to replicate an ACS appliance user DB and replicate it on a new non-appliance ACS server. We're adding additional ACS servers and don't want to re-create all the groups and mappings. Think of it as ghosting an appliance and restoring it on a new server. Thx

    Here is the link,
    http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml
    Here is the troubleshooting check list, in case you face any issue,
    1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication
    2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.
    3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.
    4) Ensure that the secondary server has its replication scheduling set to "manual".
    5) Please verify that your servers are all running exactly the same ACS version and build.
    6) Also let me know if we have any firewall in between two acs servers.
    Regards,
    ~JG

  • ACS server is not pingable

    Hi,
    I have configured an SNS 3415 server for ACS and assigned an IP address through the first setup command. After that I assigned my laptop an IP from the same subnet as the ACS and tried to access or ping it with no luck; I have disabled the internal firewall and antivirus on my laptop.
    I have also turned on the ICMP echo and tried to browse through HTTPS and HTTP as in the following, with no luck:
    https://192.168.1.1/acsadmin

    I have added the router IP & hostname as AAA clients,
    AAA configuration has been done on the device, the router is pingable from the ACS server, but it's not authenticating,
    the local user is still active. What could be the issue? The following configuration is given:
    aaa new-model
    aaa group server tacacs+ NACS_Group1
    aaa authentication login default group NACS_Group1 local
    aaa authentication enable default none
    aaa authorization config-commands
    aaa authorization exec default group NACS_Group1 if-authenticated
    aaa authorization exec NACS_Group1 group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ====
    tacacs-server host Primary IP timeout 5
    tacacs-server host SEcondary IP  timeout 5
    tacacs-server directed-request
    tacacs-server key 7 104D000A061843595F

    Hi,
    Are you getting any failed attempt messages on Cisco ACS whenever you try to telnet or SSH to the router, and have you configured the following command on the vty lines as well?
    line vty 0 4
    login authentication groupname
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post
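    The two failure modes visible in this thread (a TACACS+ server group declared but never given members, so the router silently falls through to the next method, and vty lines with no explicit login list) can be caught by linting the configuration before it is pushed. The checker below is an added example, not code from the thread; the sample config is constructed, and its IPs and type-7 string are placeholders.

```python
"""Lint an IOS AAA/TACACS+ configuration for the mistakes seen in this thread.

Added example, not code from the thread.  SAMPLE_CONFIG is constructed to
mirror the shape of the poster's router config; addresses and the type-7
string are placeholders, not real values.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ NACS_Group1
aaa authentication login default group NACS_Group1 local
aaa authentication enable default none
aaa authorization exec default group NACS_Group1 if-authenticated
tacacs-server host 192.0.2.10 timeout 5
tacacs-server host 192.0.2.11 timeout 5
tacacs-server key 7 EXAMPLE7KEY
line vty 0 4
 transport input ssh
"""


def parse_blocks(config):
    """Split IOS config text into (top-level line, [indented children]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_aaa(config):
    """Return a list of findings (strings) for the given IOS config text."""
    findings = []
    groups = {}       # server-group name -> member 'server' lines
    login_lists = {}  # 'aaa authentication login' list name -> method tokens
    for line, children in parse_blocks(config):
        m = re.match(r"aaa group server (?:tacacs\+|radius) (\S+)", line)
        if m:
            groups[m.group(1)] = [c for c in children if c.startswith("server")]
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authentication enable (\S+) (.+)", line)
        if m and m.group(2).split()[0] == "none":
            findings.append("enable list %s uses 'none' first: privileged mode "
                            "needs no credential at all" % m.group(1))
            continue
        if re.search(r"\bkey 7 ", line):
            findings.append("'%s' stores the shared secret as type 7, which is "
                            "reversible obfuscation, not encryption" % line)
            continue
        if re.match(r"line vty \d+ \d+", line) and not any(
                c.startswith("login authentication") for c in children):
            findings.append("'%s' has no 'login authentication'; it uses the "
                            "default list implicitly" % line)
    for name, methods in login_lists.items():
        # Every 'group X' token in a method list must name a populated group.
        referenced = [methods[i + 1] for i, t in enumerate(methods[:-1]) if t == "group"]
        for g in referenced:
            if g in ("tacacs+", "radius"):
                continue  # built-in groups: all configured servers of that type
            if g not in groups:
                findings.append("login list %s references undefined group %s" % (name, g))
            elif not groups[g]:
                findings.append("group %s has no 'server' members, so login list %s "
                                "has no AAA server to try and moves straight to "
                                "the next method" % (g, name))
        if not any(t in ("local", "enable", "line") for t in methods):
            findings.append("login list %s has no local fallback: an ACS outage "
                            "locks out remote access" % name)
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("-", finding)
```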

  • ACS 'SERVER has denied replication request

    Trying to replicate 2 ACS servers and I get the following error.
    ACS 'Server' has denied replication request
    10/30/2007 22:09:49 INFO Outbound replication cycle completed
    10/30/2007 22:09:49 ERROR ACS 'Server' has denied replication request
    10/30/2007 22:09:48 INFO Outbound replication cycle starting...
    ANY HELP out there this late please?

    Further adding to somishra suggestion,
    1) Make sure that you are not replicating over NAT. Replication over NAT does not work
    because the IP is used as part of the server authentication
    2) Next, check to make sure that you are not sending or receiving the distribution table.
    On the primary server, the distribution table should not be checked in the send list, and
    on the secondary, the distribution table should not be checked for receive.
    3) Then I would like you to check in the secondary server's partner list, to make sure
    that the primary is not listed. You should not enter the primary server into the partner
    list on the secondary server. However, the primary server should have all secondary
    servers listed in its partner list.
    4) Ensure that the secondary server has its replication scheduling set to "manual".
    5) Please verify that your servers are all running exactly the same ACS version and build.
    6) Also let me know if we have any firewall in between two acs servers.
    Regards,
    ~JG

  • Errors in event log of Secondary DPM server protecting replicas on Primary

    Hello again
    I have two DPM servers, one situated on-site (primary) and one situated off-site (secondary). Protection jobs seem to be running correctly on both servers in that the jobs complete and I am able to restore data from the backups. I use the primary server
    to make the initial backups of critical systems and data (Exchange MDB's etc) and the secondary server to backup those replicas off-site in case of primary site loss or DPM system loss.
    The primary server is a physical server and the secondary server is a virtual server. Both DPM servers have their DPM databases stored on one physical SQL server that is in the primary site.
    Basically what is happening is that every day our virtual machines are snapshotted (secondary DPM server included) and every day the snapshot of the secondary DPM server fails. I see the following two entries in the event log of the secondary server.
    Error 1:
    WARNING
    Source: MSDPM
    Event ID: 955
    The description for Event ID 955 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    The consistency check resulted in the following changes to SQL Server Agent schedules: Schedules added: 2 Schedules removed: 2 Schedules updated: 0.  
    Problem Details:
    <ConsistencyCheck><__System><ID>26</ID><Seq>27861</Seq><TimeCreated>22/05/2014 23:01:31</TimeCreated><Source>SchedulerImpl.cs</Source><Line>719</Line><HasError>True</HasError></__System><Tags><JobSchedule
    /></Tags></ConsistencyCheck>
    the message resource is present but the message is not found in the string/message table
    Error 2
    ERROR
    Source: MSDPM
    Event ID: 4212
    The description for Event ID 4212 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    DpmWriter service encountered an error during PrepareBackup as more than one component is selected for backup in the same snapshot set.  Select a single DPM replica for backup and try the operation again.
    Problem Details:
    <DpmWriterEvent><__System><ID>30</ID><Seq>7</Seq><TimeCreated>23/05/2014 00:30:45</TimeCreated><Source>d:\btvsts\21011\private\product\tapebackup\dpswriter\vssfunctionality.cpp</Source><Line>438</Line><HasError>True</HasError></__System><DetailedCode>4212</DetailedCode></DpmWriterEvent>
    the message resource is present but the message is not found in the string/message table
    These two events are followed by another event from VMWare Tools everyday
    Error 3:
    WARNING
    Source: VMWare Tools
    Event ID: 1000
    [ warning] [vmvss:vmvss] CVmSnapshotRequestor::CheckWriterStatus():1536: writer DPM Writer in failed state: res = 0x800423f4, err = 0x1, error =
    Has anyone come across this before? Currently I am not quite sure what is going wrong and whether it is actually related to snapshots failing, but I want to try to fix these errors first and see what happens.
    Regards

    You are using VMware for virtualization?
    Are you trying to do an online backup of the VM? I think that will not work.
    One thing I wonder: you have installed a second DPM in case site one fails or goes down, but SQL for DPM2 is in site one? Try to move SQL to the external site for DPM 2.
    Seidl Michael | http://www.techguy.at |
    twitter.com/techguyat | facebook.com/techguyat

  • ACS server replication Query

    Hi All ,
    I have two ACS servers, a primary & a secondary server. A new secondary server is to be deployed into the network. My primary ACS server has 1000 AAA clients configured with 15000 user IDs configured in multiple group profiles. My question here is: when I do database replication between primary and secondary, will the entire database be replicated from my primary server to the secondary server (all AAA clients and end users, group profiles, interface configuration etc.), or does replication have restrictions on the database?
    In total: will AAA clients & user IDs be in one database backup, or will they reside in different locations?
    Kindly clarify this for me. Thank you.

    Hi,
    The entire database will get overwritten in case of a database restore.
    You use ACS Database Replication to copy various components of the ACS internal database to other ACSs. This method can help you plan a failover AAA architecture, and reduce the complexity of your configuration and maintenance tasks.
    The components that can be replicated are:
    User and group database
    Group database only
    Network Configuration Device  tables
    Distribution table
    Interface configuration
    Interface security settings
    Password validation settings
    EAP-FAST master keys and policies
    Network Access Profiles
    Logging Configuration  (Enable/Disable Settings)
    The following link will give you details of the database replication.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756304
    Hope this helps.
    Regards,
    Anisha
    P.S.: Please mark this thread as resolved if you feel your query is resolved. do rate helpful posts.

  • When WLC authenticate users with secondary RADIUS server?

    Hi Sir,
    I'm configuring a WLC4404-100. One of the WLANs points to two RADIUS Servers for Authentication and Accounting (please see attached).
    I'd like to know, under what circumstances will the WLC authenticate users against the secondary RADIUS Server (in my case, the ACS with IP address 10.200.67.84)?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

    Hi,
    I navigated to the following on the WLC:
    MANAGEMENT -> SNMP -> Trap Logs
    I noticed the following SNMP trap:
    Fri Dec 8 11:23:21 2006 No Radius Servers Are Responding
    I checked the 2nd ACS server, and true, at around the same time 11:23, the 2nd ACS server was authenticating users.
    I checked the 1st ACS server; at around the same time 11:23, there wasn't any service suspension or database replication going on. What's the cause of this WLC authenticating with the 2nd ACS server? The network is robust and I don't expect any latency issue. The two RADIUS servers are serving only wireless users, the number is about 120.
    On the WLC, I used the default of 2 seconds Retransmit Timeout for both the RADIUS Authentication Servers. Should I fine-tune it to higher value?
    Retransmit Timeout - Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission will be taken up by the controller. You can specify a value between 2 to 30 seconds.
    There are Passed Authentications logged on the 1st ACS server during & after 11:23. So, I suspect the WLC is doing a kind of load-balancing across the two RADIUS servers.
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • Backup ACS server not used by switch.

    I am experiencing a strange issue: During a primary ACS failure, our switches are not resorting to the backup ACS for login authentication, except for enable mode. This means we can only use the emergency local login, but once logged in we cannot enable due to the switch attempting to authenticate that to the backup ACS.
    Once I created the local user in the backup ACS I was able to log in, and after I removed then re-added the primary server as a TACACS host it worked as expected - using the backup only. I can't help but think there is some minor command I am missing so that the switches will recognize the failure of the primary ACS.
    What am I missing that a failure of an ACS server does not cause the switches to use other configured servers?

    Richard,
    I have reviewed the information, however, the debugs are not clear enough as the only outputs displayed other than Accounting logs are the following lines:
    012697: Jan  3 22:37:16.866 GMT: AAA/AUTHEN/LOGIN (0000094B): Pick method list 'default'
    012698: Jan  3 22:37:24.743 GMT: AAA/AUTHEN/LOGIN (0000094B): Pick method list 'default'
    There are known issues with IOS devices not triggering the fallback/failover to the secondary ACS/TACACS+ server when the primary returns an "ERROR" response. "ERROR" refers to a process failure on the server side dropping the request and would not be the same as User Invalid or Bad Password responses which are failures referring to the Authentication information and not the process itself.
    Would it be possible for you to collect a capture on the Secondary ACS switchport while the primary is down in order to determine if the IOS device is reaching the secondary server at all?
    Known issue:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd48175
    Symptoms
    AAA does not failover to the backup tacacs server defined when it receives ERROR
    from the primary server .
    Conditions
    Occurs when tacacs is configured for authentication, and backup servers are
    configured. When the primary server returns error due to csauth not running on
    the primary server, in that case  authentication request does not fail over to
    secondary server.
    Frequency:
    Not a common scenario.
    Workaround:
    None
    NOTES
    1) If you have an ACS for Windows (3.x or 4.x) then you can install Wireshark on the Windows Server and collect the capture.
    2) If you have an ACS Appliance (3.x or 4.x) or an ACS 5.x you might need to configure a SPAN session on the switch.
    After collecting the capture you can use Wireshark > Edit > Preferences > Protocols > TACACS+  > TACACS+ Encryption Key > type the shared secret value. This will  allow you to review the unencrypted packets.
    You can filter the capture as well using ip.addr==x.x.x.x where x.x.x.x is the IOS device IP address.
    Feel free to share the capture with me as well along with the shared secret key. I would gladly review the information.
    NOTE: If the capture shows no traffic going to the secondary unit a useful test would be to configure the "Secondary" server as the primary on the IOS and verify if it works that way.
    NOTE: If possible, a capture on the primary server switchport while it is down might be useful in order to verify how the IOS is determining that the primary server is down, as I do not see it trying to contact the primary either... We should see at least timeouts when contacting the primary ACS.
    Regards.
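    Wireshark can only display TACACS+ bodies once it is given the shared secret because TACACS+ does not encrypt in the modern sense: the body is XORed with an MD5 pseudo-pad derived from the session id, the secret, and the header's version and sequence number (RFC 8907, section 4.5). The script below is an added example, not code from the thread or from Cisco: it builds an authentication START packet, obfuscates it, and parses it back the way a capture analyser does, with the session id, secret and addresses as constructed placeholders. It also shows how a router/ACS key mismatch, which several replies on this page ask about, surfaces in a capture: the de-obfuscated body no longer has consistent field lengths.

```python
"""TACACS+ body obfuscation as defined in RFC 8907 section 4.5.

Added example, not code from the thread or from Cisco.  Every value used
below (session id, shared secret, user, port, address) is constructed.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 pad: MD5(sid|key|ver|seq), then MD5(sid|key|ver|seq|prev)..."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr):
    """Build an authentication START packet (seq 1) for an ASCII login."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    seq_no = 1
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1),
    # then the four one-byte field lengths (data is empty for ASCII start)
    body = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(u), len(p), len(r), 0)
    body += u + p + r
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Parse header and de-obfuscate the body, as a capture analyser would.
    Bodies flagged UNENCRYPTED are returned untouched."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


def authen_start_user(packet, key):
    """Return the username from an authentication START body, or None when
    the field lengths do not add up to the body length, which is the usual
    sign in a capture that the wrong shared secret was supplied."""
    body = parse_packet(packet, key)["body"]
    if len(body) < 8:
        return None
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None
    try:
        return body[8:8 + user_len].decode("ascii")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    pkt = build_authen_start(0x1A2B3C4D, b"placeholder-secret",
                             "netadmin", "tty0", "192.0.2.50")
    print("right key :", authen_start_user(pkt, b"placeholder-secret"))
    print("wrong key :", authen_start_user(pkt, b"wrong-secret"))
```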

  • Ssh after ACS server "locked up" and had to be reconfigured no longer works.

    Hello
    I have a VPN tunnel between an ASA5520 and a Cisco 891.
    I had the 891 configured with the following:
    aaa group server tacacs+ VTY
     ip tacacs source-interface Loopback0
    aaa group server tacacs+ TACACS-ACS
     server 10.8.x.x
     server 10.16.y.x
    aaa authentication login CONSOLE none
    aaa authentication login VTY group tacacs+ local
    aaa authorization exec VTY group tacacs+ local
    aaa authorization commands 0 VTY group tacacs+
    aaa authorization commands 15 VTY group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting commands 15 CONSOLE start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.8.x.x key 7 yadayadayadayada
    tacacs-server host 10.16.y.x key 7 yadayadayadayada
    tacacs-server directed-request
    line vty 0 4
     access-class 1 in
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 15 VTY
     login authentication VTY
     transport input ssh
    line vty 5 15
     access-class 1 in
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 15 VTY
     login authentication VTY
     transport input ssh
    I no longer can access device remotely. I am sure it has to do with the ACS server, but not sure where to look.
    Any help would be  greatly appreciated.

    Hi,
    This is a configuration issue.
    Have you added the loop back interface ip of router on to AAA server as a AAA client?
    Are the shared key same on both router and aaa?
    If both of the above are fine then remove the entire AAA configuration and apply it fresh as below.
    no aaa new-model
    enable password ***********
    username admin privilege 15 password *********
    aaa new-model 
    aaa group server tacacs+ VTY
     server 10.8.x.x
     server 10.16.y.x
    aaa authentication login VTY group tacacs+ local
    aaa authentication enable VTY group tacacs+ enable
    tacacs-server host 10.8.x.x key 7 xxxxx (xxxxx should be the same key used in ACS)
    tacacs-server host 10.16.y.x key 7 xxxxx (xxxxx should be the same key used in ACS)
    line vty 0 4
    login authentication VTY
    Hope that helps
    Regards
    Najaf

  • Cisco ACS Server

    Hi
    I have at present a Cisco ACS server 3.3. I want to upgrade the server to the latest version and also cluster it with another one so that we could have a redundant infrastructure, where if one fails the other one takes over.
    Can you provide a suitable solution for this?
    Thanks

    Hi,
    The Latest version is ACS 4.1. You can upgrade from 3.3.3 build 11 directly to 4.1.
    Then you can install another ACS 4.1 on different machine and setup replication between these two. This way you will have to make changes only on one ACS and the secondary will automatically get updated.
    Once these two are set, you can define both of these server as Radius/Tacacs server on the devices and there would be a redundancy.
    Regards,
    Vivek

  • Second ACS Server

    We have one ACS server on the network and we need to add a second server. The secondary server will be replicating the primary.
    Is it advisable to point some devices to the primary and the other half to the secondary server to balance the load?
    JT

    Thank you for the response.
    I know the secondary server replicates the primary and NOT vice-versa, so does this mean we have to set up all the device groups ONLY on the Primary but point some of the devices to look at the Secondary server first?
    JT
