Cisco ACS database tuning
Hi
I would like to know the best ways for tuning the Cisco ACS database. The database size has now grown and is causing performance problems. We are running Cisco ACS 4.2 on Windows Server 2003 R3 SP2.
What is the best possible way to tune Cisco ACS performance?
What is the best possible design consideration in deploying 6 ACS servers in replicating mode? Can I use one database for all the 6 ACS servers? Is this feasible?
Any docs which talks about all these would be helpful.
Thanks in advance.
SK
Hi there,
About the database size growing issue, I have seen a similar issue in the past and it could be related to the Service Control option; make sure it's configured Low. This option is located under System Configuration.
Regarding the replication issue, in the past I have seen even 7 servers in cascade replicating fine, although depending on different factors like distance, devices in between, amount of data, etc., the replication flow may get affected. I am not sure what your requirements will be, but using one server to replicate the information to the other units is a good option; I prefer this one to cascade replication.
Similar Messages
-
Migrating a Cisco ACS Database
Hi,
Can there be any potential problems if we want to migrate an existing Cisco ACS Database to a different physical server (keeping the same IP information, etc.)?
We were running the Cisco ACS evaluation version for Cisco NAC (CTA) and now want to make it production while moving it to a different server.
Regards \\ Naman
Hi,
I'm not an expert on the ACS, but when you look into System Configuration you will find the feature 'Database Replication'. With an eval version you should be able to test this feature.
Cheers, -
User authentication in Cisco ACS by adding external RADIUS database
Hi,
I would like to configure the below setup:
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here the ACS server would send the authentication requests to the external RADIUS server. So, I have added the external user database (RADIUS token server) in
ACS under External databases. I have added the AAA client in Network configuration (selected "authenticate using RADIUS (VPN 3000/ASA/PIX 7.0)" from the drop down).
Here, how do I make ASA recognize that it has to send the request to the ACS server? Normally when you use ACS as a RADIUS server you can add an AAA server in ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make ASA send the requests to the ACS server?
I would be really grateful for any help on this.
Thanks and Regards,
Rahul.
Thanks Ajay,
As you said, nothing needs to be done on the ASA side if we are using an external user database for authentication.
I'm a newbie to ACS and this is the first time I'm trying to perform a two-factor authentication in Cisco ACS using an external user database.
By two-factor authentication I mean: username + password serves as the first factor (validated by the RADIUS server), and username + security code (validated by the RADIUS server) serves as the second factor. So, during user authentication I enter only the username in the username field and in the "password" field I enter both "password + security code". Our RADIUS server has already been configured with AD as the user store, so we don't have to specify AD details in ACS. I have done the following in ACS to perform this two-factor authentication.
-> In external user databases, i have added a external RADIUS token server.
-> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
-> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
Just to check whether user authentication is successful, I launched the ACS webVPN using https://IP:2002; it asked me to enter username and password. So, I entered the username and in the password field I entered "password + security code". But the page throws an error saying "login failed...Try again". I can't find any logs in the external RADIUS server.
Here is what i found in "Failed attempts" logs under Reports and activities.
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
Am I missing anything on the configuration side with respect to ACS?
Thanks -
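The records above are rows of the ACS 4.2 Failed Attempts CSV log, and "Unknown NAS" is what ACS writes when a request arrives from an address that is not a configured AAA client. As an added example (not code from the original post), this Python script parses such a log and lists the NAS addresses that generated "Unknown NAS" but are absent from the AAA client table, so a missing client entry can be told apart from a real credential failure. The sample rows and the AAA client table are constructed; the fourth row and the client name "asa-edge" are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample shaped like the ACS 4.2 Failed Attempts CSV quoted above:
# the header row, the three "Unknown NAS" rows from the post, plus one assumed
# credential failure from a NAS that *is* configured, for contrast.
FAILED_ATTEMPTS_CSV = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:45:07,Authen failed,rahul,,,(Default),External DB user invalid or bad password,,,,10.204.124.80,,,,,,asa-edge,Firewalls
"""

# Constructed AAA client table: what Network Configuration lists on this ACS.
AAA_CLIENTS = {"10.204.124.80": "asa-edge"}


def parse_failed_attempts(text):
    """Return the log as a list of dicts keyed by the header column names."""
    return list(csv.DictReader(io.StringIO(text)))


def unknown_nas_sources(records, aaa_clients):
    """Map each NAS-IP-Address that produced 'Unknown NAS' to its hit count.
    Addresses already present in the AAA client table are left out: a failure
    from a known client is a different problem (e.g. a shared-secret mismatch),
    not a missing client entry."""
    counts = Counter(r["NAS-IP-Address"] for r in records
                     if r["Message-Type"] == "Unknown NAS")
    return {ip: n for ip, n in counts.items() if ip not in aaa_clients}


def failure_reasons(records):
    """Count failures per (Message-Type, Authen-Failure-Code) so the mix of
    'Unknown NAS' versus real authentication failures is visible at a glance."""
    return Counter((r["Message-Type"], r["Authen-Failure-Code"]) for r in records)


if __name__ == "__main__":
    recs = parse_failed_attempts(FAILED_ATTEMPTS_CSV)
    for ip, n in unknown_nas_sources(recs, AAA_CLIENTS).items():
        print(f"{ip}: {n} 'Unknown NAS' failures, address not in the AAA client table")
    for (mtype, code), n in failure_reasons(recs).items():
        print(f"{n:3d}  {mtype:15s} {code}")
```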
RSA SecurID and Cisco ACS integration for user(s) with enable mode
I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo Linux, RSA SecurID 6.1 and Cisco ACS 3.2. I use tacacs+ authentication for logging into the Cisco router such as telnet and ssh. In the ACS I use "external user databases" for authentication which proxy the request from the ACS over to the RSA SecurID Server. I installed RSA Agents with sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be "RSA_SecurID" group. In the "External user databases" and "database configurations" I assign SecurID to this "RSA_SecurID" group.
Everything is working fine. In the "User Setup" I can see dynamic user test1, test2,...testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.
The problem is that if test1 wants to go into "enable" mode with SecurID login, I have to go into "test1" user setting and select "TACACS+Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.
Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this. The solution is clearly not scalable. Is there a setting from group level that I can do this?
Any ACS "experts" want to help me out here? Thanks.
That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token mode.
The way you described, it seemed like anyone in this group can go directly into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
ACS Database Replication over VPN with overlapping Network Addresses
We currently have two co-locations, each situated in a different province. We have two ACS servers which we want to deploy, one at each co-location. All our network equipment is behind PIX/ASA devices. Getting them to replicate over the VPN should be easy, but in our case we have overlapping network addresses at both ends of the tunnels.
As per Cisco, data does not transit a NAT device when the two Cisco Secure ACS servers communicate, and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to implement NAT to achieve this.
Has any one of you faced this problem of replicating the ACS database over the VPN with overlapping network addresses, and was anyone able to successfully solve this issue using a workaround?
All provided info and comments are greatly appreciated.
I can help with the 3005 setup if you decide to go that route.
You will need to add 2 network list entries under Configuration > Policy Management > Traffic Management > Network Lists.
You will need to configure a local and a remote address. The local will be one of the public IPs for the site (provided by your ISP). The remote will be the device you are connecting to on the other end.
You will also need to add a NAT LAN-to-LAN rule under Configuration > Policy Management > Traffic Management > NAT > LAN to LAN.
Use a static NAT type. The rest will look similar to my example.
Source (local address), Translated (public IP address used in the local network list), Remote (IP address of the device on the other end)
Now just create an IPsec LAN-to-LAN tunnel. You will need to agree with the ISP on the DES type and auth type. Use the local and remote networks you created earlier. -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
Hi,
Since the ACS is receiving the request, could you please ensure that in ACE, on every context (including Admin and others), you have the following lines:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators" you should configure in TACACS+ settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Cisco ACS 4.2.1 authentication problem
We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate with Windows 2003 Active Directory. We have updated the Active Directory server to the Windows 2008 version. We have checked the configuration of ACS on the Windows database and there is no problem, but we can't see the dynamic user in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.
Hi there,
There is a section in ACS 4.x where you can define whether the ACS should show the dynamic users or not; make sure that this option is unchecked. For this, go to External User Databases / Unknown User Policy / Configure Caching Unknown Users.
Also, if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.
Let me know if this helps. -
Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server
Hi,
I would very much appreciate it if anyone can share their experience. Thanks in advance.
Issue:
I am trying to configure the ACS SE 4.2 to authenticate using the RSA SecurID Token Server.
Problems encountered:
Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
Questions:
1. Please kindly advise how I should resolve this problem.
2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
Troubleshooting steps I have done:
Below are the steps I took to set up the external DB.
1. Verified sdconf.rec is not a garbage file using the Test authentication function in the RSA client.
2. FTP'd sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
3. Defined the unknown user policy to check the RSA SecurID Token Server to authenticate.
Thank you.
I have NO experience with ACS SE 4.2 and RSA SecurID Token Server BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
All the troubleshooting you've done is correct. In Windows 2003 running Cisco ACS, you can install the test authentication RSA client and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
Other than that, from what I understand, you've done everything correctly. -
is there a way to query the database of cisco acs 3.3 by real name or description field?
No, not directly to ACS. But you can import the db into aaa-reports! where it can be :)
Once the db is imported we have several canned reports for stuff like account status, inactive users, password aging etc. Also a load of TACACS+ device admin reports but also our visual query builder allows you to build up SQL queries using a point & click UI.
http://www.extraxi.com/aaa-reports.htm -
ACS database not functioning after changing secondary acs ip.
Hi.. I have 2 ACS 3.1 servers, ACS01 (Primary) & ACS02 (Secondary). Recently we moved ACS02 to another site and changed its IP address.
When we do database replication from ACS01, we receive an error message saying that ACS02 has denied the replication request.
Any idea what may be the problem?
Consider these points when you implement the Cisco Secure database replication feature:
1) ACS only supports database replication to other ACS servers. All ACS servers that participate in Cisco Secure database replication must run the same version and patch level of ACS.
2) The primary server transmits the compressed, encrypted copy of its database components to the secondary server. This transmission occurs over a TCP connection, with port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.
3) Only suitably configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server appears for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure database replication page.
4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key.
5) Replication to secondary servers takes place sequentially in the order listed in the Replication list under Replication Partners, on the Cisco Secure database replication page.
6) The secondary server, which receives the replicated components, must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.
7) ACS does not support bi-directional database replication. The secondary server, which receives the replicated components, verifies that the primary server is not on its Replication list. If not, the secondary server accepts the replicated components. If so, it rejects the components.
8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots the user-defined RADIUS vendors occupy. For more information about user-defined RADIUS vendors and VSAs, refer to the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Command-Line Database Utility. -
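The six-server layout asked about at the top of the page and the checklist just quoted both come down to a few relationships between servers that can be checked mechanically. As an added example, not code from the thread or from Cisco, this Python model records what each server's own Network Configuration and replication pages hold and checks every primary-to-secondary pair against points 1, 3, 4, 6 and 7 above, plus the chain depth so a hub layout (depth 1) can be told from a cascade. Server names, addresses, keys and the "4.2(1)" version string are constructed; the scenario is the one from the question, a secondary that was re-addressed while the primary still holds its old address.

```python
from dataclasses import dataclass, field


@dataclass
class AcsServer:
    """One ACS instance, as described by its own configuration pages (constructed model)."""
    name: str
    ip: str
    version: str      # must match on every replication peer (point 1)
    key: str          # the key this host presents as an AAA server
    aaa_servers: dict = field(default_factory=dict)   # peer name -> {"ip": ..., "key": ...}
    partners: list = field(default_factory=list)      # secondaries this host replicates to
    accept_from: list = field(default_factory=list)   # primaries this host accepts replication from


def check_replication(servers):
    """Return the problems found on every primary -> secondary edge."""
    by_name = {s.name: s for s in servers}
    problems = []
    for pri in servers:
        for sec_name in pri.partners:
            sec = by_name.get(sec_name)
            if sec is None:
                problems.append(f"{pri.name}: partner {sec_name} is not a known ACS host")
                continue
            # 1) same version and patch level on both ends
            if pri.version != sec.version:
                problems.append(f"{pri.name}->{sec.name}: version mismatch ({pri.version} vs {sec.version})")
            # 3) the secondary is in the primary's AAA Servers table under its current address
            entry = pri.aaa_servers.get(sec.name)
            if entry is None or entry["ip"] != sec.ip:
                problems.append(f"{pri.name}->{sec.name}: AAA Servers entry on {pri.name} missing or has a stale address")
            # 4) the primary is in the secondary's table and the stored key matches the primary's own key
            entry = sec.aaa_servers.get(pri.name)
            if entry is None or entry["key"] != pri.key:
                problems.append(f"{pri.name}->{sec.name}: {sec.name} has no entry for {pri.name} or its key differs")
            # 6) the secondary is configured to accept replication from this primary
            if pri.name not in sec.accept_from:
                problems.append(f"{pri.name}->{sec.name}: {sec.name} does not accept replication from {pri.name}")
            # 7) no bi-directional replication: the primary must not be on the secondary's own list
            if pri.name in sec.partners:
                problems.append(f"{pri.name}<->{sec.name}: bi-directional replication is not supported")
    return problems


def chain_depth(servers, root):
    """Longest primary -> secondary chain from root: 1 for a hub, more for a cascade."""
    by_name = {s.name: s for s in servers}
    def depth(name, seen):
        if name in seen:          # guard against a misconfigured loop
            return 0
        below = [depth(p, seen | {name}) for p in by_name[name].partners if p in by_name]
        return 1 + max(below) if below else 0
    return depth(root, frozenset())


# Constructed fleet: ACS02 was moved and re-addressed, but ACS01 still holds its old address.
ACS01 = AcsServer("ACS01", "10.1.0.4", "4.2(1)", "k-acs01",
                  aaa_servers={"ACS02": {"ip": "10.1.0.5", "key": "k-acs02"},
                               "ACS03": {"ip": "10.1.0.6", "key": "k-acs03"}},
                  partners=["ACS02", "ACS03"])
ACS02 = AcsServer("ACS02", "10.2.0.5", "4.2(1)", "k-acs02",
                  aaa_servers={"ACS01": {"ip": "10.1.0.4", "key": "k-acs01"}},
                  accept_from=["ACS01"])
ACS03 = AcsServer("ACS03", "10.1.0.6", "4.2(1)", "k-acs03",
                  aaa_servers={"ACS01": {"ip": "10.1.0.4", "key": "k-acs01"}},
                  accept_from=["ACS01"])
FLEET = [ACS01, ACS02, ACS03]

if __name__ == "__main__":
    for p in check_replication(FLEET):
        print("PROBLEM:", p)
    print("chain depth from ACS01:", chain_depth(FLEET, "ACS01"))
```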
ACS Database type (e. g. mysql,sql,postgre)
Can anyone tell me what database Cisco ACS 4.2 uses? And one more thing: how can I access the ACS database to view the info in the DB?
Sybase is the internal database for ACS View server. The data retrieved from multiple ACS are processed and stored in the ACS View internal database.
Please check the below link for getting more information:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9302/white_paper_c07-484555.html#wp9000185 -
Hi,
Is there any way to check that the users were authenticated by AD through Cisco ACS 4.2? I have deployed Cisco ACS 4.2 with WLC 5500; now I have to check whether the users are authenticated by ACS or AD. Kindly guide me on how I can check it.
All users were connected and authenticated as domain users.
I am confused whether ACS authenticates users from the internal database or from AD.
Kindly help me..... I'll be very thankful to you.....
M.Bilal Iqbal
Ok, if you have a user set up in ACS in a group and it is marked "windows", it's getting sent to AD to get authenticated. Did you check your passed logs? There is a field called database. This should show you if the user is ACS or AD. If it's AD it will have the name of your domain (that was set up in ACS).
-
Supported devices/users on Cisco ACS 4.2
Hi,
Does anyone know how many devices/users does Cisco ACS 4.2 support ?
I need to know this information for a very large deployment.
Regards,
Hello,
The following items are general answers to common system-performance questions. The performance of ACS in your network depends on your specific environment and AAA requirements.
•Maximum users supported by the ACS internal database—There is no theoretical limit to the number of users the ACS internal database can support. We have successfully tested ACS with databases in excess of 100,000 users. The practical limit for a single ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated ACS instances.
•Transactions per second—Authentication and authorization transactions per second depend on many factors, most of which are external to ACS. For example, high network latency in communication with an external user database lowers the number of transactions per second that ACS can achieve.
•Maximum number of AAA clients supported—ACS has been tested to support AAA services for approximately 50,000 AAA client configurations. This limitation is primarily a limitation of the ACS memory.
System Performance Specification.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp827669
~BR
Jatin Katyal
**Do rate helpful posts** -
Unable to generate reports in Cisco ACS 4.2
Hi All,
I have configured AAA on the firewall and I am successfully able to log in to it using the ACS username and password, but I am unable to generate Accounting and Administration logs. Whenever I check either of these logs it shows me a blank page. Below is the AAA config on the firewall.
I have installed Cisco ACS 4.2 on windows 2003 server.
aaa-server test protocol tacacs+
aaa-server test (inside) host X.X.X.X
key **********
no aaa authentication http console AAA LOCAL
aaa authentication http console test LOCAL
no aaa authentication ssh console AAA LOCAL
aaa authentication ssh console test LOCAL
aaa authentication telnet console test LOCAL
aaa authentication enable console test LOCAL
aaa accounting enable console test
aaa accounting ssh console test
aaa accounting telnet console test
aaa accounting command test
Awaiting a solution.
Thanks in advance.
Regards,
Amit.
I had the same experience. I even reinstalled Remote Desktop on Leopard, which caused all the passwords and machines I had registered to be hosed, and I had to build up the user/password database again.
Look in your console log. If you see something like:
Feb 12 10:55:22 dhcp46 [0x0-0x1a01a].com.apple.RemoteDesktopAgent[660]: IpcMemoryCreate: shmget(key=5433001, size=1466368, 03600) failed: Cannot allocate memory
it means that the postgresql database that is started for collecting this information cannot start up. It will try several times, and then fail. The way to fix this:
- Apple supplies their postgresql with some sensible memory settings for the trivial task they are asking postgresql to do
- increase the memory settings for the complete system. In Leopard you do that by creating a file called /etc/sysctl.conf
and adding something like this:
kern.sysv.shmmax=167772160
kern.sysv.shmmin=1
kern.sysv.shmmni=32
kern.sysv.shmseg=8
kern.sysv.shmall=65536
See also:
http://forum.servoy.com/viewtopic.php?p=47461 -
Authenticating using Cisco ACS 4.2 integrated with Active Directory 2003
How do I check that users are authenticated using Cisco ACS 4.2 integrated with Active Directory 2003? Can anyone help me with this? Thanks.
You can't actually see the user's membership from ACS. All you can do is create a group mapping under the External Database >> Group Mapping section. This would give you an option to map an external (AD) group to an internal group. The group membership needs to be modified under Active Directory.
Once a user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it would be mapped to an ACS internal group based on the group mapping we did.
Let me know if you have any doubts.
Regards,
Jatin