RDBMS Synchronization problem in ACS Appliance 3.3

Hi,
I was adding multiple AAA Clients on the ACS Appliance using the RDBMS Synchronization option. I followed the complete steps but failed to synchronize the accountActions.csv file on ACS. My FTP server is working fine and returned the logs saying "accountActions.csv file read recieved file successfully size 0 bytes 0.00 kbps", and the RDBMS synchronization logs on ACS reported "No import CSV file on ftp server - nothing to process". I have attached related screenshots. Any help on this issue will be highly appreciated.
Thanks in advance
Best Regards,
Ahmed

The format of the accountsaction.csv file is incorrect as a result of which the RDBMS Synchronization is not executed correctly.
I have attached a sample accountsAction.csv file for you.
(i) The AAA Client C7609-X with the IP address 10.10.10.10 has been added with the shared secret key as mikey and is registered with TACACS+.
(ii) The NDG michasisX has been added.
(iii) The device C7609-X has been added to the NDG michasisX
Place the file in the FTP and try performing an RDBMS synchronization. Restart the ACS services.
Then you can add the devices as per the sample file attached.
Also check if the file name is exactly the same in the RDBMS Synchronization page in the ACS.
Hope this helps,
Soumya

Similar Messages

  • RDBMS Synchronization Options

    I use Cisco ACS version 3.3. When I want to configure RDBMS Synchronization I can't see the table "FTP Setup Options". I need this table to configure FTP for the purpose of adding some user options.
    Does somebody know the solution for this problem?

    Although not strictly supported you can make the software image run like the appliance
    csutil -setPlatform appliance
    This will then enable the appliance features

  • RDBMS Synchronization

    The user guide for ACS for Windows ver4.0 states that Cisco ACS can use RDBMS to synchronize its database with a third party RDBMS system and only one primary ACS server needs to interact with the third party system and the other ACSs in the network can be updated by this primary ACS using RDBMS synchronization.
    However, like many other features that are supposed to work (e.g. domain stripping for MS AD), this too does not seem to work and there is no detailed documentation on how it actually does it.
    The procedure stated in user guide fails and there are gaps in the documentation.
    Can someone refer to any documentation other than the User Guide for instructions/details of this functionality?
    Thanks in advance.

    I think the easiest solution is to have a single ACS that is populated via RDBMS Sync. This ACS becomes the replication "master" that then pushes its config down to a set of "slaves".
    That is the easiest method but replication is a destructive write onto the slave - so you may choose not to do this.
    An alternative is to use the Sync Partners config (part of RDBMS Sync) which attempts to process actions in the sync table on multiple ACSs. For this to work you need the "other" ACSs to have the RDBMS Sync'ing ACS server in their network config db.
    You need to make sure that ACS can write to the transaction table too (note CSV datasources no good) in case one of the other ACSs is down.
    If you're having problems check the rdbms sync CSV & service log on the "master" ACS and the csauth service log on the "slave" for errors.

  • No access to serial console in ACS appliance 111

    We have 2 Cisco ACS appliances running version ...
    Cisco Secure ACS 3.2.2.5
    Appliance Management Software 3.2.2.5
    Appliance Base Image 3.2.2.1
    The fact is that after initial setup, we have never used the console, mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from either ACS. It's quite strange but we have found no way to make them work. We have tried several things, which I describe here in case you can give us any hint:
    1. We have rebooted the appliance and we can see through the console all the start-up process, but when it finally finishes the start-up, we see no login prompt.
    2. We have also shut down the appliance properly and powered it off and on again. Same results. The appliances boot normally but still we don't have console access.
    3. We have tried booting the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restarts from its own system (I mean without the recovery CD-ROM), I can see all the starting messages but when it finishes the start-up process ... no console access.
    4. Finally I have connected a monitor and a keyboard to the appliance (I know Cisco does not recommend it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it has started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop-up window stating that one or more services have not started correctly and that we should check the Event Viewer, something we wished we could do, but as you know, this is a secured system and I don't know if there is a back door method to verify Windows services in this appliance.
    Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
    Kind regards.

    Hi
    I had a similar problem being locked out of the console after the initial configuration wizard.
    I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enter any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
    I rescued the server by doing F8 and rebooting the server with the last known good configuration. From there, you can reset the hostname to something valid. You can check to see which CS services are running through the console session, and start any services that may not be running.
    deliverance1> start CSAgent
    Starting service: CSAgent..
    CSAgent is starting
    CSAgent is running
    Regards
    Ian

  • Adding a Custom VSA to a Group - ACS Appliance

    Hi,
    Using a secure ACS Appliance 4.0
    I want to add a new RADIUS Vendor and its associated VSA to the ACS configuration. This will then be returned during Authorization.
    I have already added the new Vendor and the required VSA through RDBMS. I can now see the new vendor as RADIUS (vendor) in NAP Profile etc
    However, I cannot seem to find a way to set the value of the added VSA and assign it to a particular group. I cannot seem to find that VSA anywhere.

    Add a AAA client with "Authenticate using" Radius(vendor)
    then go to Interface Configuration and enable VSA for Group/User
    ~Rohit

  • ACS appliance External Auth to NT 4.0

    Hi
    I am installing the ACS appliance to do external database authentication to NT 4.0 PDC. It appears with the appliance you have to install a remote agent to make this work. It is my understanding this agent must run on a win2k box. Does the agent have to be installed on the PDC or can it go on any windows server box?
    Is there a workaround if you do not have a win2k server? This network is still NT4 with no win2k boxes.
    Thanks

    The remote agent was not tested on NT4 and probably wouldn't even install properly. Even if it did work, you would be very limited in the support you'd get if you had strange problems because it is an unsupported configuration.
    It doesn't have to go on a PDC, but things just seem to work better if it is on a DC of some sort. At the very least it needs to be on a member server, but as I said, I'd recommend putting it on a BDC from experience.
    The release notes/install guide for it is here:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/index.htm

  • ACS Appliance configuration issue.

    When I attempt to configure the ACS IP address I am getting the following error:
    "Error; Failed to get NIC configuration: <null> <FFFFFFFF>"
    The device is connected to a working ethernet port and the physical layers have been eliminated. Aside from starting from scratch, can anyone suggest a way out of this problem?

    You need to reimage the ACS appliance.

  • Syslog on ACS Appliance

    Is it possible to configure syslog on an ACS appliance running ver 3.3?

    Please take a look at extraxi csvsync. It's our http(s) client that can download logs from ACS v2 or later (software or appliance).
    You simply create an Administrator account on the ACS with access rights to the "reports & activity" page plus each log type you want to download. On a PC somewhere you can schedule csvsync to connect and download all new logs (csvsync keeps a history of what it has previously downloaded) over http.
    By doing a once (perhaps twice) a day bulk download you reduce the inefficient "drip drip" of syslog traffic that can be a problem over WAN. Also, you're guaranteed to get the log data - remember syslog is a non-acknowledged "fire and forget" protocol... ACS can be firing but the other end might be forgetting!
    csvsync also supports filename postfixing - so you don't get name clashes when downloading from multiple ACS servers.
    Used on its own, csvsync is a great way to bulk archive the valuable ACS log data; used in conjunction with extraxi aaa-reports!, you have a full log collection and reporting application.
    For more on csvsync or aaa-reports! please visit http://www.extraxi.com - free 60 day eval versions available.

  • Cisco ACS Appliance and Passed Authentication Logs

    I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
    When I look at the "Passed Authentication" logs, the users seem to show up about 3 times a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
    Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
    Thanks for any suggestions!

    What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned...just reporting issues. I hope this helps.

  • ACS appliance and remote agent testing

    Having problems with integrating ACS appliance with Active Directory. Have installed the remote agent on a member server and from the ACS appliance can enumerate the Active Directory groups correctly so there is at least some communication happening.
    Looking at the remote agent logs, whenever a request for the AD groups comes through you see corresponding log entries. When a user tries to authenticate, though, there are no logs coming through to the remote agent. So maybe it is not being sent to the remote agent?
    In the failed authentications log on the ACS the error is unknown user, it does show the correct username + domain as the person trying to authenticate.
    The Windows server is setup for unknown user policy.
    ACS version is 4.1.1.23, Remote Agent is latest version available.
    Any ideas or things to check?

    Hi,
    As per your last line, it seems that the ACS and RA versions are not the same. Please note that the ACS appliance and RA software versions have to be the same, else it won't work.
    Regards,
    ~JG

  • ACS Appliance "ADClient"

    Hello,
    We have been continuously getting the below messages on the ACS appliance.
    monit[4578]: 'adclient' process is not running
    monit[4578]: 'adclient' trying to restart
    monit[4578]: 'adclient' start: /opt/CSCOacs/bin/exec_wrapper.sh
    ACS adclient INFO: Run, Initializing DB query...
    ACS adclient ERROR: log4j:WARN No appenders could be found for logger (org.hibernate.cfg.Environment).
    ACS adclient ERROR: log4j:WARN Please initialize the log4j system properly.
    Also we have been facing issues where intermittently clients are not able to authenticate. We are using WPA2/802.1x. The ACS appliance is running on 5.1.
    Any help appreciated.
    Thank you.

    Hello,
    I am experiencing the same problem with a secondary ACS running in a virtual appliance. The ACS version is 5.2.0.26.6. Rebooting the VM didn't solve the problem. I'm still able to collect some logs and here is what I found:
    Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' process is not running
    Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' trying to restart
    Oct  6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' start: /opt/CSCOacs/bin/exec_wrapper.sh
    Oct  6 18:50:47 ACSSLAVE2 ACS adclient INFO: Run, Initializing DB query...
    Oct  6 18:50:47 ACSSLAVE2 ACS adclient ERROR: log4j:WARN No appenders could be found for logger (org.hibernate.cfg.Environment).
    Oct  6 18:50:47 ACSSLAVE2 ACS adclient ERROR: log4j:WARN Please initialize the log4j system properly.
    Oct  6 18:50:48 ACSSLAVE2 monit[5031]: 'adclient' failed to start
    Did you manage to solve your problem and get the "adclient" process started?
    Thanks,
    Vincent

  • ACS Appliance - Where is the bulk import?

    On the Windows version there is the command line utility which allows for the bulk import of users and clients. With over 250 TACACS+ clients to install on an ACS appliance I do not want to have to add them in manually, one by one, but don't seem to be able to find the way to import them. Can anyone help?

    On the appliance the only way is to use RDBMS Sync.
    The ACS quick help and online docs all have quite good documentation about how to create the account actions transaction table so I won't describe it here.
    You can actually set more device params via RDBMS sync than you could with csutil.
    I doubt it's been updated for the new device parameters you can manually set up in ACS v4.1 though.

  • Installing Cert on ACS Appliance

    I am trying to install a Cert on an ACS Appliance V3.2. I have created the cert using a MS CA on our network but when I try and install it says that the Private Key file cannot be blank. Any help would be appreciated.
    -clyde

    I had the same problem. Cisco's only help was to tell me that ACS Ver 3.2.3 only supported key sizes of 1024 bits minimum (our root CA had a key size of 512).
    I resolved this by uninstalling the ACS, then installing the root CA certificate on the server. Next I made an enrollment request to the CA for the ACS's own certificate, which was subsequently downloaded and installed.
    After re-installing the ACS server, I just selected "use certificate from storage" rather than "use certificate from file".

  • ACS appliance 3.2.2.5 Remote Agents for Windows DB disappear

    I have two ACS boxes: one is ACSNT and the other an ACS appliance. Both run 3.2.2.5 and have been in production for quite some time. The ACSNT box is the primary and replicates to the appliance as backup. These units authenticate to three different Windows domains: 2 NT domains and 1 AD.
    Recently I just added support for RSA 6.0 servers. Not wanting to mess with the client install on the ACSNT box, I set it up as a RADIUS token server as you do on the appliance. It works just fine on the ACSNT box. On the appliance, however, my Windows external DB quit working with "external db not operational" messages. I rebuilt the Windows external DB, recreated the group mappings, added the remote agents, etc. Things were working fine. I recreated the RSA config and still the Windows DB was working although the RSA config was not working (still working on that if TAC ever calls me back). A few hours later, I decided to check the Windows DB and it was broken again. I checked it out and the remote agents were somehow deleted. Nothing in the logs show it but they were gone. I recreated them and it worked again. This has happened twice now. Does anybody have any advice? The logs show nothing to indicate a problem on the appliance exists and of course the docs state that there should be no problem with both a RADIUS and Windows DBs living together on the same box. All comments welcome!
    Thanks,
    Rik

    Sorry it took so long to get back...I've been out of the office for a few days.
    I did check the docs for issues like this but found nothing. The TAC Engineer escalated it and both engineers kept saying my new RSA servers were causing my issues. However, a simple reboot of the box (it is built on Win2K after all...) cleared up all of the strange issues.
    Thanks,
    Rik Guyler
