Redundant ACS Configuration - IP Address Allocation

I have remote users that connect to the corporate network via VPN terminating on a VPN3k at the primary site. These users are authenticated and given IP addresses by Cisco Secure ACS. There is a backup site where the backup ACS is deployed. I would like the remote users to be authenticated by the backup ACS when the primary is unavailable. Each ACS is configured with subnets that are advertised at its location. In other words, the IP addresses that are given to the remote users are from different ranges. Is it possible to configure the ACS to give the remote users an IP address from the range deployed at the primary site when they are connecting to the VPN3k located at the primary site but are being authenticated by the ACS from the backup site?

Dylan,
I recognized that I didn't really answer your question. You may have both ACS servers serve the same IP address to the client regardless of which VPN Concentrator is active. The key element is the advertisement of the client's IP address back into the network. If you are running OSPF/RIP then you may have the VPN Concentrator advertise the client's IP address via OSPF (or RIP) back into the network.
The ramification is the number of 32-bit mask routes that you may be injecting into your network.
Cheers,
Troy

Similar Messages

  • Port_based address Allocation

    hi,
    Is port-based address allocation possible on a Cisco switch? If so, kindly tell me the switch model or any Cisco / third-party software required.
    Please help.

    Hi All,
    We have a Cisco 897VAG-LTE and an 867VAE-K9. We need to enable DHCP on the router and assign an IP address to fa0/1 using the configuration below. A MAC address reservation will not work, as we will be swapping out the embedded device when repairs are required. Our supplier is using a C897VAMG-LTE-GA-K9 with c800-universalk9-mz.SPA.154-3.M1 software. They say the configuration is not working on their test router. At what level of IOS is this command supported: IP Base, Universal, Adv IP Services? Cisco white papers do not specify this. How best do I approach this situation?
    ip dhcp use subscriber-id client-id
    ip dhcp subscriber-id interface-name
    ip dhcp excluded-address 10.36.1.1 10.36.1.20
    !
    ip dhcp pool DHCP-POOL
     network 10.36.1.0 255.255.255.0
     default-router 10.36.1.254
     reserved-only
     address 10.36.1.253 client-id "Fa0/1" ascii

  • SPLIT ACS CONFIGURATION

    Hi all. In Cisco's documentation, I found something about split ACS deployment where both ACS boxes can act as primary in their zones and then secondary for the other zone respectively, but I don't seem to understand how this can be done on the two ACS boxes. My concern is this:
    Is there a place where you can configure on each machine that machine "A" is the primary for this zone and machine "B" for the other zone, and vice versa?
    I also want to believe that on each AAA client, the first TACACS server configured would be the default AAA server unless it is unavailable, in which case the client checks the next server, just like the behaviour of an ACL.
    Are there any docs that explain the replication of this database, and the configurations required?
    Regards all.
    Thanks.

    Hi
    Split ACS configuration is the concept of dividing the AAA load.
    As per Cisco: In split ACS deployment, you use primary and secondary servers as in a small ACS deployment, but the AAA load is split between the two servers to optimize AAA flow. Each server handles the full workload of both servers in the event of a AAA connectivity problem, but during normal operations neither server carries the full load of authentication requests. This property of the servers allows for less stress on each ACS system, provides better loading, and makes you aware of the functional status of the secondary server through normal operations.
    If you want to split the load then you have to change the way of AAA deployment.
    For example: you have 2000 devices and 2 ACS, then you can divide the load.
    You can configure 1000 devices with:     ACS 1 - Primary IP address
                                             ACS 2 - Secondary IP address
    and the other 1000 devices with:         ACS 2 - Secondary IP address
                                             ACS 1 - Primary IP address
    In this way the load of 2000 devices will be split between the 2 ACS servers.
    Regards
    Chetan Kumar
    http://chetanress.blogspot.com
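The split deployment described in the answer above, as an added example that is not part of the thread: each device holds an ordered pair of AAA servers, half the devices with ACS1 first and half with ACS2 first, and a request walks the list until a reachable server answers. The simulation reports the load per server when both are up and when ACS1 is down. Server names, the device count and the "mark a timed-out server dead and skip it afterwards" behaviour are assumptions chosen for illustration, not Cisco defaults.

```python
"""Model of a split (cross-primary) AAA deployment and its failover behaviour.

Added example, not from the thread. It simulates two ACS servers with each
device pointing at one as primary and the other as secondary, so the load
under normal operation and during an outage can be checked. The dead-marking
behaviour is an assumed AAA-client behaviour, not a documented ACS setting.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AaaClient:
    """A network device with an ordered list of AAA servers to try."""
    name: str
    servers: tuple                      # e.g. ("ACS1", "ACS2"): first is primary
    dead: set = field(default_factory=set)

    def authenticate(self, reachable):
        """Return the server that answered, or None if every server failed.

        A server that times out is marked dead and skipped on later requests
        (assumption: the client does not wait for the dead primary each time).
        """
        for srv in self.servers:
            if srv in self.dead:
                continue
            if srv in reachable:
                return srv
            self.dead.add(srv)          # timed out: remember it, try the next
        return None


def build_split_deployment(n_devices, server_a="ACS1", server_b="ACS2"):
    """Even-numbered devices use A as primary, odd-numbered devices use B."""
    clients = []
    for i in range(n_devices):
        order = (server_a, server_b) if i % 2 == 0 else (server_b, server_a)
        clients.append(AaaClient(f"dev{i}", order))
    return clients


def load_per_server(clients, reachable):
    """One authentication per device; count which server served each one."""
    counts = Counter()
    for client in clients:
        served = client.authenticate(reachable)
        counts[served if served is not None else "FAILED"] += 1
    return dict(counts)


def simulate(n_devices=2000):
    """Normal operation, then ACS1 down, for the thread's 2000-device case."""
    clients = build_split_deployment(n_devices)
    normal = load_per_server(clients, reachable={"ACS1", "ACS2"})
    acs1_down = load_per_server(clients, reachable={"ACS2"})
    return {
        "normal": normal,                       # each server carries half
        "acs1_down": acs1_down,                 # ACS2 carries everything
        # devices that had ACS1 as primary and hit a timeout before failing over
        "timed_out_on_primary": sum(1 for c in clients if "ACS1" in c.dead),
    }


if __name__ == "__main__":
    for label, value in simulate().items():
        print(f"{label}: {value}")
```

The `timed_out_on_primary` figure is the operational cost the Cisco text glosses over: every device whose primary is the failed server eats one timeout before its secondary answers, which is why the client's dead-time and retry settings matter as much as the server pairing.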

  • Resman error: VXI A24 address allocation error on bus 0

    When we execute resman.exe on our test system the following error occurs:
    VXI A24 address allocation error on bus 0
    We have the MXI Controller configured the same as other systems and our configuration is a pc and two VXI chassis. Anyone have any ideas on what could cause this error?

    Hi Jim,
    I do not immediately know the solution to the problem you are seeing, but have a few troubleshooting suggestions:
    1. Check the pins on all of your MXI-2 connectors. If the cable has damaged pins which cannot be bent back into place, you will want to replace the cable.
    2. Try a single VXI chassis, and then the other. If the problem occurs with each chassis individually, then it is likely an issue with the PC or cabling.
    3. If the problem only occurs with one of the chassis in step 2, remove all instruments from the chassis and try running resman again. If this solves the problem, add your instruments back one at a time to isolate which instrument could be causing problems.
    4. If the problem occurs with both chassis in step 2, do you have another PCI-MXI-2 that you could try?
    Let us know the results of your troubleshooting, and we'll be happy to help you out further.
    Jason S.
    Applications Engineer
    National Instruments

  • Configuring SUP address for IBCM Clients

    I have a question about how to configure the SUP address for clients that will be roaming from the intranet to the Internet (aka VPN users).
    Currently I have IBCM up and running. Clients report in and are able to download and install software from the IBCM DP. Currently we have group policies configured to point clients to the correct internal WSUS/SUP servers.
    For clients to use IBCM and an Internet-based SUP, is a Windows Update group policy not possible at all? For example, is the only way for clients to use the IBCM SUP to have absolutely no WSUS group policy configured? Is configuring a domain group policy to have clients point to the Internet-based IBCM SUP not possible?
    SCCM 2012 R2
    Thank you.

    You can create a group policy to point to your SUP. Configure the policy "Specify intranet Microsoft update service location". It's located in Computer Configuration - Administrative Templates - Windows Components - Windows Update. Note that the local group policy will be created regardless of using the domain group policy, so it's just a redundant effort.
    Best, Jacob I'm a PC.

  • Content rule works with no redundant-vips configured

    Hello,
    We have a content rule configured (VIP address 10.1.2.3) but have not configured "ip redundant-vip 1 10.1.2.3" under the circuit configuration on either the master or the backup CSS.
    This content rule works though? Why is this?
    cheers,
    Mike

    Both CSSs are responding to ARP requests for this VIP, but luckily the upstream router keeps using the same CSS MAC address.
    I would still recommend using the redundant-vip.
    G.

  • How  to configure website address to http request

    hi
    How do I configure a website address for an HTTP request?
    (I want to access the JBoss URL http://localhost:8080/HIS/Login using a website name like www.HIS.com.)
    Please help me.

    What I'm trying to do is connect my laptop's built-in Wi-Fi adapter to my home network and connect my USB Wi-Fi adapter to my phone's hotspot, then combine the bandwidth into one stream so that my speed is faster.

  • How best to configure the memory allocation

    Hi,
    Could anyone advise how best to configure the memory allocation by setting the values for
    -Xms
    -Xmx
    -XX=NewSize
    -XX=MaxNewSize
    -XX:SurvivorRate
    -XX:MaxPermSize
    for WebLogic Express 8.1 when the server has about 4G RAM?
    Thanks.

    Hi Chandra,
    "Chandra" wrote:
    > Anyone could advise how best to configure the memory allocation by setting up
    > the value for
    > -Xms
    > -Xmx
    Set -Xms == Xmx == 512m
    > -XX=NewSize
    > -XX=MaxNewSize
    > -XX:SurvivorRate
    > -XX:MaxPermSize
    Set -XX:MaxPermSize == 64m
    and see how it goes.
    > for weblogic Express 8.1 and the server has about 4G RAM ?
    This is way too much for a single WebLogic instance. Normally 512-1024 MB is enough. I'd consider partitioning it into multiple instances with that much memory. Less memory means faster GC.
    HTH
    Regards,
    Slava Imeshev

  • How to configure IP address and hostname?

    May I know any method to configure the IP address and hostname, besides changing them in /etc/hosts and /etc/inet/hosts?
    Any other method?
    Any command to change them?

    > May I know any method to configure IP address and
    > Hostname? besides change it from /etc/hosts and
    > /etc/inet/hosts.
    > any other method?
    > Any command to change?
    Yes, to do it temporarily you can use the ifconfig command, but after a reboot these settings will go away.
    The syntax is:
    ifconfig <interface> <ip addr> netmask <input based on your network> broadcast <broadcast addr> up
    Example:
    ifconfig ce3 180.144.67.40 netmask 255.255.0.0 broadcast 180.144.255.255 up
    HTH,
    Prabu.S

  • Configure Logical Address for Web Applications-Hyperion 11.1.2

    Hello,
    I have an F5 load balancer in front of two Foundation servers and I have not yet configured the logical address for web applications with the load balancer DNS name/hostname. I can access all of the web applications through the load-balanced URL. Do I still need to configure the logical web address for the web applications?
    Thank you so much !

    To add to this, part of the reason for load balancing is usually to support high availability (in addition to scalability). Without that logical address being set up you will find certain configuration items are pointed to one server or another, and if that one server is brought down it impacts key functionality of the whole environment.
    You should consider a test of the infrastructure by purposely bringing down services and/or servers to ensure you still have a fully working environment with the other redundant components. This test may take half a day to several days to really go through a full regression test of key features while taking key pieces down.
    Regards,
    John A. Booth
    http://www.metavero.com

  • How to enable ACS configuration audit

    Dear Expert,
    I'm a newbie at ACS and I would like to know how to enable the "Configuration Audit" for when someone logs in to my network devices using their ACS login, so I can monitor what they did on them.
    I would appreciate it if you could give me simple steps. Thank you.
    ACS Version : 5.2.0.26
    regards

    This is a known defect.
    CSCtn25508    Administrative and Operational Audit logs becomes unable to be recorded.
    Symptom:
       Administrative and Operational Audit logs suddenly become unable to be recorded.
       The log can be configured at  ACS5 GUI -> System Administration -> Configuration -> Log Configuration
       -> Logging Categories -> Global.
    Conditions:
      unknown.
    Workaround:
      none
    This defect has been addressed in ACS 5.2 patch 7 and above.
    Jatin Katyal
    - Do rate helpful posts -

  • Off-line ACS Configuration

    I need to apply a basic configuration to an ACS appliance (5.2) then ship it off to another location to be installed.  The initial installation script calls for you to configure the IP address, DNS, etc ... then pings the gateway and DNS before rebooting.  If these pings fail will the installation fail?
    In other words do I either need to be in the correct network or dummy it up with pingable addresses for the installation to continue properly?
    Thanks

    Thanks, I do not have physical access to the ACS after it gets moved off-site. So perhaps the best solution is to configure it with valid addresses for the location where I am performing the initial configuration; then it can do the pings and complete the installation.
    Once the ACS reboots I can go into the CLI over the serial connection and change the IP address and default gateway (and DNS if needed). When that is complete I can power off and ship it out. Sounds reasonable?
    Thanks ...

  • Redundant Switch Configuration

    I'm trying to setup two Catalyst 3750X-48T-L switches to support redundant networking.  Most pieces of equipment will have two Ethernet interfaces, each on separate subnets.  
    So far, I've got the switches configured as separate VLANs, connected together with stack cables as shown below.  I can propagate Ethernet traffic in each subnet/VLAN independently.  However, I cannot get packets routed across the VLANs/subnets.
    I'm looking for guidance on what additional steps are needed.  Do I need to define each port as a trunk connection?

    If you want to route between the vlans then you need to have L3 vlan interfaces (SVIs) on the switches.
    So for each vlan you need to create an SVI and assign it an IP address from the IP subnet used for that vlan.
    Then you set the default gateway of the clients in that vlan to the be the SVI IP address.
    Note - if your switches are stacked you only need to create the SVIs on the stack master.
    Edit - I haven't used 3750-X switches, so you may also need to enable IP routing using the "ip routing" command.
    Jon

  • Cisco ACS Rogue IP Address issue

    We have had a rogue IP 192.168.0.1 in use for quite a while; I traced it through the MAC tables to the ACS. Only one connection (cable) is used, which is already using 192.168.0.35 as it should be, but it is also using 192.168.0.1.
    I have confirmed this by failing to ping 192.168.0.1 with the ACS unplugged. The rogue IP address is not listed anywhere in the GUI, so it must be on the CLI somewhere. I do not have access to the CLI, or know what the issue could be.

    Hi teymur,
    I am assuming that you are working with ACS 5.5 version. Please go through the following link that will cover all the information regarding step by step configuration of Backup deployment and licensing in ACS 5.5.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#wp1052728

  • IP address allocation based on NAS port

    Hi,
    Using ACS 4.2, I can't find a way to bind an incoming NAS port to a specific IP pool:
    When a user connects, the auth request comes from one of 2 possible NAS ports at random (this cannot change).
    Which NAS makes the request determines the IP range required, so I need 2 IP pools.
    There is no way to say 'if the request comes from NAS1 give an IP from Pool1 and if the request comes from NAS2 give an IP from Pool2'.
    I have gone around and around with NAFs and NARs, but cannot do this.
    I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
    I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups, and so have a single username, but no joy.
    Has anybody come across this problem before? Is there simply no way to do it (surely not)?
    To illustrate the problem better:
    NAS_port1 - 10.1.1.1 uses only IP_pool1 - 10.10.10.0
    NAS_port2 - 10.2.2.2 uses only IP_pool2 - 10.20.20.0
    Single User1
    Single Group1 (User1 cannot be in more than one group)
    User 1 turns on device and connects to either NAS_port1 or NAS_port2 randomly
    NAS_port1 makes the call to the ACS (on this occasion; it could have been #2)
    User1 is seen within Group1 and permitted.
    Group1 has both IP pools available.
    Which IP address does User1 get? Always the first pool until it is exhausted, regardless of the NAS port making the request.
    If NAS_port2 makes the request but gets an IP from IP_pool1 then User1 will have the wrong IP address and so connectivity will not work.

    The way around the dual NAS port issue is to create one group that points to AD and one that uses LDAP. In this way you can have the single username in both groups and avoid the top-down authentication problem of having 2 AD groups:
    User1 logs on. Auth request from NAS_port1. Uses Network Access Profile (NAP) 1. References AD for group Radius_group_1. Gets put into Group 1. Receives IP address 1.
    User1 logs on. Auth request from NAS_port2. Uses Network Access Profile (NAP) 2. References LDAP for group Radius_group_2. Gets put into Group 2. Receives IP address 2.
    And it works well.
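The two allocation behaviours discussed in this thread, and the same problem as the first question on this page (a user who lands on one concentrator must get an address from the range routed behind that concentrator), as an added example that is not part of either thread. `group_with_both_pools` reproduces the failure the poster describes: a group holding both pools drains the first pool regardless of which NAS asked. `select_by_nas` is the fix the per-NAS Network Access Profiles provide: the requesting NAS address chooses the pool. NAS addresses and pool ranges are the illustrative values from the thread; the pool sizes and the `address_is_routable_from` check are assumptions added for the demonstration.

```python
"""IP pool selection keyed on the requesting NAS.

Added example, not from the thread. Models the broken behaviour (one group,
both pools, NAS ignored) beside the fixed behaviour (pool chosen by NAS).
NAS addresses and ranges come from the thread; pool sizes are assumptions.
"""
import ipaddress


class IpPool:
    """A simple lowest-free-address pool over one IPv4 network."""

    def __init__(self, name, network, size=None):
        self.name = name
        self.network = ipaddress.ip_network(network)
        hosts = list(self.network.hosts())
        self.free = hosts if size is None else hosts[:size]
        self.leases = {}

    def allocate(self, user):
        """Hand out the lowest free address, or None if the pool is exhausted."""
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.leases[user] = addr
        return addr


# Which range is routed behind which NAS (the thread's illustrative values).
NAS_TO_NETWORK = {
    "10.1.1.1": "10.10.10.0/24",    # NAS_port1 -> IP_pool1
    "10.2.2.2": "10.20.20.0/24",    # NAS_port2 -> IP_pool2
}


def group_with_both_pools(pools, user, nas_ip):
    """Broken: one group holding both pools. nas_ip is ignored and the pools
    are drained in order, so a NAS_port2 user gets a pool1 address."""
    for pool in pools:
        addr = pool.allocate(user)
        if addr is not None:
            return pool.name, addr
    return None, None


def select_by_nas(pools_by_nas, user, nas_ip):
    """Fixed: the requesting NAS selects the pool (what a per-NAS profile does).
    A NAS with no pool mapped is rejected rather than given a guess."""
    pool = pools_by_nas.get(nas_ip)
    if pool is None:
        return None, None
    return pool.name, pool.allocate(user)


def address_is_routable_from(nas_ip, addr):
    """Assumed sanity check: does the address lie in the range that is
    advertised behind the NAS the user actually landed on?"""
    if addr is None:
        return False
    return addr in ipaddress.ip_network(NAS_TO_NETWORK[nas_ip])


def demo():
    """Run both policies for users arriving on NAS_port2 (10.2.2.2)."""
    # Broken configuration; pool1 is one address deep so exhaustion shows up.
    broken = [IpPool("IP_pool1", "10.10.10.0/24", size=1),
              IpPool("IP_pool2", "10.20.20.0/24", size=1)]
    first = group_with_both_pools(broken, "User1", "10.2.2.2")   # wrong range
    second = group_with_both_pools(broken, "User2", "10.2.2.2")  # pool1 exhausted

    # Fixed configuration: the NAS that sent the request picks the pool.
    fixed = {
        "10.1.1.1": IpPool("IP_pool1", "10.10.10.0/24"),
        "10.2.2.2": IpPool("IP_pool2", "10.20.20.0/24"),
    }
    ok = select_by_nas(fixed, "User1", "10.2.2.2")
    unknown = select_by_nas(fixed, "User1", "192.0.2.9")         # unmapped NAS
    return first, second, ok, unknown


if __name__ == "__main__":
    for label, (pool, addr) in zip(("broken#1", "broken#2", "fixed", "unknown"), demo()):
        print(f"{label}: pool={pool} addr={addr}")
```

The broken path only hands out a correct address once pool1 is empty, which matches the poster's observation that the first pool is used until exhausted; the fixed path never allocates for a NAS it has no mapping for, so a misconfigured concentrator fails closed instead of getting an unroutable address.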
