Second ACS Server

We have one ACS server on the network and we need to add a second server. The secondary server will be replicating the primary.
Is it advisable to point some devices to the primary and the other half to the secondary server to balance the load?
JT

Thank you for the response.
I know the secondary server replicates the primary and NOT vice-versa, so does this mean we have to set up all the device groups ONLY on the Primary but point some of the devices to look at the Secondary server first?
JT

Similar Messages

  • Two ACS Server failover

    Hi all,
    we have an ASA firewall, and we want to authenticate login users by an ACS server.
    In order to eliminate a single point of failure, we built two ACS servers and made one the backup; we also use two protocols, TACACS+ and RADIUS.
    I just want to know how long it will take, if the active ACS server fails, for the login to be authenticated by the standby ACS.
    I have no idea about any "keyword" to search, so please kindly help me, or could you provide a doc; I will learn it by myself.
    Thank you very much.

    Generally in failover scenarios we create AAA server group on ASA. The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if configured. If all servers in the group are unavailable, the security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the security appliance continues to try the AAA servers.
    To create a server group and add AAA servers to it, follow these steps:
    Step 1 For each AAA server group you need to create, follow these steps:
    a.] Identify the server group name and the protocol. To do so, enter the following command:
    hostname(config)# aaa-server server_group protocol radius
    For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.
    You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group can have up to 16 servers in single mode or up to 4 servers in multi-mode.
    When you enter an aaa-server protocol command, you enter group mode.
    b.] If you want to specify the maximum number of requests sent to a AAA server in the group before trying the next server, enter the following command:
    hostname(config-aaa-server-group)# max-failed-attempts number
    The number can be between 1 and 5. The default is 3.
    Also, the default timeout for a server is 5 seconds, so if the first server in the group is not responding the ASA will take 5 seconds * 3 attempts = 15 seconds before it tries the second server in the group.
    If all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried that could be LOCAL database as well. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step.
    If you do not have a fallback method, the security appliance continues to retry the servers in the group.
    c.] If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, enter the following command:
    hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}
    Where the depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
    The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default is 10 minutes.
    The timed keyword reactivates failed servers after 30 seconds of down time.
    Hope this helps.
    Regards,
    Jatin
    Do rate helpful posts-
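    The failover timing described in the answer above can be reproduced with a small model of the server-group logic. This is an added example, not Cisco code or anything from the original thread; the server names, the three request times and the `failover_timeline` helper are constructed for illustration, and the timeout, max-failed-attempts, deadtime and timed-reactivation values are the defaults quoted in the post.

```python
"""Model of the ASA AAA server-group failover behaviour described above.

Constructed example, not Cisco code. Defaults follow the post: per-server
timeout 5 s, max-failed-attempts 3 (range 1-5), reactivation-mode depletion
with deadtime 10 min (0-1440 min) or timed (30 s).
"""
from dataclasses import dataclass

TIMED_REACTIVATION_S = 30.0   # "timed": a failed server is retried after 30 s
NEVER = float("inf")          # "depletion": failed until the whole group is reset


@dataclass
class AaaServer:
    name: str
    responding: bool           # constructed: does this server answer at all?
    failed_until: float = 0.0  # sim-time until which the ASA skips this server

    def is_failed(self, t: float) -> bool:
        return t < self.failed_until


@dataclass
class AaaServerGroup:
    servers: list
    timeout_s: float = 5.0            # default per-server timeout
    max_failed_attempts: int = 3      # max-failed-attempts, default 3
    reactivation_mode: str = "depletion"
    deadtime_s: float = 600.0         # depletion deadtime, default 10 minutes
    fallback_local: bool = True       # LOCAL database configured as fallback
    unresponsive_until: float = 0.0   # group-level dead period (depletion)

    def __post_init__(self):
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("max-failed-attempts must be between 1 and 5")
        if not 0 <= self.deadtime_s <= 1440 * 60:
            raise ValueError("deadtime must be between 0 and 1440 minutes")

    def _reactivate_all(self):
        for srv in self.servers:
            srv.failed_until = 0.0
        self.unresponsive_until = 0.0

    def authenticate(self, now: float):
        """Simulate one AAA request arriving at sim-time `now` (seconds).

        Returns (method, seconds_spent): the name of the server that answered,
        "LOCAL" when the fallback was used, or "NONE" when the group was
        exhausted and no fallback is configured.
        """
        if self.unresponsive_until:
            if now < self.unresponsive_until and self.fallback_local:
                # Group still marked unresponsive: fallback is used at once,
                # no server is contacted.
                return "LOCAL", 0.0
            # Deadtime expired (depletion re-enables every server), or there is
            # no fallback and the appliance keeps retrying the group.
            self._reactivate_all()
        elapsed = 0.0
        for srv in self.servers:
            if srv.is_failed(now + elapsed):
                continue               # skipped until reactivated
            if srv.responding:
                return srv.name, elapsed
            # No answer: timeout * max-failed-attempts before the next server
            elapsed += self.timeout_s * self.max_failed_attempts
            if self.reactivation_mode == "timed":
                srv.failed_until = now + elapsed + TIMED_REACTIVATION_S
            else:
                srv.failed_until = NEVER
        # Every server in the group has now failed.
        if self.reactivation_mode == "depletion":
            self.unresponsive_until = now + elapsed + self.deadtime_s
        return ("LOCAL" if self.fallback_local else "NONE"), elapsed


def failover_timeline(primary_up: bool, secondary_up: bool, **opts):
    """Send three requests (t = 0 s, 20 s, 700 s) to a two-server group."""
    group = AaaServerGroup([AaaServer("primary", primary_up),
                            AaaServer("secondary", secondary_up)], **opts)
    return [group.authenticate(t) for t in (0.0, 20.0, 700.0)]
```

    With the primary dead and the secondary alive, only the first login pays the 15 second penalty; later logins skip the failed primary until it is reactivated, which is why the reactivation mode matters as much as the timeout.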

  • Limitations of Cisco ACS server

    I want to ask about the limitations of Cisco ACS server 3.3.
    I use the ACS server for RADIUS authentication, and it has a limit of 80 authentications per second. But at peak time I need 150-200 authentications per second. Is this a software limitation or does it change with hardware performance?
    Can I also solve this problem with a High Availability configuration?

    Hi
    ACS performance is a very complex issue and depends largely on
    1) auth protocol (anything eap is SLOW)
    2) backend (anything external is SLOW)
    3) server CPU
    We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.
    AD authentication/group mapping can take several seconds to complete.
    ACS's big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSAuth. Messages to CSAuth are blocking - so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.
    EAP-TLS and now EAP-FAST are really really slow because they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
    Putting ACS onto a quad CPU server won't reduce back-end external db latency or increase concurrency.
    The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
    IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
    Darran

  • How many concurrent connections that an ACS server version 4.2 latest patch can handle?

    I have about 50 routers and layer-3 switches that authenticate via tacacs+. The AAA server used to be on a Linux machine running open-source tacacs+ built by me. I have a perl script that will log into all 50 devices at the same time to collect statistics. This script is multi-threaded. Everything is working fine so far.
    I recently out-sourced the AAA function to a 3rd party company, not by my choice.  The 3rd party uses Cisco ACS version 4.2 with the latest patch running on Windows 2003 Enterprise Server with 16GB RAM and quad processors with quad-cores, IBM x3650-M2 hardware. The connectivity between the 3rd party and my company is through a DS-3 connection.  Maximum bandwidth over this DS-3 connection is less than 10Mbps at most.
    I noticed that for the past 3 months I have multiple failures with this perl script due to authentication failure with the ACS server. If I just run the script against a few routers/switches, there are no issues; however, whenever I start the script to log into 50 devices all at the same time, it will fail. If I make the configuration on all routers/switches point back to the old open-source tacacs+ server, the issue goes away. The minute I switch back to the new ACS server, the issue comes back. If I modify the script to hit one device at a time, it works fine. I think it is that the ACS server cannot handle a lot of AAA requests at the same time.
    Does anyone know how many concurrent connections that an ACS 4.2, with latest patches on Windows 2003 Enterprise Server with lot of memory and CPU power, can handle?  I can't seem to find this anywhere on Cisco website.
    Thanks in advance.

    No, I'm not saying ACS cannot cope.
    Concurrency and latency are very different things. ACS CSTacacs can handle many 100s of simple authentications/authorisations per second with users in the internal database. If 1000s of devices all send traffic in the same instant it would take some seconds to work through the backlog of traffic.
    Also, worth considering that a limited number of tasks within ACS (or threads) can actually handle a much greater number of "logins" because they are generally multi-message allowing ACS to keep lots of plates spinning.
    If users are in an external database the latency (per authentication) can increase depending on where the users are (eg Windows AD) and if bad enough can have a serious effect on the overall authentication rate. At which point customers normally turn to load balancing.
    If your device timeouts are 20 seconds (totally reasonable) I suggest the issue is more likely to be something else... a bug, perhaps specific to v4.2?

  • How do I create a default account with an ACS Server

    Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.
    When I add a new device (router or switch) I noticed that it will let me login via the ACS-based authentication even before I set up the aaa-client account for this device in the ACS appliance. I do have the tacacs key and all the appropriate information on the router or switch but I don't have an entry for it in the ACS appliance yet. This has puzzled me. Where is this default account set up? I have another ACS server (Windows based). It seems to have a completely different behavior when it encounters an unconfigured AAA-client compared to the ACS Appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
    This really concerns me from a security perspective.

    Hmm, ACS should not (by default) accept traffic from any old device.
    Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
    Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
    Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
    Also check the Passed Authentications report as this includes the ACS network config device name in the Access-Device column.

  • How enable read only access for ACS server itself

    Hi,
    We would like to know whether it's possible to create read-only access to the ACS server. Currently the ACS server has a generic login with full admin rights.
    We need to create a login for a couple of users to log into ACS to check the "Reports and Activity" tab. Access to all other tabs should be disabled.
    We are using ACS 4.0 version. Please let me know whether it's possible.
    Thanks
    Nachi

    Hi alexchy8,
    We can make use of 2 PowerShell commands to achieve this goal.
    Add-MailboxPermission and Add-MailboxFolderPermission.
    Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.
    Execute the Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.
    You can read the following article as reference:
    http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety,
    or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards.

  • CSM 4.0.1 is removing ACS Server password and then cannot add a new

    Hi,
    We just wanted to use CSM 4.0.1 to change the ACS Server key on a FWSM 3.2(5), but in the transcript I see how it removes the key and then the next statement is to add a 127.0.0.1 ACS Server that I have never defined, and that fails because the connection is lost.
    Can CSM be used to change the ACS key and not lose the connection before changing it? The product allows such a change and does not stop, albeit it should now that this is unsuccessful.
    Here is the transcript!
    Line# 2. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no snmp-server host fwsm-admin-context xxxx poll community comm1
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 3. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central (fwsm-admin-context) host xxxx
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 4. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010):  no key oldkey
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 5. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): exit
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 6. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging host fwsm-admin-context xxxx
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 7. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh timeout 30
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 8. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh version 2
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 9. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffer-size 1048576
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 10. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging debug-trace
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 11. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging trap informational
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 12. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging asdm debugging
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 13. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffered debugging
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 14. (ERROR) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central host 127.0.0.1
    Received (Thu Dec 16 16:22:14 CET 2010): ERROR: Interface "(inside)" does not exist. Please specify a valid interface name for this server
    ! COMMENT: Device reported error here and stopped accepting further commands
    ! COMMENT: BULK END
    Line# 15. (ERROR) Sent (Thu Dec 16 16:22:14 CET 2010): https://xxxx/config?context=admin Received (Thu Dec 16 16:22:14 CET 2010): 24300 : Login failed
    Caused by: Authentication failed on device [193.47.16.28]. Check the credentials.
    Error: Server returned HTTP response code: 401 for URL: https://xxxx/config?context=admin
    I think there are multiple problems, first it removes the key but does not add one and then it wants to add 127.0.0.1 to it and does not use an interface?

    I would say that it is the interface problem, but not that it had no interface; it had another interface.
    The whole interface story is somewhat stupefying for me.
    What I wanted to do is to use a single AAA Server definition for all my contexts on a FWSM, due to multiple imports in the beginning I ended up having 40 or so in the objects.
    Each interface that we have on a context has a different name and it looks like CSM has a problem with this. We have tried to use interface with wildcards, but you cannot specify something like *context* or *vlan*. For us *context* is inside and *vlan* is outside.
    This verification of the AAA Server should be done before trying to deploy and then not having access. Luckily all our contexts had their own AAA connection set up, so I could make changes. Because we had not used the local user for more than 3 years and had 3 weeks to search for it. We almost rebooted the FWSM this Sunday (using a maintenance window) but found the password last Thursday.

  • Second Task Server not appearing in the Manager

    I have set up a second Collection and Task Server (W2003 SP2) on a VM. The Collection Server is running fine.
    The Task Server does not appear in the Manager displayer, after refreshes (F5) and rebooting both the Manager and the new Collection/Task Server.
    Following some of the suggestions on this forum, here is my troubleshooting:
    1. I have a local account "ZAMadmin" on both servers that is a local admin account with full rights to the Filestore
    2. Only the TASKSERVER.exe is running; TASKSERVERCORE.exe is not
    3. I have uninstalled/reinstalled the Task Server.
    4. Port 7465 is NOT open when a TELNET 127.0.0.1 7465 (connect failed)
    Any ideas what to check?

    I entered a ticket with Novell Support $, and the issue revolved around installing the Collection Server, then installing the Task Server later on. I guess the "Component Install" isn't entirely true!
    Here is the scenario for anyone else with this problem:
    1. Second Collection Server installs and it grabs new DLLs for the Primary
    2. Task Server installs but can't start because of DLL conflict
    3. Reinstalling the Task Server does not overwrite the DLL, so the same problem
    The fix is stupid and simple:
    Install the Task Server to a new folder. Then it can install all of the DLLs including the shared programs
    I hope this helps someone else avoid misery!

  • Upgrading an ACS Server from 5.0 to 5.1

    I want to upgrade my ACS server 5.0.0.21 to 5.1. I want to use Active Directory. It seems that in my current version AD is not supported!
    I try to do it by CLI.
    What CLI command do I use and what patch?
    Thanks !

    in the monitoring and report I have this
    AAA Protocol > TACACS+ Authentication
    Authentication Status :
    Pass or Fail
    Date :
    December 09, 2009
    Dec 9,09 11:52:20.200 AM
    13029 Requested privilege level too high
    admin.ad
    switch
    Device Type:All Device Types, Location:All Locations
    Default Device Admin
    AD1
    Thanks !

  • Windows server 2012 standard second DNS server not automatically detected by Windows 7.

    Hi!
    We have configured a second DNS server on our domain just in case.
    I have tested the second DNS by manually activating the second DNS server in the IPv4 config in Windows 7 Pro.
    My question is: isn't the second DNS server supposed to be detected automatically by Windows?
    Thank you.

    Hi,
    There may be some misunderstanding about how DNS works.
    The DNS client doesn't detect DNS servers. The DNS client doesn't know which zone is hosted by a DNS server. The DNS client can only send DNS queries to the DNS servers which are configured in the client.
    As I mentioned above, the DNS Client service queries the DNS servers in the following order:
    1. The DNS Client service sends the name query to the first DNS server on the preferred adapter's list of DNS servers and waits one second for a response.
    2. If the DNS Client service does not receive a response from the first DNS server within one second, it sends the name query to the first DNS servers on all adapters that are still under consideration and waits two seconds for a response.
    3. If the DNS Client service does not receive a response from any DNS server within two seconds, the DNS Client service sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response.
    4. If the DNS Client service still does not receive a response from any DNS server, it sends the name query to all DNS servers on all adapters that are still under consideration and waits four seconds for a response.
    5. If the DNS Client service does not receive a response from any DNS server, the DNS client sends the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.
    In your case, if you configure DNS2 as the secondary DNS server on Windows 7, when DNS1 is down Windows 7 will send the DNS query to DNS2 after 3 seconds (Step 3).
    Best Regards.
    Steven Lee
    TechNet Community Support

  • NodeManager not able to start second managed server in same machine

    Hi,
    I am facing an issue: I am not able to start a second ManagedServer (MG2) using nodemanager (through AdminConsole).
    My setup is as below:
    Server 1
    1) Admin Server + ManagedServer (MG1) (INSTALL LOCATION: /opt/web/MyServer1)
    2) Second Managed Server (MG2) (INSTALL LOCATION: /opt/web/MyServer2)
    Both belong to the same Domain (MyDomain) and NodeManager runs from /opt/web/MyServer1
    I can start MG1, but not MG2.
    I did
    1) nmEnroll for (1) nmEnroll('/opt/web/MyServer1/domains/MyDomain','/opt/web/MyServer1/wlserver_10.3/common/nodemanager')
    2) nmEnroll for (2) nmEnroll('/opt/web/MyServer2/domains/MyDomain','/opt/web/MyServer2/wlserver_10.3/common/nodemanager')
    I see following error in nodemanager.log,
    The domain 'MyDomain' at '/opt/web/MyServer2/domains/MyDomain' was not registered in the nodemanager.domains file and dynamic domain registration is not supported. Please register the domain in the nodemanager.domains file.
    I can start the MG2 if I manually edit nodemanager.domains to point /opt/web/MyServer2/domains/MyDomain.
    Is there a way to configure multiple domain locations in nodemanager.domains, so NodeManager can start a managed server installed in a different location?

    Your nmEnroll shows 2 different domain path values supplied - which means you have told NM to try to connect to 2 different domains
    1) nmEnroll for (1) nmEnroll('/opt/web/MyServer1/domains/MyDomain','/opt/web/MyServer1/wlserver_10.3/common/nodemanager')
    2) nmEnroll for (2) nmEnroll('/opt/web/MyServer2/domains/MyDomain','/opt/web/MyServer2/wlserver_10.3/common/nodemanager')
    You also show 2 distinct node managers you are trying to configure.
    nmEnroll enrolls a domain, not an individual server. If you have only 1 installation of nodemanager, and only 1 domain, then you would only need one nmEnroll command.

  • EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server

    We are running the LWAPP (2006 WLCs and 1242 APs) and using the ACS 4.0 for authentication. Our users are experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not able to authenticate again.
    We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
    Thanks..

    Here are some configs you can try:
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    save config

  • WLC 5508 and ACS server

    Hi,
    Apologies if this has been answered before. I did a search, but was unable to find anything.
    What I would like to do is be able to have a WLC 5508 as the local RADIUS DB and authenticator, but then be able to have an ACS server in a central location as a backup and then replicate between them.
    In other words, set up groups for my remote sites in the central ACS server, which then replicates only the correct group to the remote sites. This allows less administrative overhead, as we just update the central one.
    Is this possible and how would I configure the WLC to do this ?
    Thanks

    Hi,
    if I understood your request, you want to replicate user information between an ACS and a WLC right ?
    That's impossible.
    ACS can only replicate with other ACS servers running the same version. No other way of synchronization exists.
    Regards,
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
    I can ping the IP address of the ACS Server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel (it seems to be directed to the default gateway due to the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • How can I run steam in a second X server?

    I've been trying to run steam in a second X server so that I can "alt-tab" by switching ttys. I've tried following this and this. and switching the binary to /usr/bin/steam -bigpicture. When I do this, the screen goes black except for a cursor at the top left. What am I doing wrong? Do I need to run a wm?

    @nomadpenguin: This sounds very similar to an issue that I was having over the summer following the xorg update. Here's how I got things working.
