SPLIT ACS CONFIGURATION

Hi all. In Cisco's documentation, I found something about split ACS deployment where both ACS boxes can act as primary in their zones and then secondary for the other zone respectively, but I don't seem to understand how this can be done on the two ACS boxes. My concern is this:
Is there a place where you can configure on each machine that machine "A" is the primary for this zone and machine "B" for the other zone, and vice versa?
I also want to believe that on each AAA client, the first TACACS server configured would be the default AAA server unless it's unavailable, in which case the client checks the next server, just like the behaviour of an ACL.
Are there any docs that explain the replication of this database, and the configurations required?
Regards all.
Thanks.

Hi
Split ACS Configuration is the concept of dividing the AAA load.
As per Cisco: In split ACS deployment, you use primary and secondary servers as in a small ACS deployment, but the AAA load is split between the two servers to optimize AAA flow. Each server handles the full workload of both servers in the event of a AAA connectivity problem, but during normal operations neither server carries the full load of authentication requests. This property of the servers allows for less stress on each ACS system, provides better loading, and makes you aware of the functional status of the secondary server through normal operations.
If you want to split the load then you have to change the way of AAA deployment.
For example: you have 2000 devices & 2 ACS, then you can divide the load.
You can configure 1000 devices with: ACS 1 - Primary IP address, ACS 2 - Secondary IP address
& the other 1000 devices with: ACS 2 - Secondary IP address, ACS 1 - Primary IP address
In this way the load of 2000 devices will be split between the 2 ACS servers.
Regards
Chetan Kumar
http://chetanress.blogspot.com
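The per-device ordering the answer describes, as an added example that is not from the original thread: a small Python script that splits an inventory into the two halves and emits the IOS TACACS+ client config for each ordering. The ACS names, addresses and the key placeholder are assumptions.

```python
"""Per-device AAA client config for a split ACS deployment.

Added example, not code from the original thread: the two device halves get
the same two TACACS+ servers but in opposite order, because IOS tries the
members of an `aaa group server` in the order listed.  ACS names, addresses
and the key placeholder are constructed values.
"""
from typing import Dict, List, Tuple

# Constructed placeholder names and management addresses for the two ACS boxes.
ACS_SERVERS = {"ACS1": "10.0.0.11", "ACS2": "10.0.0.12"}


def assign_servers(devices: List[str]) -> Dict[str, Tuple[str, str]]:
    """Alternate devices between the two orderings so the halves stay balanced
    as the inventory grows.  Returns {device: (primary, secondary)}."""
    assignment: Dict[str, Tuple[str, str]] = {}
    for i, device in enumerate(sorted(devices)):
        assignment[device] = ("ACS1", "ACS2") if i % 2 == 0 else ("ACS2", "ACS1")
    return assignment


def render_aaa_config(primary: str, secondary: str,
                      key: str = "TACACS_KEY_PLACEHOLDER") -> str:
    """IOS config for one AAA client; `local` is the last-resort method so the
    device stays reachable if both ACS servers are down."""
    lines = ["aaa new-model"]
    for name in (primary, secondary):
        lines += [f"tacacs server {name}",
                  f" address ipv4 {ACS_SERVERS[name]}",
                  f" key {key}"]
    lines += ["aaa group server tacacs+ ACS-SPLIT",
              f" server name {primary}",      # tried first in normal operation
              f" server name {secondary}",    # used only when the first fails
              "aaa authentication login default group ACS-SPLIT local",
              "aaa authorization exec default group ACS-SPLIT local"]
    return "\n".join(lines)


def primary_load(assignment: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """How many devices send their normal-operation requests to each ACS."""
    counts = {name: 0 for name in ACS_SERVERS}
    for primary, _ in assignment.values():
        counts[primary] += 1
    return counts


if __name__ == "__main__":
    inventory = [f"sw{n:02d}" for n in range(1, 5)]   # constructed sample inventory
    plan = assign_servers(inventory)
    print(primary_load(plan))
    print(render_aaa_config(*plan["sw02"]))
```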

Similar Messages

  • DHCP Split-Scope Configuration Wizard showing error "Not enough storage is available to process this command".

    Hi,
    I'm trying to split the DHCP scope between two Servers using the DHCP Split-Scope Configuration Wizard.
    Server one is a VM hosted on Hyper-V and is running Windows Small Business Server 2008 (I think this was previously SBS2003 and was upgraded at some point in time). The whole DHCP scope is currently configured on here.
    Server two is a VMware VM running Windows Server 2012 R2.
    I've installed the DHCP Server role on Server two (2012R2) and authorized the Server. When I launch DHCP Manager, add the SBS2008 Server in the MMC, right click the scope and choose "Advanced > Split-Scope", and then run through the wizard, I get as far as the "Percentage of Split" screen, and when I click next I get the error "Not enough storage is available to process this command".
    I've searched online for this particular error message and I've come across articles suggesting AV exclusions are not in place for the DHCP database and files, however in this case the exclusions are definitely in place and I've also tried completely disabling AV on both Servers and this made no difference to the outcome.
    I also came across articles suggesting the "IRPStackSize" registry DWORD needed to be added and set to a decimal value of 15 or larger. Again, I've tried adding this and rebooted both Servers but I get the same result.
    Anyone have any ideas?
    Thanks,
    Craig

    Hi Eve,
    No, there were no related events in the event logs. I've since tried splitting the DHCP scope manually but this did not work - the DHCP Server on the SBS would just stop and event 1053 was displayed when trying to start the service again. I noticed that as soon as I de-activated DHCP Server on the 2012 Server then the DHCP Server on the SBS would start again.
    I then found the following in a TechNet article that would suggest I cannot have another DHCP Server on the network if using Small Business Server.
    Notes
    A DHCP server running Microsoft Small Business Server will not operate if another DHCP server is active on its network.
    Detection of unauthorized DHCP servers requires the deployment of Active Directory Domain Services and the DHCP service. Other DHCP servers do not attempt to determine whether they are authorized by Active Directory Domain Services before offering IP address leases.

  • Use of .private as FQDN for SLS in split DNS configuration

    I am setting up a new SLS and just wanted to reach out to see if anyone has had any negative experiences using a domain.private for a FQDN for the server and enabling mail service with mail.domain.com.
    We will be publicly hosting domain.com on a completely different server.
    I have the SLS server set up this way right now. We are in testing but not yet in production. It was set up that way based on discussion with a couple of Apple reps.
    We do not plan to use any of the SLS services publicly, with the exception of Mail. All of the other services will be accessed locally on the network or through remote VPN connection to the SLS.
    Server is working properly thus far with public static IP sitting on an Airport Extreme and private IP of the server NATted behind the Airport Extreme.
    A record, MX record, SPF record, and PTR record have been properly set up and the respective ports opened on the Airport Extreme. So mail is coming in and out properly.
    Thanks to anyone who can share any insight on this general configuration!

    I prefer to use a registered domain name, or a subdomain of a registered domain name, even if it's not externally accessible. That absolutely prevents domain collisions, and it means if (when?) you go public, you don't have to re-address everything. It's insurance at the cost of a couple of trips to the coffee shop a year...
    If I'm going to make something up that I don't have registered (eg: .private) (and I don't prefer to do that), I prefer to make something up that will be extremely unlikely to ever be used. (eg: .local got used for zeroconf, and has subsequently been causing some "fun" for folks that squatted on it.)
    IANA has been adding TLDs and that practice will undoubtedly continue, and they're in the process of opening it up to most anybody that wants to run their own TLD. (eg: .travel, .cat, and I expect there'll be a whole pile of new ones arriving as TLDs turn into "vanity" TLDs; as each company with a big enough budget to rent or run their own big DNS servers gets their own TLDs.)
    Your configuration will require you to run your mail through NAT, or set up a split-horizon (you're not really running split-horizon yet) for your internal IP address translations or (probably the way you're going to do this right now) via an authorized relay and your external mail provider.
    I've set stuff up using all of these. It works.
    And though you don't mention it, get out of 192.168.0.0/16, or at least out of the most common subnets in that IP address block. Using the block or particularly the common subnets in the block messes up VPN routing if (when) you get to wanting (needing) that. Best to start out in 172.16.0.0/12 or 10.0.0.0/8, as most home networks and most coffee shops are in 192.168.0.0/16 and most are in the same subnets within that block, and that precludes VPN routing.
    The Airport and Time Capsule devices are good home routers, but comparatively weak server routers. Budget for a replacement firewall, particularly as you start using features. You'll likely then repurpose the Airport or Time Capsules as access points (APs), or what Apple calls "bridging", when you replace them with a server-grade firewall. (Requirements here can differ, but can include a VPN server within the firewall, DMZ, RADIUS authentication, or port forwarding requirements past the (very limited) capabilities of the Airport and TC boxes...)

  • Redundant ACS Configuration - IP Address Allocation

    I have remote users that connect to the corporate network via vpn terminating on a VPN3k at the primary site. These users are authenticated and given IP addresses by Cisco Secure ACS. There is a backup site where the backup ACS is deployed. I would like for the remote users to be authenticated by the backup ACS when the primary is unavailable. Each ACS is configured with subnets that are advertised at its location. In other words, the IP address that are given to the remote users are from different ranges. Is it possible to configure the ACS to give the remote users an IP address from the range deployed at the primary site when they are connecting to the vpn3k located at the primary site but are being authenticated by the ACS from the backup site?

    Dylan,
    I recognized that I didn't really answer your question. You may have both ACS servers serve the same IP Address to the client regardless of which VPN Concentrator is active. The key element being the advertisement of the client's IP address back into the network. If you are running OSPF/RIP then you may have the VPN Concentrator advertise the client's IP address via OSPF (or RIP) back into the network.
    The ramification is the number of 32-bit mask routes that you may be injecting into your network.
    Cheers,
    Troy

  • Production order split for configurable products

    Hello
    Is it possible to convert an APO planned order for configurable product to a production order in ECC and then to split this order in ECC?
    What will be the visibility in APO regarding pegging, GATP...
    thanks in advance for your help
    regards
    patrice

    Hi,
    What strategy are you using?
    Strategy 25 is used for MTO configurable material.
    Regards,
    Vishal

  • Quickly open projects in tmux with split window configuration

    When I work on a coding project, I often have a window for it in tmux. The window is split horizontally into two panes. On the left there's vim, on the right there's just a shell for running commands. This is a bit tedious to set up every time I want to work on a project, so I created a little helper script for it.
    The first script is called tmuxide.
    #!/bin/sh
    dir=${1:-$PWD}
    name=${2:-$dir}
    session="$USER-ide"
    window="$session:$name"
    # Create a new session if there isn't one
    tmux has-session -t "$session" 2> /dev/null || tmux new-session -d -s "$session"
    # Select the project's window if it exists, else create it:
    # vim on the left, a shell pane (45% wide) on the right, both in the project dir
    tmux select-window -t "$window" 2> /dev/null || {
        tmux new-window -c "$dir" -t "$session" -n "$name" 'vim .'
        tmux setw -t "$window" allow-rename off > /dev/null
        tmux split-window -t "$window" -d -c "$dir" -h -p 45
    }
    # Attach to the IDE session (detaching any other client first)
    tmux -2 attach -d -t "$session"
    The project directory and name are given as parameters. This looks for a session called $USER-ide and creates it if it's not found. Then, it tries to select the window with the project name. If it doesn't find it, a new window with the previously described split configuration is opened. Last, it attaches to the IDE session. So I can open a project view for instance in my dotfiles folder: `tmuxide $HOME/.dotfiles dotfiles`, where the second "dotfiles" is the name given to the project window.
    To complement this, I created a convenience script called project. It's inspired by a feature called "Project Quick Open" found in some text editors.
    #!/bin/bash
    # bash rather than sh: read -e/-p are bash extensions
    root=${PROJECT_ROOT:-"$HOME/projects"}
    prj=$1
    # No project given: list the folders under $root and prompt for one
    [ -z "$prj" ] && {
        ls -d "$root"/*/ | awk -F'/' '{print $(NF-1)}' | column
        printf "\n"
        read -e -p "Open project: " prj
    }
    dir="$root/$prj"
    [ ! -d "$dir" ] && exit 0
    tmuxide "$dir" "$prj"
    This looks for the environment variable $PROJECT_ROOT. I can now supply the name of any folder under $PROJECT_ROOT: e.g. if I now run `project metaballs`, it looks for the folder $PROJECT_ROOT/metaballs and opens a tmuxide window in that folder with the name "metaballs". If no project name is given as a parameter, the script shows a directory listing and prompts the user for a project.
    The scripts become especially powerful when bound to a hotkey. For example, I'm binding the project script with sxhkd in my bspwm environment like this:
    super + shift + p
    bspc rule -a URxvt -o desktop=code && urxvtc -e project
    Now the powerful environment is just a keypress away.
    I'm sure you all have your own workflows with vim, tmux etc. This is mine, and I just thought I'd share it in case someone finds it useful. Especially, the detection of existing windows and directing the commands to the right session in the tmuxide script was somewhat non-trivial (well, for me at least).
    I'll appreciate any thoughts and ideas for improvement.
    Edit: more descriptive title.
    Last edited by flannelhead (2015-01-29 21:04:35)

    You might try a third-party utility such as Witch to create window sets that can be configured and restored. Look for it and others at VersionTracker or MacUpdate.

  • How to enable ACS configuration audit

    Dear Expert,
    I'm a newbie in ACS and I would like to know how to enable the "Configuration Audit" for someone logging in to my network devices using their ACS login, so I can monitor what they did on it.
    Appreciate it if you could give me simple steps .. thank you
    ACS Version : 5.2.0.26
    regards

    This is a known defect.
    CSCtn25508    Administrative and Operational Audit logs become unable to be recorded.
    Symptom:
       Administrative and Operational Audit logs suddenly become unable to be recorded.
       The log can be configured at ACS5 GUI -> System Administration -> Configuration -> Log Configuration -> Logging Categories -> Global.
    Conditions:
      unknown.
    Workaround:
      none
    This defect has been addressed in ACS 5.2 patch 7 and above.
    Jatin Katyal
    - Do rate helpful posts -

  • ACS configuration/database consolidation

    Hello,
    I have two ACS servers.
    One is version 2.4 and the other is version 3.0.2.
    My wish is to install a third server with ACS 4.0 that will replace the other two.
    I planned the following steps:
    1- upgrade versions 2.4 (srv1) and 3.0.2 (srv2) for 3.0.4;
    2- Export using CSUtil tool the configuration data from both servers;
    3- Manually consolidate all the data;
    4- Install new server with version 3.0.4;
    5- Import using CSUtil the consolidated data to the new server;
    6- Upgrade the new server to version 4.0 following recommended upgrade path.
    Any comments on these steps?
    Is there any special mechanism/tool to consolidate configuration from two distinct ACS servers?
    Thanks in advance.
    Regards,
    Ricardo

    Ricardo,
    We cannot export devices with csutil. What we can do is search for devices on GUI and download a csv file of the search result.
    Dbsync does not sync database between ACS Servers. Dbsync uses a csv file to add devices/users in bulk. So if we can create a csv file of users and devices we can import them into ACS. More about dbsync at :-
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sad.htm#wp756877
    Regards,
    Vivek

  • ACS Configuration

    Dear All,
    I'm trying to install an ACS Solution Engine in my network for access control (AAA). I succeeded in setting up authentication using the internal database and that works. Now my boss wants users to be authenticated through an external database (Windows AD). I tried achieving this but kept getting different errors (like "EAP-TLS or PEAP authentication failed during SSL handshake" or "Authen session timed out: Challenge not provided by client").
    Please, I need someone who has done this before to give me a step by step procedure on how I can set up ACS SE for Windows authentication.
    Thanks

    Hello mate,
    first you have to configure an external identity store pointing to your Active Directory
    then you need an access policy for your wireless service with
         an Identity Policy where you define the identity result as your Active Directory store
         a Network Access Authorization Policy where you define a rule with a compound condition, where you set the dictionary (AD-AD1) to match any Active Directory users.
    regards
    Alex

  • Off-line ACS Configuration

    I need to apply a basic configuration to an ACS appliance (5.2) then ship it off to another location to be installed. The initial installation script calls for you to configure the IP address, DNS, etc., then pings the gateway and DNS before rebooting. If these pings fail will the installation fail?
    In other words do I either need to be in the correct network or dummy it up with pingable addresses for the installation to continue properly?
    Thanks

    Thanks, I do not have physical access to the ACS after it gets moved off-site. So perhaps the best solution is to configure it with valid addresses for the location where I am performing the initial configuration - then it can do the pings and complete the installation.
    Once the ACS reboots I can go into the CLI over the serial connection and change the IP address and default gateway (and DNS if needed).  When that is complete I can power off and ship out.  Sounds reasonable?
    Thanks ...

  • ACS configuration for NAC authentication

    Hello,
    I've been trying to configure my ACS server to allow user authentication via the Cisco NAM, but it does not seem to work any time I try to log in with my configured username/password on the ACS server.
    I need someone to guide me through how to get this resolved.
    Regards,

    I am assuming you are having the NAM authenticate NAC Agent login requests against ACS.
    This can be done via RADIUS or LDAP.
    Check out the Cisco NAC Chalk Talks, particularly 'Configuring Authentication, Roles, and SSO'
    Chalk Talk Series
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

  • Split Delivery Configuration

    Hi SD Gurus,
    Please help me out in configuration of split delivery. Here sold to party is A and ship to party is B,C,D.
    When trying to raise an order, I'm able to select any one of the ship to party but not the remaining. I require to select all the remaining ship to parties and split the delivery between them. Reward points are awaiting.

    Hi,
    when you enter VA01 and give the SP no. then you get a pop-up screen for SH ... so you select one ... it is for the header you have selected...
    Now enter items and for each line item you can go to the item partners screen .. double click on items to reach the item screen, ... there you can see the SH which you selected in the header so you can change it here
    you can have a different SH for each line item in the item partner functions screen
    For the header you have only one
    Hope I drove the point
    Reward points if useful
    Krishna

  • How we can do SWAP VIP with multiple ACS configuration?

    Hi,
    We are using Azure ACS in our application, Also we have used customized ACS page as login form. now whenever we are deploying it to staging, settings available in customized ACS page works fine. but when we switch it to production then web config and login page settings are not changing. How we can change it or is there any other to implement ACS?
    Thanks & Regards
    Sachin Jain

    After implementing the approach defined in
    http://www.cloudidentity.com/blog/2011/05/31/EDIT-AND-APPLY-NEW-WIF-S-CONFIG-SETTINGS-IN-YOUR-WINDOWS-AZURE-WEBROLE-WITHOUT-REDEPLOYING/, I was unable to modify the web config. Maybe I missed some part or Azure is not allowing it. So I modified it a little bit and it worked with the following steps:
    Step1) Here I am assuming that you have created a staging environment in the Azure portal and also you have configured it in Azure ACS. I have used the Azure ACS customized Login page and ASP.NET MVC forms authentication. First we will modify our code to read the settings from the service configuration file and we will add the Staging GUID URL and actual production URL into web config, under the Audience URI section. Finally it will be uploaded to the Azure portal into the staging environment. In the Azure management portal, we will change the login URL settings from the configuration tab then save it. Finally we will SWAP both the environments. While browsing the application during the VIP swap you might get a Cryptographic exception which you also need to handle.
    Step2) Whenever you download the customized login page from ACS portal then you will find script tag as shown below:
    <script src="https://xxxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2f127.0.0.1%3a81%2f&amp;reply_to=http%3a%2f%2f127.0.0.1%3a81%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" type="text/javascript"></script>
    Step3) Now replace the above code with the following code snippet and here we are trying to pick the login url from service configuration file:
    <script src="@ViewBag.LoginURL" type="text/javascript"></script>
    Step4) Now go to your controller and try to read the login url settings from service configuration file as shown below:
    // Setting name must match the one declared in the service definition ("LoginUrl")
    ViewBag.LoginURL = RoleEnvironment.GetConfigurationSettingValue("LoginUrl");
    Step5) Now open the service definition file and add setting for LoginUrl under configurationSettings tag as shown below:
    <ConfigurationSettings>
    <Setting name="LoginUrl" />
    </ConfigurationSettings>
    Step6) Open the Service configuration file and add the value for login url as shown below:
    <ConfigurationSettings>
    <Setting name="LoginUrl" value="https://xxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2fStaginGUID.cloudapp.net%3a81%2f&amp;reply_to=http%3a%2f%2fStaginGUID.cloudapp.net%3a81%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" />
    </ConfigurationSettings>
    Step7) you can get Login Url value from Azure ACS Integration tab which provides the above url. While copying the URL replace & with "&amp;" otherwise you will get build error.
    Step8) Now add the staging Guid Url and actual production url in web config file under <AudienceURI> section as shown below:
    <audienceUris>
    <add value="http://Production.cloudapp.net/" />
    <add value="http://StagingGUID.cloudapp.net/" />
    </audienceUris>
    Step9) Publish the application to staging environment and test it. After testing go to configuration tab in azure portal and change the login url with the production URL. (Do not modify the URL or do not change & with &amp;)
    <script src="https://xxxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2fProduction.cloudapp.net%2f&amp;reply_to=http%3a%2f%2fProduction.cloudapp.net%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" type="text/javascript"></script>
    Step10) Save the changes and Swap the environment. Now if you get cryptographic exception then you should handle it.
    • Either change the machine key and explicitly define it into web config.
    • Catch the exception and logout the user from application and not from windows live id, so that user can be forced to work on new version of application by using following code in Global.asax file:
    // At the top of Global.asax.cs:
    using System.Security.Cryptography;
    using Microsoft.IdentityModel.Web;   // WIF 3.5/4.0; System.IdentityModel.Services on .NET 4.5

    protected void Application_Error(object sender, EventArgs e)
    {
        var error = Server.GetLastError();
        var cryptoEx = error as CryptographicException;
        if (cryptoEx != null)
        {
            // Sign the user out of this application only (not Windows Live ID),
            // so they are forced through the new version's login flow
            FederatedAuthentication.WSFederationAuthenticationModule.SignOut();
            Server.ClearError();
        }
    }

  • ACS Configuration Web Services: query problem

    I don't know if this is the correct place to ask, I couldn't find a specific ACS category.
    I am trying to do a query, according to chapter 4 in the ACS 5.3 Secure Access Control System 5.3
    My URL is:
    https://myurl/Rest/Identity/IdentityGroup/op/query
    doing a PUT request
    have a header of Content-Type: application/xml
    and my payload is:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns2:query xmlns:ns2="query.rest.mgmt.acs.nm.cisco.com">
        <criteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:SimpleFilter">
            <simpleFilter>
                <propertyName>identityGroup</propertyName>
                <operation>EQUALS</operation>
                <value>AllGroups:Migrated_Group:NetworkEngineer</value>
            </simpleFilter>
        </criteria>
        <numberofItemsInPage>100</numberofItemsInPage>
        <startPageNumber>1</startPageNumber>
    </ns2:query>
    I get back:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:restResult xmlns:ns2="common.rest.mgmt.acs.nm.cisco.com"><errorCode>61000</errorCode><httpCode>400</httpCode><moreErrInfo>XML Parsing Error:  Unable to create an instance of com.cisco.nm.acs.mgmt.rest.query.AbstractFilter. </moreErrInfo><operationType>NOT_AVAILABLE</operationType><resourceType>NOT_AVAILABLE</resourceType><status>BAD_REQUEST</status></ns2:restResult>
    and a 400 Bad Request.
    Can you tell me what I am doing wrong?
    All I want to do is get a list of users who belong to that group?
    Jerry

    I learned that a simple filter does not need the ... bracketing, so this would work:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns2:query xmlns:ns2="query.rest.mgmt.acs.nm.cisco.com">
        <criteria xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:SimpleFilter">
            <propertyName>identityGroup</propertyName>
            <operation>EQUALS</operation>
            <value>AllGroups:Migrated_Group:NetworkEngineer</value>
        </criteria>
        <numberofItemsInPage>100</numberofItemsInPage>
        <startPageNumber>1</startPageNumber>
    </ns2:query>
    - See more at: https://supportforums.cisco.com/message/3863518

  • Split Valuation configuration

    Hello
    My client is getting coal from a vendor. The coal is of different grades and is received at a single plant. The client wants split valuation to be implemented in this case. As this is the same vendor supplying different qualities of coal for the same plant, we can't maintain different conditions with different valuation types.
    Can someone tell me how we can handle this case?
    Regards
    mohammed

    Mohammed,
    I don't think there is any standard solution to your problem. If you are using info records, then it is not possible to maintain your info record (and pricing conditions within it) based on the valuation type of the material since SAP does not support this. That is to say that for a particular material,vendor,purchasing org, plant, info category combination you can maintain only ONE info record. So, the alternative for the user would be to maintain the valuation type and the conditions manually in your POs.
    The other solution that I can think would be on the following lines -
    - You will need to create a new condition table and extend the field catalog to include the <i>valuation type</i> field (BWTAR). For instance, the fields in the condition table can be material, vendor, purchasing org, plant, info category and valuation type.
    - You will need to create new access sequences (including the new condition table) and assign them to your relevant condition types.
    - You will need to include the condition types in your pricing procedure.
    - Finally, you will need to maintain your condition records for your condition types.
    I have only suggested a general approach. You will need to work with someone who understands pricing fairly well to be able to get this to work as desired based on all your specific requirements.
    If the volume of materials is low, then you may want to look into the option of maintaining separate material numbers for the different grades of coal and avoid split valuation altogether although I don't prefer to go this route.
    Hope this helps.
    H Narayan
