topic Re: Moving ACS to a new server in Network Access Control

Moving ACS to a new server

Scott Payne — Sun, 10 Mar 2019 21:49:16 GMT

I have been informed that I am to move the ACS 3.3 from one server to another. So I have some basic questions.

1) I am going to do a fresh install and then would like to copy the existing files to the new server.

2) If I can copy all of the files (I feel that I should be able to) what executables do I need to run in order to get ACS running? If the files are copied all of the settings should be in place, correct?

3) I do believe I only need to change onle line of config on the PIX. It is the only line of config I can find related to the IP of the ACS server. Here is the line: aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! time out 10

I am assuming that is the line that needs to be changed on the firewall?

I would like to make this cahnge as seamless as possible. I think I am on the right track but just want to make sure.

Thanks,

Scott

Re: Moving ACS to a new server

darpotter — Tue, 31 Oct 2006 15:22:02 GMT

Ok, the thing to do is to create an ACS Backup on the existing server.

Then restore the backup onto the new server.

There's one slight issue with this, in the registry there is always a host entry for the ACS server itself. After doing the restore, in the network config, you'll see an entry for the original ACS server - this one can be deleted.

Darran

Re: Moving ACS to a new server

Scott Payne — Tue, 31 Oct 2006 15:30:44 GMT

Let me make sure about this. So you are saying i DON'T need to do an install at all. Just do a backup/restore and copy those files to the new server? Or do I still need to do an install and then restore the backup to the new server? What do you think about that config change? I am correct about that, I do beleive. This sounds pretty easy.

I'll let you know.

Thanks.

Re: Moving ACS to a new server

darpotter — Mon, 06 Nov 2006 17:29:47 GMT

You definately need to do another install... otherwise you wont have anything onto which you can restore your config!

Re: Moving ACS to a new server

Scott Payne — Tue, 07 Nov 2006 14:18:14 GMT

darpotter,

Thanks for your help so far. I went ahead and setup the new ACS server. It was very easy and presented no problems at all. However, When I point the firewall to the new ACS server I get 403 errors. The users aren't authenticating. The ACS and PIX are communicationg properly. However authentication is not occuring. One thing I noticed on the new ACS server is that the failed authentication reoprts (or any reports)are being written to.

Have you run into that problem before? I believe if the informatio will write to the reports, the problem will be solved.

Re: Moving ACS to a new server

darpotter — Thu, 09 Nov 2006 14:34:24 GMT

whats in the failed attempts report?

Re: Moving ACS to a new server

Scott Payne — Fri, 10 Nov 2006 14:43:45 GMT

I am getting a Reason 413. I have pasted a portion of the config below. The new_TACACS+ is the server I am trying to point to. As you can see, the VPNGROUP is pointing to the new ACS but nothing authenticates. The logging still occurs in the old ACS. Should I just remove the old ACS config??

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host 192.168.169.21 $$TF_acs! timeout 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa-server new_TACACS+ protocol tacacs+

aaa-server new_TACACS+ max-failed-attempts 3

aaa-server new_TACACS+ deadtime 10

aaa-server new_TACACS+ (inside) host 192.168.172.11 $$TF_acs! timeout 10

aaa accounting match ACCOUNTING outside new_TACACS+

aaa accounting match ACCOUNTING inside new_TACACS+

vpngroup tfipsec address-pool ipsecpool

vpngroup tfipsec dns-server 192.168.172.11 192.168.169.20

vpngroup tfipsec default-domain travelfocus.com

vpngroup tfipsec split-tunnel vpn_in

vpngroup tfipsec idle-time 1800

vpngroup tfipsec authentication-server new_TACACS+

vpngroup tfipsec user-authentication

vpngroup tfipsec password ********

Re: Moving ACS to a new server

darpotter — Fri, 10 Nov 2006 22:13:38 GMT

What is in the authen failure code column of the failed attempts report in ACS?

Re: Moving ACS to a new server

Scott Payne — Sat, 11 Nov 2006 18:19:54 GMT

That is the problem. Nothing is being written to the logs. GRRRRR!!!! Cisco has informed me they have never seen this problem before.

Re: Moving ACS to a new server

darpotter — Sun, 12 Nov 2006 20:37:12 GMT

OK, try setting the service logging level to max.

After that try a test authentication, then look in the CSRadius & CSAuth service logs files for errors.

Errors have an "E" in the message type field.

There should be a clue there somewhere.