Cisco Secure ACS Database Replication

This section covers how to configure database replication on Cisco Secure ACS. Database replication enables an administrator to duplicate parts of the primary Cisco Secure ACS configuration to one or more secondary Cisco Secure ACS servers. You can then configure the NAC network access devices (NADs) to fall back to these secondary Cisco Secure ACS servers if the primary server is not reachable. When you configure database replication, you select which parts of the primary Cisco Secure ACS configuration are replicated. You can also create automatic replication schedules.

NOTE You can select the time and date for replication. The appropriate schedule depends on how often you change your Cisco Secure ACS policies and configuration. Cisco Secure ACS stops authentication services during replication. The replication process does not take long to complete; however, because authentication services are stopped while it runs, replication is typically scheduled after hours.

The following items cannot be replicated by Cisco Secure ACS:

• IP address pools

• Digital certificate and private key files

• Unknown user group mappings

• Dynamically mapped users

• Service management services (under the System Configuration section)

• RDBMS synchronization parameters

NOTE Cisco Secure ACS database replication will fail in a NAT environment. If a primary or secondary address is NATed, the database replication file will indicate a shared secret mismatch. NAT is bypassed in the branch, regional, and headquarters offices for their site-to-site VPN tunnels. Cisco Secure ACS database replication is done over TCP port 2000.

Complete the following steps to configure database replication on the Cisco Secure ACS server:

Step 1 Before you start configuring replication parameters, make sure that internal database replication and distributed system settings are enabled on the primary Cisco Secure ACS server and on each of the secondary servers. To enable replication capabilities on a Cisco Secure ACS server, go to Interface Configuration > Advanced Options. Make sure that the ACS Internal Database Replication and the Distributed System Settings check boxes are selected, as illustrated in Figure 15-7. Click Submit.

Step 2 Navigate to System Configuration and click ACS Internal Database Replication, as illustrated in Figure 15-8.

Figure 15-7 Enabling Database-Replication Capabilities


Figure 15-8 Configuring Internal Database Replication

[Figure 15-8 screenshot: the Cisco Secure ACS System Configuration page in the web interface, listing Service Control, Logging, Date Format Control, Local Password Management, ACS Internal Database Replication, RDBMS Synchronization, ACS Backup, ACS Service Management, IP Pools Address Recovery, VoIP Accounting Configuration, and ACS Certificate Setup.]

Step 3 Under Replication Components on the primary server (only), make sure that the following options are selected under the Send column, as illustrated in Figure 15-9.

— User and Group Database

— Distribution Table

— Interface Configuration

— Interface Security Settings

— Password Validation Settings

— EAP-FAST Master Keys and Policies

— Network Access Profiles

Figure 15-9 Selecting Replication Components


Network Admission Control

Step 4 Under each secondary server, make sure that the same replication components are selected under the Receive column.

Step 5 Configure the scheduling parameters as illustrated in Figure 15-10. In this example, automatic replication is scheduled for 12:00 a.m. (midnight) every day of the week. Select the times that best suit your deployment strategies and your security policies and procedures.

Figure 15-10 Scheduling Replication and Adding Replication Partners


Step 6 Move the secondary server(s) to the replication partners column, as illustrated in Figure 15-10. In this example, the server called NY_ACS_2 is added. If you do not see any of the secondary servers listed in the AAA Servers column, add your AAA servers under Network Configuration > AAA Servers.

Step 7 On the secondary Cisco Secure ACS servers (where replication is inbound), select the primary ACS server in the Accept Replication From pull-down menu.

Step 8 Select the replication timeout. The default value is 5 minutes and is appropriate in most environments.

Step 9 Click Submit. If you want to start replication immediately, click Replicate Now.
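Steps 3 through 8 spread the replication settings across the primary and every secondary, and the failure modes described above (a Receive column that does not mirror the primary's Send column, a partner missing from AAA Servers, a replication window that overlaps business hours while authentication is stopped, or TCP port 2000 blocked between partners) are easy to miss in the GUI. The following pre-flight checker is an added example, not Cisco's code or part of this chapter: it models the selections as plain Python data and reports inconsistencies before you click Submit. The server names other than NY_ACS_2, the business-hours window, and the TCP probe helper are assumptions for illustration.

```python
"""Pre-flight consistency check for a planned Cisco Secure ACS replication
topology. Added example (not Cisco's code): models the GUI selections from
Steps 3-8 as data and reports mismatches. Names other than NY_ACS_2, the
business-hours window and the TCP probe are assumptions for illustration."""
import socket
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

REPLICATION_PORT = 2000          # TCP port replication uses (from the chapter)
BUSINESS_HOURS = range(7, 19)    # assumed 07:00-18:59; replication stops auth

# Components the chapter says must be in the primary's Send column (Step 3)
REQUIRED_COMPONENTS = frozenset({
    "User and Group Database",
    "Distribution Table",
    "Interface Configuration",
    "Interface Security Settings",
    "Password Validation Settings",
    "EAP-FAST Master Keys and Policies",
    "Network Access Profiles",
})


@dataclass
class AcsServer:
    name: str
    address: str
    send: FrozenSet[str] = frozenset()       # Send column (primary, Step 3)
    receive: FrozenSet[str] = frozenset()    # Receive column (secondary, Step 4)
    accept_from: Optional[str] = None        # Accept Replication From (Step 7)
    partners: List[str] = field(default_factory=list)     # Replication partners (Step 6)
    aaa_servers: List[str] = field(default_factory=list)  # Network Configuration > AAA Servers
    schedule_hours: FrozenSet[int] = frozenset({0})       # hours of day replication runs (Step 5)
    timeout_minutes: int = 5                 # replication timeout, default 5 (Step 8)


def check_topology(primary: AcsServer, secondaries: List[AcsServer]) -> List[str]:
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    missing = REQUIRED_COMPONENTS - primary.send
    if missing:
        findings.append(f"{primary.name}: Send column is missing {sorted(missing)} (Step 3)")
    busy = sorted(h for h in primary.schedule_hours if h in BUSINESS_HOURS)
    if busy:
        findings.append(f"{primary.name}: replication scheduled during business hours {busy}; "
                        f"authentication stops while replication runs")
    for s in secondaries:
        if s.name not in primary.aaa_servers:
            findings.append(f"{primary.name}: {s.name} is not defined under AAA Servers (Step 6)")
        if s.name not in primary.partners:
            findings.append(f"{primary.name}: {s.name} is not a Replication Partner (Step 6)")
        if s.receive != primary.send:
            diff = sorted(primary.send ^ s.receive)
            findings.append(f"{s.name}: Receive column differs from primary Send on {diff} (Step 4)")
        if s.accept_from != primary.name:
            findings.append(f"{s.name}: Accept Replication From is {s.accept_from!r}, "
                            f"expected {primary.name!r} (Step 7)")
        if s.timeout_minutes <= 0:
            findings.append(f"{s.name}: replication timeout must be positive (Step 8)")
    return findings


def port_reachable(address: str, port: int = REPLICATION_PORT, timeout: float = 3.0) -> bool:
    """TCP connect probe to a replication partner; False on refusal or timeout.
    Run from the primary towards each secondary to confirm port 2000 is open."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def example_topology(secondary_receive: FrozenSet[str] = REQUIRED_COMPONENTS):
    """Constructed sample: primary NY_ACS_1 (assumed name) and secondary NY_ACS_2."""
    primary = AcsServer("NY_ACS_1", "192.0.2.10", send=REQUIRED_COMPONENTS,
                        partners=["NY_ACS_2"], aaa_servers=["NY_ACS_2"])
    secondary = AcsServer("NY_ACS_2", "192.0.2.11", receive=secondary_receive,
                          accept_from="NY_ACS_1")
    return primary, [secondary]


if __name__ == "__main__":
    p, secs = example_topology()
    for line in check_topology(p, secs) or ["topology consistent"]:
        print(line)
```

Running the module with the constructed topology prints "topology consistent"; removing one component from the secondary's Receive set yields a single Step 4 finding naming that component. The TCP probe is kept separate so the data checks run offline; call `port_reachable(secondary.address)` from the primary only when you want to confirm the path on port 2000 before scheduling.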
