Cisco Secure ACS 3.1 and Windows 2000 Active directory

Discussion in 'Cisco' started by mikester, Nov 6, 2003.

  1. mikester

    mikester Guest

    Hey fellas,

    I'm setting up a new pair of ACS servers, both are Windows 2000 domain
    member servers. Both have Cisco Secure ACS 3.1 installed on them. Both
    are configured identically in regards to their user database, that is
    to say both are configured to use the Windows Active directory for
    unknown users and I have no users manually configured. That makes
    everyone an unknown user until they log in to one of the ACS servers.

    First off, it is my understanding that the ACS database replication is
    not adaptive, it doesn't import and export new entries into other
    servers via the replication process but rather is dumps or accepts an
    entire database wiping out whatever it may have known on it's own if
    it is on the receiving end. At the moment I have ACS1 configured to
    replicate to ACS2, which means ACS2 is slave to ACS1 and that any
    changes made to ACS2 would be wiped out when ACS1 replicated to it.
    Does that sound correct? I'm not sure I like it but I do want to make
    sure I'm understanding it correctly.

    Second...ACS2 is not authenticating users, ACS1 works great, but ACS2
    does not. I get the following error;

    11/06/2003 11:11:23 Authen failed <username> Default Group
    Unknown .. .. 0 <NASIP>

    It's verty strange and I need to double check each item but I believe
    they are configured correctly and the same (each server) to talk to
    the domain user database.

    Last, I understand there is an upgrade to 3.2? Is that any good?
    mikester, Nov 6, 2003
    1. Advertisements

  2. mikester

    mikester Guest

    Figured it out...missed a local security policy setting.

    mikester, Nov 7, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.