Solved

CiscoACS stops after shutting down Domain Controller.

Posted on 2011-03-09
Last Modified: 2012-05-11
I have a server running CiscoACS 4.2 on Windows 2003. I have 5 domain controllers. I have been working to upgrade our domain functional level and I finally got to the point where I wanted to shut down my last win2k domain controllers. I have 4 domain controllers at the main site: (2) win2k8R2 and (2) win2k. I shut down the 2 win2k servers today and all of a sudden Cisco ACS stopped working. I use ACS to authenticate using TACACS+ on my Cisco ASA and for my VPN clients to authenticate to the Windows domain. I know my domain is fine; I can log in and authenticate with Windows clients after the 2 win2k servers are shut down. The really weird thing is that I can authenticate 1 time after the CSAuth service is restarted and then all attempts fail afterwards. I go ahead and turn one of the win2k DCs back on and authentication works again!

I am not using LDAP within the CiscoACS server. I am using a "windows database". I'm assuming it's just trying to find "Domain.COM", not just this domain controller by name?

Right now my domain is in Windows 2000 functional level. I was told others have installed this within a domain that is at a win2k8 functional level, so I'm assuming it's not a win2k8 ADS issue? Any help would be appreciated!!
0
Question by:jbla9028
10 Comments
 
LVL 1

Author Comment

by:jbla9028
ID: 35087095
Sorry, I forgot to mention that I have a 2nd site with 2 domain controllers there. I actually have (6) domain controllers:
Site A (site where CiscoACS is installed) 4 - (2) win2k + 2 (win2k8R2)
Site B 2 - (2) Win2k3

0
 
LVL 3

Expert Comment

by:VespaMaru
ID: 35087779
Were your primary and secondary ACS Remote Agents on those domain controllers? It could be that.

Under Network Configuration -> ACS_AGENTS network device group, make sure you have the new domain controllers listed. Even though you can put more than 2 DCs in, it seems that ACS will only connect to a primary and a secondary. You can set this by going to:

External User Databases -> Database Configuration -> Windows Database -> Configure -> Windows Remote Agent Selection.

BIG WARNING -> This WILL reset your Windows Authentication Settings. When I did it, I basically had to set up ACS/Windows database mappings all over again, so make sure you took screenshots, backups, etc.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35087804
Under Network Configuration I do not have the option for ACS_AGENTS. I think I might have a version that's incompatible with Windows 2008. I am running Cisco ACS 4.2(0). I found there's a patch for Windows 2008 that I might need. Unfortunately I'm just running the trial software right now and it won't allow me to patch the trial.
0

 
LVL 3

Accepted Solution

by:
VespaMaru earned 1600 total points
ID: 35087918
I think the Remote Agents are for the ACS Solution Engine and not for ACS for Windows. Sorry about that. Yes, 4.2.1 is the version compatible with Windows 2008 Domain Controllers.
0
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 400 total points
ID: 35092908
ACS is supported on Windows Server 2008...

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Release_Notes/acs421_rn.html

I'm pretty sure you'd need to reinstall ACS, especially if you've raised your domain functional level.
Also, turn off IPv6 on your domain controllers.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35098335
I'm running ACS 4.2(0), not ACS 4.2.1. From this Cisco FAQ, it's not supported on 4.2 without a patch, which I can't install without a license key. Anyone know if there's a trial version of a version higher than 4.2(0)?



http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_qanda_item09186a0080094bac.shtml

Q. Is ACS supported on Windows 2008 server platforms?

A. Yes. ACS is supported on Windows Server 2008, and is available from ACS 4.2 Patch 4 and later. Refer to the Windows and Active Directory 2008 Supported Scenarios section in Release Notes for Cisco Secure ACS 4.2 for more information.


0
 
LVL 1

Author Comment

by:jbla9028
ID: 35314480
Sorry I haven't posted. We purchased ACS and got the 4.2.1 to work without the Win 2000 DC. I'd like to award points for the solution.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35314693
If you post a comment, pressing OBJECT instead of SUBMIT, the question will be available again for closing yourself.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35315992


0
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 35316000
Upgrading to 4.2.1, I was able to get the ACS Server running! Thanks!
0


Question has a verified solution.
