Solved

CiscoACS stops after shutting down Domain Controller.

Posted on 2011-03-09
Medium Priority
Last Modified: 2012-05-11
I have a server running CiscoACS 4.2 on Windows 2003. I have 5 domain controllers. I have been working to upgrade our domain functional level and I finally got to the point where I wanted to shut down my last Win2k domain controllers. I have 4 domain controllers at the main site: (2) Win2k8R2 and (2) Win2k. I shut down the 2 Win2k servers today and all of a sudden Cisco ACS stopped working. I use ACS to authenticate using TACACS+ on my Cisco ASA and for my VPN clients to authenticate to the Windows domain. I know my domain is fine; I can log in and authenticate with Windows clients after the 2 Win2k servers are shut down. The really weird thing is that I can authenticate 1 time after the CSAuth service is restarted and then all attempts fail afterwards. I go ahead and turn one of the Win2k DCs back on and authentication works again!

I am not using LDAP within the CiscoACS server. I am using a "Windows database". I'm assuming it's just trying to find "Domain.COM", not just this domain controller by name?

Right now my domain is in Windows 2000 functional level. I was told others have installed this within a domain that is at a Win2k8 functional level, so I'm assuming it's not a Win2k8 ADS issue? Any help would be appreciated!!
0
Question by:jbla9028
11 Comments
 
LVL 1

Author Comment

by:jbla9028
ID: 35087095
Sorry, I forgot to mention that I have a 2nd site with 2 domain controllers there. I actually have (6) domain controllers:
Site A (site where CiscoACS is installed): 4 - (2) Win2k + (2) Win2k8R2
Site B: 2 - (2) Win2k3

0
 
LVL 3

Expert Comment

by:VespaMaru
ID: 35087779
Were your primary and secondary ACS Remote Agents on those domain controllers? It could be that.

Under Network Configuration -> ACS_AGENTS network device group, make sure you have the new domain controllers listed. Even though you can put more than 2 DCs in, it seems that ACS will only connect to a primary and a secondary. You can set this by going to:

External User Databases -> Database Configuration -> Windows Database -> Configure -> Windows Remote Agent Selection.

BIG WARNING -> This WILL reset your Windows Authentication Settings.  When I did it, I basically had to set up ACS/Windows database mappings all over again, so make sure you took screen shots, backups etc.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35087804
Under Network Configuration I do not have the option for ACS_AGENTS. I think I might have a version that's incompatible with Windows 2008. I am running Cisco ACS 4.2(0). I found there's a patch for Windows 2008 that I might need. Unfortunately I'm just running the trial software right now and it won't allow me to patch the trial.
0
LVL 3

Accepted Solution

by:
VespaMaru earned 1600 total points
ID: 35087918
I think the Remote Agents are for the ACS Solution Engine and not for ACS for Windows. Sorry about that. Yes, 4.2.1 is the version compatible with Windows 2008 Domain Controllers.
0
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 400 total points
ID: 35092908
ACS is supported on Windows Server 2008...

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Release_Notes/acs421_rn.html

I'm pretty sure you'd need to reinstall ACS, especially if you've raised your domain functional level.
Also, turn off IPv6 on your domain controllers.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35098335
I'm running ACS 4.2(0), not ACS 4.2.1. From this Cisco FAQ, it's not supported on 4.2 without a patch, which I can't install without a license key. Anyone know if there's a trial version of a version higher than 4.2(0)?



http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_qanda_item09186a0080094bac.shtml

Q. Is ACS supported on Windows 2008 server platforms?

A. Yes. ACS is supported on Windows Server 2008, and is available from ACS 4.2 Patch 4 and later. Refer to the Windows and Active Directory 2008 Supported Scenarios section in Release Notes for Cisco Secure ACS 4.2 for more information.


0
 
LVL 1

Author Comment

by:jbla9028
ID: 35314480
Sorry I haven't posted. We purchased ACS and got the 4.2.1 to work without the Win 2000 DC. I'd like to award points for the solution.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35314693
If you post a comment, pressing OBJECT instead of SUBMIT, the question will be available again for closing yourself.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35315992


0
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 35316000
Upgrading to 4.2.1, I was able to get the ACS server running! Thanks!
0
