Solved

CiscoACS stops after shutting down Domain Controller.

Posted on 2011-03-09
11
1,423 Views
Last Modified: 2012-05-11
I have a server running CiscoACS 4.2 on windows 2003. I have 5 domain controllers. I have been working to upgrade our domain  functional level and I finally got to the point where I wanted to shutdown my last win2k domain controllers. I have 4 domain controllers at the main site (2) win2k8R2 and (2) Win2k. I shut down the 2 win2k servers today and all of a sudden Cisco ACS stopped working. I use ACS to authenticate using TACACS+ on my Cisco ASA and for my VPN clients to authenticate to the windows domain. I know my domain is fine, I can log in and authenticate with windows clients after the 2 win2k servers are shut down. The really weird thing is that I can authenticate 1 time after the CSAuth service is restarted and then all attempts fail afterwards. I go ahead and turn one of the win2k DCs back on and Authentication works again!

I am not using LDAP within the ciscoACS server. I am using a "windows database" I'm assuming it's just trying to find "Domain.COM" not just this domain controller by name?

right now my domain is in windows 2000 functional level. I was told others have installed this within a domain that is a win2k8 functional-level so I'm assuming it's not a win2k8 ADS issue? any help would be appreciated!!
0
Comment
Question by:jbla9028
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 1

Author Comment

by:jbla9028
ID: 35087095
Sorry I forgot to mention that I have a 2nd site with 2 domain controllers there. I actually have (6) domain controllers
Site A (site where CiscoACS is installed) 4 - (2) win2k + 2 (win2k8R2)
Site B 2 - (2) Win2k3

0
 
LVL 3

Expert Comment

by:VespaMaru
ID: 35087779
Were your primary and secondary ACS Remote Agents on those domain controllers? It could be that.

Under Network Configuration -> ACS_AGENTS network device group make sure you have the new domain controllers listed.  Even though you can put more than 2 DCc in, it seems that ACS will only connect to a primary and a secondary.  You can set this by going to:

External User Databases -> Database Configuration -> Windows Database -> Configure -> Windows Remote Agent Selection.

BIG WARNING -> This WILL reset your Windows Authentication Settings.  When I did it, I basically had to set up ACS/Windows database mappings all over again, so make sure you took screen shots, backups etc.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35087804
Under network configuration I do not have the option for ACS_AGENTS. I think I might have a version that's incompatible with windows 2008. I am running Cisco ACS 4.2(0) I found there's a patch for windows 2008 that I migth need. Unfortunately I'm just running the trial software right now and it won't allow me to patch the trial.
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 
LVL 3

Accepted Solution

by:
VespaMaru earned 400 total points
ID: 35087918
I think the Remote Agents are for the ACS Solution Engine and not for ACS for Windows.  Sorry about that.  Yes, 4.2.1 Is the version compatible with Windows 2008 Domain Controllers.
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 100 total points
ID: 35092908
ACS is supported on Windows Server 2008...

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Release_Notes/acs421_rn.html

I'm pretty sure you'd need to reinstall ACS, especially if you've raised your domain functional level.
Also, turn off IPv6 on your domain controllers.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35098335
I'm running ACS 4.2(0) not ACS 4.2.1. From this Cisco FAQ it's not supported on 4.2 without a patch which I can't install without a license key. Anyone know if there's a trial version of a version higher than 4.2(0) ?



http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_qanda_item09186a0080094bac.shtml

Q. Is ACS supported on Windows 2008 server platforms?

A. Yes. ACS is supported on Windows Server 2008, and is available from ACS 4.2 Patch 4 and later. Refer to the Windows and Active Directory 2008 Supported Scenarios section in Release Notes for Cisco Secure ACS 4.2 for more information.


0
 
LVL 1

Author Comment

by:jbla9028
ID: 35314480
sorry I haven't posted. We purchased ACS and got the 4.2.1 to work without the win 2000 DC. I'd like to award points for the solution
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 35314693
If you post a comment, pressing OBJECT instead of SUBMIT, the question will be available again for closing yourself.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 35315992

Open in new window

0
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 35316000
Upgrading to 4.2.1 I was able to get the ACS Server running! thanks!
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses
Course of the Month3 days, 13 hours left to enroll

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question