Cisco ACS 5.x User Guide
Chapter 17 Configuring System Operations
User Guide for Cisco Secure Access Control System 5.3, OL-24201-01

You can configure and deploy ACS instances so that one ACS instance becomes the primary instance and the other ACS instances can be registered to the primary as secondary instances. An ACS instance represents ACS software that runs on a network. An ACS deployment may consist of a single instance, or multiple instances deployed in a distributed manner, where all instances in a system are managed centrally. All instances in a system will have an identical configuration.

Use the Distributed System Management page to manage all the instances in a deployment. You can only manage instances from the primary instance. You can invoke the Deployment Operations page from any instance in the deployment, but it only controls the operations on the local server.

Note: You can register any primary instance or any secondary instance to another primary instance; however, the primary instance you wish to register cannot have any secondary instances registered to it.

The primary instance, created as part of the installation process, centralizes the configuration of the registered secondary instances. Configuration changes made in the primary instance are automatically replicated to the secondary instance. You can force a full replication to the secondary instance if configuration changes do not replicate to the secondary instance.
This chapter contains:
Understanding Distributed Deployment, page 17-2
Scheduled Backups, page 17-6
Synchronizing Primary and Secondary Instances After Backup and Restore, page 17-8
Editing Instances, page 17-8
Activating a Secondary Instance, page 17-13
Registering a Secondary Instance to a Primary Instance, page 17-13
Deregistering Secondary Instances from the Distributed System Management Page, page 17-16
Deregistering a Secondary Instance from the Deployment Operations Page, page 17-16
Changing the IP address of a Primary Instance from the Primary Server, page 17-20
Failover, page 17-21
Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
Replicating a Secondary Instance from a Primary Instance, page 17-18
Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22
Understanding Distributed Deployment

You can configure multiple ACS servers in a deployment. Within any deployment, you designate one server as the primary server and all the other servers are secondary servers. In general, you make configuration changes on the primary server only, and the changes are propagated to all secondary servers, which can then view the configuration data as read-only data. A small number of configuration changes can be performed on a secondary server, including configuration of the server certificate, and these changes remain local to the server.

There is no communication between the secondary servers. Communication happens only between the primary server and the secondary servers. The secondary servers do not know the status of the other secondaries in their deployment.

ACS allows you to deploy an ACS instance behind a firewall. Table 17-1 lists the ports that must be open on the firewall for you to access ACS through the various management interfaces.

Note: You cannot use Network Address Translation (NAT) between the nodes in a distributed deployment.

The Distributed System Management page can be used to monitor the status of the servers in a deployment and perform operations on the servers.

Table 17-1 Ports to Open in Firewalls

Service                           Port
ACS Web Interface/Web Service     443
Database replication              TCP 2638
RADIUS server                     1812 and 1645 (RADIUS authentication and authorization)
                                  1813 and 1646 (RADIUS accounting)
                                  If your RADIUS server uses port 1812, ensure that your PIX firewall software is version 6.0 or later. Then, run the following command to use port 1812: aaa-server radius-authport 1812
Replication over the Message Bus  TCP 61616
RMI                               TCP 2020 (for RMI registry service)
                                  TCP 2030 (for incoming calls)
SNMP (for requests)               UDP 161
SNMP (for notifications)          UDP 162
SSH                               22
TACACS+ server                    TCP 49
View Collector                    UDP 20514
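A pre-flight connectivity check for the TCP ports in Table 17-1, added here as an example and not part of the Cisco guide. The NODE_TO_NODE subset (which services a secondary must reach on the primary) is an assumption drawn from the table, and start_local_listener exists only so the check can be exercised offline.

```python
"""Pre-flight check for the TCP ports in Table 17-1 (added example, not Cisco code)."""
import socket
import sys
import threading

# TCP ports from Table 17-1, keyed by service. RADIUS (1812/1645, 1813/1646),
# SNMP (161/162) and the View Collector (20514) are UDP and cannot be probed
# with a TCP connect, so they are not listed here.
ACS_TCP_PORTS = {
    "web_interface": 443,     # ACS Web Interface/Web Service
    "db_replication": 2638,   # Sybase DB, full replication
    "message_bus": 61616,     # replication over the Message Bus
    "rmi_registry": 2020,     # RMI registry service
    "rmi_incoming": 2030,     # RMI incoming calls
    "ssh": 22,
    "tacacs_plus": 49,        # TACACS+ server (client-facing)
}

# Assumption: the services a secondary must reach on the primary to register
# and stay replicated. Adjust to your deployment; the guide only lists ports.
NODE_TO_NODE = ("web_interface", "db_replication", "message_bus",
                "rmi_registry", "rmi_incoming")


def check_tcp(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout) or unresolvable
        return False


def preflight(host, services=NODE_TO_NODE, ports=ACS_TCP_PORTS, timeout=2.0):
    """Probe each named service on host and return {service: reachable}."""
    return {svc: check_tcp(host, ports[svc], timeout) for svc in services}


def blocked_services(results):
    """Sorted names of services that did not answer (the firewall change list)."""
    return sorted(svc for svc, ok in results.items() if not ok)


def start_local_listener():
    """Open a throwaway TCP listener on 127.0.0.1 so the check can be run
    offline; returns (port, server_socket). Close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for svc, ok in preflight(target).items():
        print(f"{svc:15s} tcp/{ACS_TCP_PORTS[svc]:<6} {'open' if ok else 'BLOCKED'}")
```

Run it from the secondary with the primary's address as the argument before registering; anything reported BLOCKED is a firewall rule to open, not an ACS fault.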
Note: ACS 5.3 does not support large deployments with more than ten ACS instances (one primary and nine secondaries).

For more information on ACS server deployments, see: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_deploy.html

Related Topics
Activating Secondary Servers, page 17-3
Removing Secondary Servers, page 17-3
Promoting a Secondary Server, page 17-4
Understanding Local Mode, page 17-4
Understanding Full Replication, page 17-5
Specifying a Hardware Replacement, page 17-5

Activating Secondary Servers

To add a server to a deployment:

Step 1 From the secondary server, issue a request to register on the primary server by selecting the Deployment Operations option.
Step 2 Activate the secondary instance on the primary server.

You must activate the secondary instance on the primary instance in order for the secondary instance to receive configuration information; this provides a mechanism of admission control. However, there is an option to automatically activate newly added secondary instances, rather than performing a manual activation request.

Related Topics
Removing Secondary Servers, page 17-3
Promoting a Secondary Server, page 17-4
Understanding Local Mode, page 17-4
Understanding Full Replication, page 17-5
Specifying a Hardware Replacement, page 17-5

Removing Secondary Servers

To permanently remove a secondary server from a deployment, you must first deregister the secondary server and then delete it from the primary. You can make the request to deregister a server from either the secondary server to be deregistered or from the primary server.

Related Topics
Activating Secondary Servers, page 17-3
Understanding Distributed Deployment, page 17-2

Promoting a Secondary Server

There can be only one server functioning as the primary server. However, you can promote a secondary server so that it assumes the primary role for all servers in the deployment. The promotion operation is performed either on the secondary server that is to assume the primary role or on the primary server.

Note: When the primary server is down, do not simultaneously promote two secondary servers.

Related Topics
Activating Secondary Servers, page 17-3
Removing Secondary Servers, page 17-3
Understanding Local Mode, page 17-4
Understanding Full Replication, page 17-5

Understanding Local Mode

You can use the local mode option in the following cases:
If the primary server is unreachable from a secondary server (for example, there is a network disconnection) and a configuration change must be made to a secondary server, you can specify that the secondary server go into Local Mode.
If you want to perform some configuration changes on a trial basis that would apply to only one server and not impact all the servers in your deployment, you can specify that one of your secondary servers go into Local Mode.

In Local Mode, you can make changes to a single ACS instance through the local web interface, and the changes take effect on that instance only. The Configuration Audit Report available in the Monitoring & Report Viewer has an option to report only those configuration changes that were made in Local Mode. You can generate this report to record the changes that you made to the secondary server in Local Mode. For more information on reports and how to generate them from ACS, see Chapter 13, "Managing Reports".

When the connection to the primary server resumes, you can reconnect the disconnected secondary instance in Local Mode to the primary server. From the secondary instance in Local Mode, you specify the Admin username and password to reconnect to the primary instance. All configuration changes made while the secondary server was in Local Mode are lost.

Related Topics
Activating Secondary Servers, page 17-3
Understanding Full Replication, page 17-5
Understanding Full Replication

Under normal circumstances, each configuration change is propagated to all secondary instances. Unlike ACS 4.x, where full replication was performed, in ACS 5.3 only the specific changes are propagated. As configuration changes are performed, the administrator can monitor (on the Distributed System Management page) the status of the replication and the last replication ID to ensure the secondary server is up to date. If configuration changes are not being replicated as expected, the administrator can request a full replication to the server.

When you request full replication, the full set of configuration data is transferred to the secondary server to ensure the configuration data on the secondary server is resynchronized. The primary ACS transmits the compressed, encrypted copy of its database components to the secondary ACS.

Note: Replication on the Message Bus happens over TCP port 61616. Full replication happens over the Sybase DB TCP port 2638.

Related Topics
Activating Secondary Servers, page 17-3
Promoting a Secondary Server, page 17-4
Understanding Local Mode, page 17-4

Specifying a Hardware Replacement

You can perform a hardware replacement to allow new or existing ACS instance hardware to re-register to a primary server and take over an existing configuration already present in the primary server. This is useful when an ACS instance fails and needs physical replacement.

To perform the hardware replacement:

Step 1 From the web interface of the primary instance, you must mark the server to be replaced as deregistered.
Step 2 From the secondary server, register to the primary server. In addition to the standard admin credentials for connecting to the primary server (username/password), you must specify the replacement keyword used to identify the configuration in the primary server. The keyword is the hostname of the instance that is to be replaced.
Step 3 You must activate the secondary server on the primary, either automatically or by issuing a manual request.

Related Topics
Viewing and Editing a Primary Instance, page 17-8
Viewing and Editing a Secondary Instance, page 17-12
Activating a Secondary Instance, page 17-13
Registering a Secondary Instance to a Primary Instance, page 17-13
Deregistering Secondary Instances from the Distributed System Management Page, page 17-16
Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22

Scheduled Backups

You can schedule backups to be run at periodic intervals. You can schedule backups from the primary web interface or through the local CLI. The Scheduled Backups feature backs up ACS configuration data. You can back up data from an earlier version of ACS and restore it to a later version. Refer to the Installation and Setup Guide for Cisco Secure Access Control System 5.3 for more information on upgrading ACS to later versions.

Related Topic
Creating, Duplicating, and Editing Scheduled Backups, page 17-6

Creating, Duplicating, and Editing Scheduled Backups

You can create a scheduled backup only for the primary instance.

To create, duplicate, or edit a scheduled backup:

Step 1 Choose System Administration > Operations > Scheduled Backups. The Scheduled Backups page appears. Table 17-2 describes the fields listed in the Scheduled Backups page.

Table 17-2 Scheduled Backups Page

Option           Description
Backup Data      The filename created by the backup includes a time stamp and file type information appended to the prefix entered.
Filename Prefix  Enter a filename prefix to which ACS appends the backup time stamp. For example, if you enter ACSBackup as the filename prefix and the backup is run on June 05, 2009 at 20:37 hours, then ACS creates the backup file ACSBackup-090506-2037.tar.gpg.
                 Note: In the ACS web interface, you cannot configure UTF-8 characters for a backup filename or a repository name.
Repository       Click Select to open the Software Update and Backup Repositories dialog box, from which you can select the appropriate repository in which to store the backup file.
Schedule Options
Time of Day      Choose the time of day at which you want ACS to back up the ACS configuration data. Backups can be scheduled on a daily, weekly, or monthly basis.
                 Daily—Choose this option for ACS to back up the ACS configuration data at the specified time every day.
                 Weekly—Choose this option and specify the day of the week on which you want ACS to back up the ACS configuration data every week.
                 Monthly—Choose this option and specify the day of the month on which you want ACS to back up the ACS configuration data every month.
Step 2 Click Submit to schedule the backup.

Related Topic
Backing Up Primary and Secondary Instances, page 17-7

Backing Up Primary and Secondary Instances

ACS provides you the option to back up the primary and secondary instances at any time apart from the regular scheduled backups. For a primary instance, you can back up the following:
ACS configuration data only
ACS configuration data and ADE-OS configuration data

Note: For secondary instances, ACS only backs up the ADE-OS configuration data.

To run an immediate backup:

Step 1 Choose System Administration > Operations > Distributed System Management. The Distributed System Management page appears.
Step 2 From the Primary Instance table or the Secondary Instances table, select the instance that you want to back up. You can select only one primary instance, but many secondary instances for a backup.
Step 3 Click Backup. The Distributed System Management - Backup page appears with the fields described in Table 17-3.

Table 17-3 Distributed System Management - Backup Page

Option           Description
Backup Data      The filename created by the backup includes a time stamp and file type information appended to the prefix entered.
Filename Prefix  Enter a filename prefix to which ACS appends the backup time stamp. For example, if you enter ACSBackup as the filename prefix and the backup is run on June 05, 2009 at 20:37 hours, then ACS creates the backup file ACSBackup-090506-2037.tar.gpg.
                 Note: In the ACS web interface, you cannot configure UTF-8 characters for a backup filename or a repository name.
Repository       Click Select to open the Software Update and Backup Repositories dialog box, from which you can select the appropriate repository in which to store the backup file.
Backup Options (only applicable for primary instances)
ACS Configuration Backup             Click this option if you want to back up only the ACS configuration data.
ACS Configuration and ADE-OS Backup  Click this option if you want to back up both the ACS configuration data and the ADE-OS configuration data.
Step 4 Click Submit to run the backup immediately.

Related Topic
Scheduled Backups, page 17-6

Synchronizing Primary and Secondary Instances After Backup and Restore

When you specify that a system backup is restored on a primary instance, the secondary instance is not updated to the newly restored database that is present on the primary instance. To make sure the secondary instance is updated, from the secondary instance, you need to request a hardware replacement to rejoin the restored primary instance. To do this:

Step 1 Deregister the secondary instance from the primary instance.
Step 2 From the web interface of the secondary instance, choose System Administration > Operations > Local Operations > Deployment Operations, then click Deregister from Primary.
Step 3 Choose System Administration > Operations > Local Operations > Deployment Operations. This allows you to perform the hardware replacement of the secondary instance to the primary instance again.
Step 4 Specify the primary hostname or IP address and the admin credentials.
Step 5 Select Hardware Replacement and specify the hostname of the secondary instance.
Step 6 Click Register to Primary.

Editing Instances

When you choose System Administration > Operations > Distributed System Management, you can edit either the primary or secondary instance. You can take a backup of primary and secondary instances.

The Distributed System Management page allows you to do the following:
Viewing and Editing a Primary Instance, page 17-8
Viewing and Editing a Secondary Instance, page 17-12
Backing Up Primary and Secondary Instances, page 17-7
Synchronizing Primary and Secondary Instances After Backup and Restore, page 17-8

Viewing and Editing a Primary Instance

To edit a primary instance:

Step 1 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with two tables:
Primary Instance table—Shows the primary instance. The primary instance is created as part of the installation process.
Secondary Instances table—Shows a listing and the status of the secondary instances. See Viewing and Editing a Secondary Instance, page 17-12 for more information.

The Distributed System Management page displays the information described in Table 17-4:

Table 17-4 Distributed System Management Page

Option              Description
Primary Instance
Name                Hostname of the primary instance.
IP Address          IP address of the primary instance.
Online Status       Indicates if the primary instance is online or offline. A check mark indicates that the primary instance is online; x indicates that the primary instance is offline.
Replication ID      The transaction ID that identifies the last configuration change on the primary instance. This value increases by 1 for every configuration change. Valid values are 1 to infinity.
Last Update         Time stamp of the last database configuration change. The time stamp is in the form hh:mm dd:mm:yyyy.
Version             Current version of the ACS software running on the primary ACS instance. Valid values can be the version string or, if a software upgrade is initiated, Upgrade in progress.
Description         Description of the primary instance.
Edit                Select the primary instance and click this button to edit the primary instance.
Backup              Select the primary instance and click this button to back up the primary instance. See Backing Up Primary and Secondary Instances, page 17-7 for more information.
Secondary Instances
Name                Hostname of the secondary instance.
IP Address          IP address of the secondary instance.
Online Status       Indicates if the secondary instance is online or offline. A check mark indicates that the secondary instance is online; x indicates that the secondary instance is offline.
Replication Status  Replication status values are:
                    UPDATED—Replication is complete on the secondary instance. Both Management and Runtime services are current with configuration changes from the primary instance.
                    PENDING—Request for full replication has been initiated or the configuration changes made on the primary have not yet been propagated to the secondary.
                    REPLICATING—Replication from the primary to the secondary is processing.
                    LOCAL MODE—The secondary instance does not receive replication updates from the deployment and maintains its own local configuration.
                    DEREGISTERED—The secondary instance is deregistered from the primary instance and is not part of the deployment.
                    INACTIVE—The secondary instance is inactive. You must select this instance and click Activate to activate this instance.
                    N/A—No replication on primary instance.
Replication Time    Time stamp of the last replication. The time stamp is in the form hh:mm dd:mm:yyyy.
Version             Current version of the ACS software running on the secondary ACS instance. Valid values can be the version string or, if a software upgrade is initiated, Upgrade in progress.
Description         Description of the secondary instance.
Edit                Select the secondary instance that you want to edit and click this button to edit it.
Delete              Select the secondary instance that you want to delete and click this button to delete it.
Activate            If the option to auto-activate the newly registered secondary instance is disabled, the secondary is initially placed in the inactive state. Click Activate to activate these inactive secondary instances.
Deregister (1)      Disconnects the secondary instance from the primary instance. Stops the secondary instance from receiving configuration updates from the primary instance. Deregistration restarts the deregistered node. When full replication is in progress on an instance, do not attempt to deregister that instance. Wait until the full replication is complete and the secondary instance is restarted before you deregister the secondary instance.
Promote             Requests to promote a secondary instance to the primary instance. All updates to the current primary instance are stopped so that all replication updates can complete. The secondary instance gets primary control of the configuration when the replication updates complete. The secondary instance must be active before you can promote it to the primary instance.
Full Replication    Replicates the primary instance's database configuration for the secondary instance. ACS is restarted. When full replication is in progress on an instance, do not attempt to deregister that instance. Wait until the full replication is complete and the secondary instance is restarted before you deregister the secondary instance.
Backup              Select the secondary instance that you want to back up and click this button to take a backup. See Backing Up Primary and Secondary Instances, page 17-7 for more information.

1. Deregistration restarts the deregistered node, but does not restart ACS. Registration and Full Replication restart ACS because the database is replaced.

Step 2 From the Primary Instance table, click the primary instance that you want to modify, or check the Name check box and click Edit.
Step 3 Complete the fields in the Distributed System Management Properties page as described in Table 17-5:

Table 17-5 Distributed System Management Properties Page

Option                        Description
Instance Data
Hostname                      Name of the ACS host machine.
Launch Session for Local GUI  Click this button to launch a new instance of the selected ACS machine. You are required to log in to the primary or secondary instance. This option appears only when you view or edit another instance.
Role                          Specifies a primary or secondary instance or Local.
IP Address                    IP address of the primary or secondary instance.
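A replication health check over the fields of Table 17-4, serving both the Understanding Full Replication section (compare the last Replication ID to decide when to request Full Replication) and the Deregister caveat in the table. This is an added example, not Cisco's code; the primary and secondary rows are constructed sample data, not real instances.

```python
"""Replication health check over a Distributed System Management snapshot
(added example, not Cisco code; the instance rows below are constructed)."""

# Replication Status values from Table 17-4, grouped by what they mean for us.
OK_STATES = {"UPDATED"}
TRANSIENT = {"PENDING", "REPLICATING"}
# Not receiving updates: policy on such a node can diverge from the primary.
DETACHED = {"LOCAL MODE", "DEREGISTERED", "INACTIVE", "N/A"}

# Constructed sample rows mirroring Table 17-4 fields (not real instances).
PRIMARY = {"name": "acs-primary", "online": True, "replication_id": 1042}
SECONDARIES = [
    {"name": "acs-sec1", "online": True,  "status": "UPDATED",     "replication_id": 1042},
    {"name": "acs-sec2", "online": True,  "status": "PENDING",     "replication_id": 1040},
    {"name": "acs-sec3", "online": True,  "status": "LOCAL MODE",  "replication_id": 998},
    {"name": "acs-sec4", "online": False, "status": "UPDATED",     "replication_id": 1039},
    {"name": "acs-sec5", "online": True,  "status": "REPLICATING", "replication_id": 0},
]


def assess(primary, secondary, max_lag=0):
    """Findings for one secondary; an empty list means it is healthy."""
    findings = []
    if not secondary["online"]:
        findings.append("offline")
    status = secondary["status"]
    if status in DETACHED:
        findings.append(f"detached: {status}")
    elif status in TRANSIENT:
        findings.append(f"in progress: {status}")
    elif status not in OK_STATES:
        findings.append(f"unknown status: {status}")
    # The guide says to compare the last Replication ID to confirm the
    # secondary is current; a node reporting UPDATED but behind the primary
    # is the case where Full Replication should be requested.
    lag = primary["replication_id"] - secondary["replication_id"]
    if status in OK_STATES and lag > max_lag:
        findings.append(f"replication id lag {lag}")
    return findings


def report(primary, secondaries, max_lag=0):
    """Map each secondary name to its findings."""
    return {s["name"]: assess(primary, s, max_lag) for s in secondaries}


def needs_full_replication(primary, secondaries):
    """Secondaries to select for Full Replication: UPDATED yet behind the primary."""
    return [s["name"] for s in secondaries
            if s["status"] in OK_STATES
            and s["replication_id"] < primary["replication_id"]]


def safe_to_deregister(secondary):
    """Table 17-4 warns not to deregister while full replication is in progress."""
    return secondary["status"] != "REPLICATING"


if __name__ == "__main__":
    for name, findings in report(PRIMARY, SECONDARIES).items():
        print(f"{name:12s} {'ok' if not findings else '; '.join(findings)}")
```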