Home > Cisco > Control System > Cisco Acs 5x User Guide

Cisco Acs 5x User Guide

Download as PDF Print this page Share this page

Have a look at the manual Cisco Acs 5x User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

486

487

488

489

490

491

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512

513

514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539

540

541

542

543

544

545

546

547

548

549

550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

577

578

579

580

581

582

583

584

585

586

587

588

589

590

591

592

593

594

595

596

597

598

599

600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650

View all the pages

Add page 501 to Favourites

image text

Enable zoom

17-11
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Editing Instances
Step 4Click Submit. Port Port for Management service.
MAC Address MAC address for the instance.
Description Description of the primary or secondary instance.
Check Secondary Every
(only applies for primary
instance)Rate at which the primary instance sends a heartbeat status request to the secondary instance. The
default value is 60 seconds. The minimum value is 30 seconds and the maximum value is 30
minutes.
Statistics Polling Period
(only applies for primary
instance)Rate at which the primary instance polls the secondary instance for statistical and logging
information. During each polling period, the primary server does not send any query to all the
secondary servers, but, all ACS servers send their health information to the log collector server.
The minimum value is 60 seconds and the maximum value is 30 minutes. However, you can
specify a value of 0 which indicates to turn off polling and logging. As a result, the log collector
server does not show any health status. The default value is 60 seconds.
Enable Auto Activation
for Newly Registered
Instances (only applies
for primary instance)Check this check box to automatically activate the registered secondary instance.
Instance Status
Status Indicates if the primary instance or secondary instance is online or offline.
Version The current version of the ACS software.
Replication Status (only
applies for secondary
instances)Replication status values are:
UPDATED—Replication is complete on ACS instance. Both management and runtime
services are current with configuration changes from the primary instance.
PENDING—Request for full replication has been initiated.
REPLICATING—Replication from the primary to the secondary is processing.
DEREGISTERED—Deregistered the secondary instance from the primary.
N/A—No replication on primary instance.
Last Update Time (only
applies for primary
instance)Time stamp of the last database configuration change. The time stamp is in the form hh:mm
dd:mm:yyyy.
Last Replication Time
(only applies for
secondary instances)Time stamp of the last replication. The time stamp is in the form hh:mm dd:mm:yyyy.
Last Replication ID (only
applies for primary
instance)Transaction ID that identifies the last configuration change on the secondary instances. This value
increases by 1 for every configuration change. Valid values are 1 to infinity.
Primary Replication ID
(only applies for
secondary instances)Transaction ID that identifies the last configuration change on the primary instance. This value
increases by 1 for every configuration change. Valid values are 1 to infinity.
Table 17-5 Distributed System Management Properties Page (continued)
Option Description

Add page 502 to Favourites

image text

Enable zoom

17-12
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Editing Instances
The Primary Instance table on the Distributed System Management page appears with the edited primary
instance.
Related Topics
Replicating a Secondary Instance from a Primary Instance, page 17-18
Viewing and Editing a Secondary Instance, page 17-12
Viewing and Editing a Secondary Instance
To edit a secondary instance:
Step 1Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with two tables:
Primary Instance table—Shows the primary instance.
Secondary Instances table—Shows a listing and the status of the secondary instances registered to
the primary instance.
See Ta b l e 1 7 - 4 to view column definitions.
Step 2From the Secondary Instances table, click the secondary instances that you want to modify; or, check the
check box for the Name and click Edit.
Step 3Complete the fields in the Distributed System Management Properties page as described inTable 17-5.
Step 4Click Submit.
The Secondary Instances table on the Distributed System Management page appears with the edited
secondary instance.
Related Topics
Editing Instances, page 17-8
Viewing and Editing a Primary Instance, page 17-8
Deleting a Secondary Instance
To delete a secondary instance:
Step 1Choose System Administration > Operations > Distributed System Management.
The Secondary Instances table on the Distributed System Management page appears with a list of
secondary instances.
Step 2Deregister the secondary instance you wish to delete. Refer to Deregistering Secondary Instances from
the Distributed System Management Page, page 17-16.
Step 3Check one or more check boxes next to the secondary instances that you want to delete.
Step 4Click Delete.

Add page 503 to Favourites

image text

Enable zoom

17-13
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Activating a Secondary Instance
The following warning message appears:
Are you sure you want to delete the selected item/items?
Step 5Click OK.
The Secondary Instances table on the Distributed System Management page appears without the deleted
secondary instances.
Activating a Secondary Instance
To activate a secondary instance:
Step 1Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with two tables:
Primary Instance table—Shows the primary instance.
Secondary Instances table—Shows a listing and the status of the secondary instances registered to
the primary instance.
See the Table 17-4 to view column descriptions.
Step 2From the Secondary Instances table, check the check box next to the secondary instances that you want
to activate.
Step 3Click Activate.
Step 4The Secondary Instances table on the Distributed System Management page appears with the activated
secondary instance. See the Table 17-5 for valid field options.
Related Topics
Viewing and Editing a Secondary Instance, page 17-12
Deleting a Secondary Instance, page 17-12
Replicating a Secondary Instance from a Primary Instance, page 17-18
Registering a Secondary Instance to a Primary Instance, page 17-13
Deregistering a Secondary Instance from the Deployment Operations Page, page 17-16
Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22
Registering a Secondary Instance to a Primary Instance
To register a secondary instance to a primary instance:
Step 1Log into the machine that will be used as a secondary Instance for another ACS server.
Step 2Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears, displaying the information described in Table 17-6:

Add page 504 to Favourites

image text

Enable zoom

17-14
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Registering a Secondary Instance to a Primary Instance
.Table 17-6 System Operations: Deployment Operations Page
Option Description
Instance Status
Current Status Identifies the instance of the node you log into as primary or secondary, and identifies whether
you are running in local mode.
Primary Instance Hostname of the primary instance.
Primary IP IP address of the primary instance.
Registration (only active for an instance not running in Local Mode)
Primary Instance Hostname of the primary server that you wish to register with the secondary instance.
Admin Username Username of an administrator account.
Admin Password Password for the administrator’s account.
Hardware Replacement Check to enable a new or existing ACS instance hardware to re-register to a primary instance and
acquire the existing configuration already present in the primary instance. This is useful when an
instance fails and needs physical replacement.
Recovery Keyword Name of the instance that is to be replaced. This value is the hostname of the system that is being
replaced. After you submit this information, this instance connects to the primary instance.
The primary instance finds the associated ACS instance records based on the keyword, and marks
each record as registered.
Register to Primary Connects to the remote primary and registers the secondary instance to the primary instance.
Backup
Backup Backs up the current instance.
Local Mode
Admin Username Username of an administrator account.
Admin Password Password for the administrators account.
Reconnect
This option appears only
on the local mode node
and prompts you for
credentials.Click Reconnect to reconnect to the primary instance.
Once you reconnect to the primary instance, you lose the configuration changes that you have
made to the local secondary instance.
If you want to retain the configuration changes that you have made to the local secondary
instance, you must:
1.Deregister the local secondary instance (this instance would become your new primary)
2.Deregister all the instances from the deployment.
3.Register all the instances to the new primary, whose configuration changes you want to retain.
Request Local Mode
This option appears only
on a registered secondary
page.Request to place the secondary instance in local mode. This enables administrators to make
configuration changes only to this instance. Any changes made to the secondary instance are not
automatically updated when you reconnect to the primary instance. You must manually enter your
changes for the secondary instance.

Add page 505 to Favourites

image text

Enable zoom

17-15
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Registering a Secondary Instance to a Primary Instance
Step 3Specify the appropriate values in the Registration Section.
Step 4Click Register to Primary.
The following warning message is displayed.
This operation will register this ACS Instance as a secondary to the specified Primary
Instance. ACS will be restarted. You will be required to login again. Do you wish to
continue?
Step 5Click OK.
The Secondary Instance is restarted automatically.
The credentials and the configurations that you create on the primary instance are applied to the
secondary instance.
Step 6Register another ACS machine as secondary to the same deployment after the first secondary instance is
up and running, successfully. Follow the same procedure to register all the secondary machines on the
deployment.
NoteMemory utilization of 90% is considered normal in the secondary instance if the log collector is running
and the server is under heavy load. If Memory utilization increases beyond 90% and keeps increasing,
it may be abnormal and needs to be analyzed.
Deregistration
Deregister from Primary Deregisters the secondary from the primary instance. The secondary instance retains the database
configuration from when it was deregistered. All nodes are marked as deregistered and inactive,
and the secondary instance becomes the primary instance.
When full replication is in progress on an instance, do not attempt to deregister that instance. Wait
until the full replication is complete and the secondary instance is restarted before you deregister
the secondary instance.
Promotion
Promote to Primary Request to promote a secondary instance to primary instance. All updates to the current primary
instance are stopped so that all replication updates can complete. The secondary instance gets
primary control of the configuration when the replication updates complete.
Replication
Force Full Replication Replicates the primary instance’s database configuration for the secondary instance.
When full replication is in progress on an instance, do not attempt to deregister that instance. Wait
until the full replication is complete and the secondary instance is restarted before you deregister
the secondary instance.
Table 17-6 System Operations: Deployment Operations Page (continued)
Option Description

Add page 506 to Favourites

image text

Enable zoom

17-16
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Deregistering Secondary Instances from the Distributed System Management Page
Deregistering Secondary Instances from the Distributed System
Management Page
To deregister secondary instances from the Distributed System Management page:
Step 1Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
Step 2From the Secondary Instances table, check one of check boxes next to the secondary instances that you
want to deregister.
Step 3Click Deregister.
The system displays the following warning message:
This operation will deregister this server as a secondary with the primary server. ACS
will be restarted. You will be required to login again. Do you wish to continue?
Step 4Click OK.
Step 5Log into the ACS machine.
Step 6Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with the secondary instance deregistered from the
primary instance.
Related Topics
Viewing and Editing a Secondary Instance, page 17-12
Deleting a Secondary Instance, page 17-12
Activating a Secondary Instance, page 17-13
Deregistering a Secondary Instance from the Deployment Operations Page, page 17-16
Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22
Deregistering a Secondary Instance from the Deployment
Operations Page
NoteIn this case, the secondary instance is the local machine you are logged in to.
To deregister a secondary instance from the Deployment Operations page:
Step 1Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears with the secondary instance that you are logged in to. See
Table 17-6 for valid field options.
Step 2Click Deregister from Primary.

Add page 507 to Favourites

image text

Enable zoom

17-17
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Promoting a Secondary Instance from the Distributed System Management Page
The system displays the following warning message:
This operation will deregister this server as a secondary with the primary server. ACS
will be restarted. You will be required to login again. Do you wish to continue?
Step 3Click OK.
Step 4Log into the ACS machine.
Step 5Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears with the secondary instance you were logged in to
deregistered from the primary instance.
Related Topics
Viewing and Editing a Secondary Instance, page 17-12
Deleting a Secondary Instance, page 17-12
Activating a Secondary Instance, page 17-13
Deregistering Secondary Instances from the Distributed System Management Page, page 17-16
Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22
Promoting a Secondary Instance from the Distributed System
Management Page
To promote a secondary instance to a primary instance from the Distributed System Management page:
Step 1Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears. See Table 17-4 for valid field options.
Step 2From the Secondary Instances table, check the box next to the secondary instance that you want to
promote to a primary instance.
Step 3Click Promote.
The Distributed System Management page appears with the promoted instance.
Related Topics
Viewing and Editing a Secondary Instance, page 17-12
Deleting a Secondary Instance, page 17-12
Activating a Secondary Instance, page 17-13
Deregistering Secondary Instances from the Distributed System Management Page, page 17-16
Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22

Add page 508 to Favourites

image text

Enable zoom

17-18
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Promoting a Secondary Instance from the Deployment Operations Page
Promoting a Secondary Instance from the Deployment
Operations Page
To promote a secondary instance to a primary instance from the Deployment Operations page:
Step 1Choose System Administration > Operations > Distributed System Management.
The Deployment Operations page appears. See the Table 17-6 for valid field options.
Step 2Register the secondary instance to the primary instance. See Registering a Secondary Instance to a
Primary Instance, page 17-13.
Step 3Choose System Administration > Operations > Distributed System Management.
The Deployment Operations page appears.
Step 4Check the box next to the secondary instance that you want to promote to a primary instance.
Step 5Click Promote to Primary.
The Distributed System Management page appears with the promoted instance.
Related Topics
Viewing and Editing a Secondary Instance, page 17-12
Deleting a Secondary Instance, page 17-12
Replicating a Secondary Instance from a Primary Instance, page 17-18
Activating a Secondary Instance, page 17-13
Deregistering Secondary Instances from the Distributed System Management Page, page 17-16
Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22
Replicating a Secondary Instance from a Primary Instance
You can use two different pages to replicate a secondary instance:
Replicating a Secondary Instance from the Distributed System Management Page
Replicating a Secondary Instance from the Deployment Operations Page
NoteFor more information on replication, see ACS 4.x and 5.3 Replication, page 1-2.

Add page 509 to Favourites

image text

Enable zoom

17-19
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Replicating a Secondary Instance from a Primary Instance
Replicating a Secondary Instance from the Distributed System Management
Page
NoteAll ACS appliances must be in sync with the AD domain clock.
To replicate a secondary instance:
Step 1Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
Step 2From the Secondary Instances table, check one of check boxes next to the secondary instances that you
want to replicate.
Step 3Click Full Replication.
The system displays the following warning message:
This operation will force a full replication for this secondary server. ACS will be
restarted. You will be required to login again. Do you wish to continue?
Step 4Click OK.
Step 5Log into the ACS machine.
Step 6Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears. On the Secondary Instance table, the Replication
Status column shows UPDATED. Replication is complete on the secondary instance. Management and
runtime services are current with configuration changes from the primary instance.
Replicating a Secondary Instance from the Deployment Operations Page
NoteAll ACS appliances must be in sync with the AD domain clock.
To replicate a secondary instance:
Step 1Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears. See the Table 17-6 for valid field options.
Step 2Click Force Full Replication.
The system displays the following warning message:
This operation will force a full replication for this secondary server. ACS will be
restarted. You will be required to login again. Do you wish to continue?
Step 3Click OK.
Step 4Log into the ACS machine.
Step 5Choose System Administration > Operations > Distributed System Management.

Add page 510 to Favourites

image text

Enable zoom

17-20
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations
Replicating a Secondary Instance from a Primary Instance
The Distributed System Management page appears. On the Secondary Instance table, the Replication
Status column shows UPDATED. Replication is complete on the secondary instance. Management and
runtime services are current with configuration changes from the primary instance.
Changing the IP address of a Primary Instance from the Primary Server
To change the IP address of a primary ACS server:
Step 1Log into the ACS primary webinterface and Choose System Administration > Operations >
Distributed System Management to deregister all the secondary ACS instances from the primary ACS
server.
The Distributed System Management page is displayed.
Step 2Check the check box near the secondary ACS instance one by one and click Deregister.
Make sure that the log collector is running in the primary ACS server before deregistering all secondary
ACS instances. If the log collecotor is running in any one of the secondary ACS server, change the log
collector to the primary ACS server.
To change the log collector, see Configuring the Log Collector, page 18-33.
Step 3Check the checkboxes near the deregistered secondary ACS instances to delete all deregistered
secondary ACS instances.
The deregistered secondary ACS instances are deleted.
Step 4Log into the ACS server in Admin mode by entering:
acs-5-2-a/admin# conf t
Step 5Enter the following commands:
int g 0
ip address
old ip address new ip address
Step 6Press Ctrl z.
The following warning message is displayed.
Changing the hostname or IP may result in undesired side effects, such as installed
application(s) being restarted.Are you sure you want to proceed? [y/n]
Step 7Press y
Step 8Access the primary ACS server using the administrator mode and the new IP address.
Step 9Use the command show application status acs to check if all process are running properly.
Step 10Register the secondary instances to the primary ACS server.
See Registering a Secondary Instance to a Primary Instance, page 17-13

All Cisco manuals Comments (0)

Related Manuals for Cisco Acs 5x User Guide

Cisco Acs 57 User Guide
584 pages | Cisco Control System