Cisco Acs 5x User Guide
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 17 Configuring System Operations

Editing Instances

Table 17-5 Distributed System Management Properties Page (continued)

Option: Description

Port: Port for Management service.
MAC Address: MAC address for the instance.
Description: Description of the primary or secondary instance.
Check Secondary Every (only applies for primary instance): Rate at which the primary instance sends a heartbeat status request to the secondary instance. The default value is 60 seconds. The minimum value is 30 seconds and the maximum value is 30 minutes.
Statistics Polling Period (only applies for primary instance): Rate at which the primary instance polls the secondary instance for statistical and logging information. During each polling period, the primary server does not send any query to all the secondary servers, but all ACS servers send their health information to the log collector server. The minimum value is 60 seconds and the maximum value is 30 minutes. However, you can specify a value of 0, which turns off polling and logging. As a result, the log collector server does not show any health status. The default value is 60 seconds.
Enable Auto Activation for Newly Registered Instances (only applies for primary instance): Check this check box to automatically activate the registered secondary instance.

Instance Status

Status: Indicates if the primary instance or secondary instance is online or offline.
Version: The current version of the ACS software.
Replication Status (only applies for secondary instances): Replication status values are:
  - UPDATED—Replication is complete on ACS instance. Both management and runtime services are current with configuration changes from the primary instance.
  - PENDING—Request for full replication has been initiated.
  - REPLICATING—Replication from the primary to the secondary is processing.
  - DEREGISTERED—Deregistered the secondary instance from the primary.
  - N/A—No replication on primary instance.
Last Update Time (only applies for primary instance): Time stamp of the last database configuration change. The time stamp is in the form hh:mm dd:mm:yyyy.
Last Replication Time (only applies for secondary instances): Time stamp of the last replication. The time stamp is in the form hh:mm dd:mm:yyyy.
Last Replication ID (only applies for primary instance): Transaction ID that identifies the last configuration change on the secondary instances. This value increases by 1 for every configuration change. Valid values are 1 to infinity.
Primary Replication ID (only applies for secondary instances): Transaction ID that identifies the last configuration change on the primary instance. This value increases by 1 for every configuration change. Valid values are 1 to infinity.

Step 4 Click Submit.
The Primary Instance table on the Distributed System Management page appears with the edited primary instance.

Related Topics
- Replicating a Secondary Instance from a Primary Instance, page 17-18
- Viewing and Editing a Secondary Instance, page 17-12

Viewing and Editing a Secondary Instance

To edit a secondary instance:

Step 1 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with two tables:
- Primary Instance table—Shows the primary instance.
- Secondary Instances table—Shows a listing and the status of the secondary instances registered to the primary instance.
See Table 17-4 to view column definitions.
Step 2 From the Secondary Instances table, click the secondary instances that you want to modify; or, check the check box for the Name and click Edit.
Step 3 Complete the fields in the Distributed System Management Properties page as described in Table 17-5.
Step 4 Click Submit.
The Secondary Instances table on the Distributed System Management page appears with the edited secondary instance.

Related Topics
- Editing Instances, page 17-8
- Viewing and Editing a Primary Instance, page 17-8

Deleting a Secondary Instance

To delete a secondary instance:

Step 1 Choose System Administration > Operations > Distributed System Management.
The Secondary Instances table on the Distributed System Management page appears with a list of secondary instances.
Step 2 Deregister the secondary instance you wish to delete. Refer to Deregistering Secondary Instances from the Distributed System Management Page, page 17-16.
Step 3 Check one or more check boxes next to the secondary instances that you want to delete.
Step 4 Click Delete.
The following warning message appears:
    Are you sure you want to delete the selected item/items?
Step 5 Click OK.
The Secondary Instances table on the Distributed System Management page appears without the deleted secondary instances.

Activating a Secondary Instance

To activate a secondary instance:

Step 1 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with two tables:
- Primary Instance table—Shows the primary instance.
- Secondary Instances table—Shows a listing and the status of the secondary instances registered to the primary instance.
See Table 17-4 to view column descriptions.
Step 2 From the Secondary Instances table, check the check box next to the secondary instances that you want to activate.
Step 3 Click Activate.
Step 4 The Secondary Instances table on the Distributed System Management page appears with the activated secondary instance. See Table 17-5 for valid field options.

Related Topics
- Viewing and Editing a Secondary Instance, page 17-12
- Deleting a Secondary Instance, page 17-12
- Replicating a Secondary Instance from a Primary Instance, page 17-18
- Registering a Secondary Instance to a Primary Instance, page 17-13
- Deregistering a Secondary Instance from the Deployment Operations Page, page 17-16
- Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
- Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22

Registering a Secondary Instance to a Primary Instance

To register a secondary instance to a primary instance:

Step 1 Log into the machine that will be used as a secondary instance for another ACS server.
Step 2 Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears, displaying the information described in Table 17-6:
Table 17-6 System Operations: Deployment Operations Page

Option: Description

Instance Status

Current Status: Identifies the instance of the node you log into as primary or secondary, and identifies whether you are running in local mode.
Primary Instance: Hostname of the primary instance.
Primary IP: IP address of the primary instance.

Registration (only active for an instance not running in Local Mode)

Primary Instance: Hostname of the primary server that you wish to register with the secondary instance.
Admin Username: Username of an administrator account.
Admin Password: Password for the administrator's account.
Hardware Replacement: Check to enable a new or existing ACS instance hardware to re-register to a primary instance and acquire the existing configuration already present in the primary instance. This is useful when an instance fails and needs physical replacement.
Recovery Keyword: Name of the instance that is to be replaced. This value is the hostname of the system that is being replaced. After you submit this information, this instance connects to the primary instance. The primary instance finds the associated ACS instance records based on the keyword, and marks each record as registered.
Register to Primary: Connects to the remote primary and registers the secondary instance to the primary instance.

Backup

Backup: Backs up the current instance.

Local Mode

Admin Username: Username of an administrator account.
Admin Password: Password for the administrator's account.
Reconnect: This option appears only on the local mode node and prompts you for credentials. Click Reconnect to reconnect to the primary instance. Once you reconnect to the primary instance, you lose the configuration changes that you have made to the local secondary instance. If you want to retain the configuration changes that you have made to the local secondary instance, you must:
  1. Deregister the local secondary instance (this instance would become your new primary).
  2. Deregister all the instances from the deployment.
  3. Register all the instances to the new primary, whose configuration changes you want to retain.
Request Local Mode: This option appears only on a registered secondary page. Request to place the secondary instance in local mode. This enables administrators to make configuration changes only to this instance. Any changes made to the secondary instance are not automatically updated when you reconnect to the primary instance. You must manually enter your changes for the secondary instance.

Deregistration

Deregister from Primary: Deregisters the secondary from the primary instance. The secondary instance retains the database configuration from when it was deregistered. All nodes are marked as deregistered and inactive, and the secondary instance becomes the primary instance. When full replication is in progress on an instance, do not attempt to deregister that instance. Wait until the full replication is complete and the secondary instance is restarted before you deregister the secondary instance.

Promotion

Promote to Primary: Request to promote a secondary instance to primary instance. All updates to the current primary instance are stopped so that all replication updates can complete. The secondary instance gets primary control of the configuration when the replication updates complete.

Replication

Force Full Replication: Replicates the primary instance's database configuration for the secondary instance. When full replication is in progress on an instance, do not attempt to deregister that instance. Wait until the full replication is complete and the secondary instance is restarted before you deregister the secondary instance.

Step 3 Specify the appropriate values in the Registration Section.
Step 4 Click Register to Primary.
The following warning message is displayed.
    This operation will register this ACS Instance as a secondary to the specified Primary Instance. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 5 Click OK.
The Secondary Instance is restarted automatically. The credentials and the configurations that you create on the primary instance are applied to the secondary instance.
Step 6 Register another ACS machine as secondary to the same deployment after the first secondary instance is up and running successfully. Follow the same procedure to register all the secondary machines on the deployment.

Note: Memory utilization of 90% is considered normal in the secondary instance if the log collector is running and the server is under heavy load. If memory utilization increases beyond 90% and keeps increasing, it may be abnormal and needs to be analyzed.
Deregistering Secondary Instances from the Distributed System Management Page

To deregister secondary instances from the Distributed System Management page:

Step 1 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
Step 2 From the Secondary Instances table, check one of the check boxes next to the secondary instances that you want to deregister.
Step 3 Click Deregister.
The system displays the following warning message:
    This operation will deregister this server as a secondary with the primary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 4 Click OK.
Step 5 Log into the ACS machine.
Step 6 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears with the secondary instance deregistered from the primary instance.

Related Topics
- Viewing and Editing a Secondary Instance, page 17-12
- Deleting a Secondary Instance, page 17-12
- Activating a Secondary Instance, page 17-13
- Deregistering a Secondary Instance from the Deployment Operations Page, page 17-16
- Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
- Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22

Deregistering a Secondary Instance from the Deployment Operations Page

Note: In this case, the secondary instance is the local machine you are logged in to.

To deregister a secondary instance from the Deployment Operations page:

Step 1 Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears with the secondary instance that you are logged in to. See Table 17-6 for valid field options.
Step 2 Click Deregister from Primary.
The system displays the following warning message:
    This operation will deregister this server as a secondary with the primary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 3 Click OK.
Step 4 Log into the ACS machine.
Step 5 Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears with the secondary instance you were logged in to deregistered from the primary instance.

Related Topics
- Viewing and Editing a Secondary Instance, page 17-12
- Deleting a Secondary Instance, page 17-12
- Activating a Secondary Instance, page 17-13
- Deregistering Secondary Instances from the Distributed System Management Page, page 17-16
- Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
- Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22

Promoting a Secondary Instance from the Distributed System Management Page

To promote a secondary instance to a primary instance from the Distributed System Management page:

Step 1 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears. See Table 17-4 for valid field options.
Step 2 From the Secondary Instances table, check the box next to the secondary instance that you want to promote to a primary instance.
Step 3 Click Promote.
The Distributed System Management page appears with the promoted instance.

Related Topics
- Viewing and Editing a Secondary Instance, page 17-12
- Deleting a Secondary Instance, page 17-12
- Activating a Secondary Instance, page 17-13
- Deregistering Secondary Instances from the Distributed System Management Page, page 17-16
- Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22
Promoting a Secondary Instance from the Deployment Operations Page

To promote a secondary instance to a primary instance from the Deployment Operations page:

Step 1 Choose System Administration > Operations > Distributed System Management.
The Deployment Operations page appears. See Table 17-6 for valid field options.
Step 2 Register the secondary instance to the primary instance. See Registering a Secondary Instance to a Primary Instance, page 17-13.
Step 3 Choose System Administration > Operations > Distributed System Management.
The Deployment Operations page appears.
Step 4 Check the box next to the secondary instance that you want to promote to a primary instance.
Step 5 Click Promote to Primary.
The Distributed System Management page appears with the promoted instance.

Related Topics
- Viewing and Editing a Secondary Instance, page 17-12
- Deleting a Secondary Instance, page 17-12
- Replicating a Secondary Instance from a Primary Instance, page 17-18
- Activating a Secondary Instance, page 17-13
- Deregistering Secondary Instances from the Distributed System Management Page, page 17-16
- Promoting a Secondary Instance from the Distributed System Management Page, page 17-17
- Using the Deployment Operations Page to Create a Local Mode Instance, page 17-22

Replicating a Secondary Instance from a Primary Instance

You can use two different pages to replicate a secondary instance:
- Replicating a Secondary Instance from the Distributed System Management Page
- Replicating a Secondary Instance from the Deployment Operations Page

Note: For more information on replication, see ACS 4.x and 5.3 Replication, page 1-2.
Replicating a Secondary Instance from the Distributed System Management Page

Note: All ACS appliances must be in sync with the AD domain clock.

To replicate a secondary instance:

Step 1 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears.
Step 2 From the Secondary Instances table, check one of the check boxes next to the secondary instances that you want to replicate.
Step 3 Click Full Replication.
The system displays the following warning message:
    This operation will force a full replication for this secondary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 4 Click OK.
Step 5 Log into the ACS machine.
Step 6 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the secondary instance. Management and runtime services are current with configuration changes from the primary instance.

Replicating a Secondary Instance from the Deployment Operations Page

Note: All ACS appliances must be in sync with the AD domain clock.

To replicate a secondary instance:

Step 1 Choose System Administration > Operations > Local Operations > Deployment Operations.
The Deployment Operations page appears. See Table 17-6 for valid field options.
Step 2 Click Force Full Replication.
The system displays the following warning message:
    This operation will force a full replication for this secondary server. ACS will be restarted. You will be required to login again. Do you wish to continue?
Step 3 Click OK.
Step 4 Log into the ACS machine.
Step 5 Choose System Administration > Operations > Distributed System Management.
The Distributed System Management page appears. On the Secondary Instance table, the Replication Status column shows UPDATED. Replication is complete on the secondary instance. Management and runtime services are current with configuration changes from the primary instance.

Changing the IP address of a Primary Instance from the Primary Server

To change the IP address of a primary ACS server:

Step 1 Log into the ACS primary web interface and choose System Administration > Operations > Distributed System Management to deregister all the secondary ACS instances from the primary ACS server.
The Distributed System Management page is displayed.
Step 2 Check the check box near each secondary ACS instance, one by one, and click Deregister.
Make sure that the log collector is running in the primary ACS server before deregistering all secondary ACS instances. If the log collector is running in any one of the secondary ACS servers, change the log collector to the primary ACS server. To change the log collector, see Configuring the Log Collector, page 18-33.
Step 3 Check the check boxes near the deregistered secondary ACS instances to delete all deregistered secondary ACS instances.
The deregistered secondary ACS instances are deleted.
Step 4 Log into the ACS server in Admin mode by entering:
    acs-5-2-a/admin# conf t
Step 5 Enter the following commands:
    int g 0
    ip address old ip address new ip address
Step 6 Press Ctrl z.
The following warning message is displayed.
    Changing the hostname or IP may result in undesired side effects, such as installed application(s) being restarted. Are you sure you want to proceed? [y/n]
Step 7 Press y.
Step 8 Access the primary ACS server using the administrator mode and the new IP address.
Step 9 Use the command show application status acs to check if all processes are running properly.
Step 10 Register the secondary instances to the primary ACS server. See Registering a Secondary Instance to a Primary Instance, page 17-13.
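
The replication fields in Table 17-5 and the UPDATED check that closes each replication procedure can be run as a routine check after secondaries are re-registered. The following is an added example, not Cisco code: it audits a constructed snapshot of the instance tables, and the record layout, key names and hostnames are assumptions, as is the rule that a secondary is current when its Primary Replication ID equals the primary's Last Replication ID.

```python
from datetime import datetime

TS_FORMAT = "%H:%M %d:%m:%Y"   # Table 17-5 time stamp form: hh:mm dd:mm:yyyy
REPLICATION_STATUSES = {"UPDATED", "PENDING", "REPLICATING", "DEREGISTERED", "N/A"}


def parse_ts(value):
    """Parse a Table 17-5 time stamp; return None if it is malformed."""
    try:
        return datetime.strptime(value, TS_FORMAT)
    except (TypeError, ValueError):
        return None


def check_secondary(primary, sec):
    """Return the list of findings for one secondary instance record."""
    findings = []
    if sec["status"].lower() != "online":
        findings.append("instance is offline")
    status = sec["replication_status"]
    if status not in REPLICATION_STATUSES:
        findings.append(f"unknown replication status {status!r}")
    elif status != "UPDATED":
        findings.append(f"replication status is {status}, not UPDATED")
    # The ID increases by 1 per configuration change, so the difference is
    # read here as the number of changes not yet applied (assumption).
    lag = primary["last_replication_id"] - sec["primary_replication_id"]
    if lag > 0:
        findings.append(f"{lag} configuration change(s) behind the primary")
    elif lag < 0:
        findings.append("replication ID is ahead of the primary")
    # Comparing time stamps across nodes relies on the clocks being in sync.
    updated = parse_ts(primary["last_update_time"])
    replicated = parse_ts(sec["last_replication_time"])
    if updated is None or replicated is None:
        findings.append("time stamp is not in hh:mm dd:mm:yyyy form")
    elif replicated < updated:
        findings.append("last replication predates the primary's last change")
    return findings


def audit_deployment(primary, secondaries):
    """Map each secondary that needs attention to its findings."""
    report = {}
    for sec in secondaries:
        findings = check_secondary(primary, sec)
        if findings:
            report[sec["name"]] = findings
    return report


# Constructed sample snapshot (hypothetical hostnames and values).
PRIMARY = {"name": "acs-pri", "last_update_time": "14:20 03:05:2012",
           "last_replication_id": 118}
SECONDARIES = [
    {"name": "acs-sec1", "status": "Online", "replication_status": "UPDATED",
     "primary_replication_id": 118, "last_replication_time": "14:21 03:05:2012"},
    {"name": "acs-sec2", "status": "Online", "replication_status": "PENDING",
     "primary_replication_id": 115, "last_replication_time": "09:02 03:05:2012"},
    {"name": "acs-sec3", "status": "Offline", "replication_status": "UPDATED",
     "primary_replication_id": 118, "last_replication_time": "14:21 03/05/2012"},
]

if __name__ == "__main__":
    for name, findings in audit_deployment(PRIMARY, SECONDARIES).items():
        print(name, "->", "; ".join(findings))
```

A secondary that answers authentication requests while it is behind the primary enforces an older policy, so any finding here is worth resolving before the node is relied on.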