Cisco ACS 5.x – setting up a replication

Ok, so far we have two installations of the ACS 5.x. The only thing we changed after installation is installing trusted certificates. At this point both servers are acting as primary instances. What does this mean?

Well, we can have a distributed model in which one installation is acting as a primary instance and one or more installations act as secondary instances. The main idea behind this is that we could have several ACSs geographically separated so that, for example, users in our Europe offices get authenticated by an ACS server located, say, in Vienna. Similarly, our US users can be authenticated by ACSs located in New York, Houston or Los Angeles. That way the authentication process is faster. But at the same time we don’t want to have to make every change on all of our ACS servers. That’s where this distributed model comes into play. We have only one primary instance on which we make changes, and the other instances receive these changes.

With regard to the number of primaries, there can be only one. But what about secondaries? That depends on the ACS version and licenses. Version 5.3, for example, has a “1+9” model, meaning that there is one primary and up to nine secondaries, for a total of ten ACS installations. In version 5.4 we have “1+12” or “1+20” models, depending on the license. Whatever model we have, the principle is the same: we make a change only on the primary instance and this change gets replicated to all secondaries. It’s worth noting that this replication is change based, or incremental, which means that only the changes get replicated. This is in contrast to version 4.x, where a full replication was triggered by any change we made.

Setting up the replication in version 5.x is a very simple task. In version 4.x you had to match what you were sending from the primary to what the secondary would accept. And you had to know and decide which components of the ACS database you wanted to replicate. With 5.x it’s really a very easy process. On the future secondary instance (remember that at this time both our instances are primary instances!) we issue a request to the primary instance. Then on the primary instance we accept this request and we have a primary-secondary relationship. It’s that easy!

So, let’s do that…

We want our “ACS52” instance to become a secondary. Under the “System Administration->Operations->Local Operations->Deployment Operations”, we fill in the required parameters and click “Register to Primary”:

[screenshot: Deployment Operations page, Register to Primary]

The information popup appears:

[screenshot: information popup]

Now, depending on how the primary instance is set up, the replication registration request may be granted automatically or we may need to approve the request manually. The default is to approve the request automatically. But before we check the replication status, there is one thing I would like to point out. If we used the same PAK numbers on both instances, we will receive this error:

“This System Failure occurred: server cannot be addedd to the deployment. Server has same License ID as server ‘acs51’ that already exists in the deployment. Your changes have not been saved. Click OK to return to the list page.”

My license type is such that a change/upgrade was not possible, so the only way I could think of was reinstalling “acs52” and applying a different license ID. So be careful!

When we send a request from the secondary-to-be instance, we will be logged out and a status on the login page will show:

[screenshot: login page showing the replication status]

On the primary instance, this replication status is in the pending state. This can be viewed under the “System Administration->Operations->Distributed System Management” pane:

[screenshot: Distributed System Management, secondary replica in pending state]

After a while, the replication will trigger and we will see a different, expected replication status:

[screenshot: Distributed System Management, secondary replica updated]

And now we have our “Primary-Secondary” relationship.

Thanks for following up!


12 Responses to Cisco ACS 5.x – setting up a replication

  1. Abdul says:

    While registering a primary instance with another primary instance for a Primary / Secondary setup, does the primary instance which is about to register as a secondary instance need to be reconfigured, or will the existing configuration still be available after the synchronization?

    In other terms, does the secondary instance configuration get overwritten with the primary instance configuration?

    Please confirm.


    • Sasa says:

      The configuration of the secondary will remain the same (IP settings, name, admin password, …). You will, however, lose your database content (local groups, users, devices, …) because the database will be overwritten with the database from the primary instance.

  2. musa says:

    Do we need to configure the clients with primary and secondary servers in case of failure, or will it be handled by the ACS cluster itself?

    • Sasa says:

      You have to list all of them in desired order.

      • musa says:

        Thank you for the response.

        I have to add both the ACS servers on the client, right?

      • Sasa says:

        That’s correct. But you don’t have to add them in order primary-secondary. You can make some sort of load balancing by specifying pri-sec order for some clients and sec-pri for others, but you must list them both on each client.
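As an added illustration of the answer above (not from the original post or from Cisco documentation), here is how the two AAA clients could list both ACS instances in opposite order in Cisco IOS. The hostnames acs51 and acs52 are taken from the post; the IP addresses are constructed and the shared secret is a placeholder that must match the network device entry on the primary ACS (that device list is part of the replicated database). The `tacacs server` / `server name` syntax is the IOS 15.x form; older IOS uses `tacacs-server host` instead.

```text
! ---- Router at site A: prefers acs51, falls back to acs52 ----
aaa new-model
!
tacacs server acs51
 address ipv4 192.0.2.51
 key 0 <shared-secret-configured-on-ACS>
tacacs server acs52
 address ipv4 192.0.2.52
 key 0 <shared-secret-configured-on-ACS>
!
! IOS tries the servers in the order the "server name" lines appear;
! it moves to the next one only when the first does not respond.
aaa group server tacacs+ ACS-GROUP
 server name acs51
 server name acs52
!
! "local" keeps a fallback login if neither ACS instance is reachable
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
!
! ---- Router at site B: same two servers, reversed preference ----
! (everything else identical to site A)
aaa group server tacacs+ ACS-GROUP
 server name acs52
 server name acs51
```

Both routers still reach the same replicated user and device database, so whichever instance answers first enforces the same policy; only the order of first contact differs.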

  3. musa says:

    Thank you very much SASA

  4. yudi bagan says:

    Dear Sasa,

    Currently we have a Cisco ACS 1121 ver 5.2 in our production; we will replace it with new appliances, SNS 3425 ver 5.6.

    Please kindly help: can you provide information on how to restore all of the old devices’ (ACS 1121 ver 5.2) configuration to the new ones?

    • Sasa says:

      More about this can be found here.

      Basically, you have to go to 5.4 or 5.5 first, and then using this document, to 5.6.

      • yudi bagan says:

        Dear Sasa,

        I went to the document, but it looks like an upgrade on one device. My scenario is to cut over from the old devices (ACS 1121) to the new ones (SNS 3425 ver 5.6); on the new devices I have added the license and set the basic config (hostname, IP) similar to the old one.

        Or can I just restore the config from the old to the new?

  5. yudi bagan says:

    By the way, thanks a lot for the information.

  6. Abhinav Vashistha says:

    My primary ACS is in production, so do I need downtime to register an ACS to the primary instance? Meaning, is there an impact on the primary instance while registering a new ACS to the primary?
