SEC0099 - ACS 5.4 Distributed Deployment

The video demonstrates the process of setting up a distributed deployment on Cisco ACS 5.4. We will go through secondary ACS registration, moving the log collector role to a secondary ACS, failover testing, and promoting a secondary ACS to primary. Along the way, we will also verify the MAR cache distribution configured in the previous labs and note a caveat in that feature.
Topic:
  • ACS Distributed Deployment
  • Secondary ACS Registration
  • Log Collector Role Change
  • ACS Failover
  • Secondary ACS Promotion
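
The failover test in the lab is driven from a NAS. As an added example (not the lab's own material, and not Cisco code), the Python script below does the same check from a workstation: it builds a RADIUS PAP Access-Request (RFC 2865), sends it to each ACS node in the order a NAS would try them, and validates the Response Authenticator so that only a reply produced with the shared secret counts as the node being up. The node addresses, shared secret, test user and NAS IP in it are placeholders; the workstation must also be defined as a network device on the ACS, or the request is silently dropped.

```python
"""RADIUS (RFC 2865) PAP failover probe for a distributed ACS deployment.
Added example, not code from the lab or from Cisco. Node addresses, shared
secret and credentials under __main__ are assumptions; replace them."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password (RFC 2865 5.2): pad to 16-byte blocks, XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password, as the ACS does on receipt."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator); the authenticator is random unless supplied."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(attrs), authenticator)
    return header + attrs, authenticator


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, HEADER.size
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_response(code, identifier, attrs, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    length = HEADER.size + len(attrs)
    digest = hashlib.md5(struct.pack("!BBH", code, identifier, length)
                         + request_authenticator + attrs + secret).digest()
    return HEADER.pack(code, identifier, length, digest) + attrs


def verify_response(response, identifier, request_authenticator, secret):
    """Return the reply code if its Response Authenticator is valid, else None.
    A reply failing this check was not made with our secret: not proof the node is healthy."""
    if len(response) < HEADER.size:
        return None
    code, rid, length, _ = HEADER.unpack_from(response)
    if rid != identifier or length != len(response):
        return None
    expected = build_response(code, rid, response[HEADER.size:], request_authenticator, secret)
    return code if hmac.compare_digest(expected, response) else None


def probe_node(host, secret, username, password, nas_ip, identifier=1, timeout=3.0, port=1812):
    """Send one Access-Request; return 'accept', 'reject', 'timeout' or 'bad-auth'."""
    packet, authenticator = build_access_request(identifier, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code = verify_response(data, identifier, authenticator, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad-auth")


def failover_order(nodes, **kw):
    """Probe nodes in NAS order (primary first); the first node that answers is the
    one a NAS configured with this list is actually using right now."""
    results = [(host, probe_node(host, **kw)) for host in nodes]
    serving = next((h for h, r in results if r in ("accept", "reject")), None)
    return serving, results


if __name__ == "__main__":
    NODES = ["10.0.0.11", "10.0.0.12"]  # assumed primary and secondary ACS addresses
    serving, results = failover_order(NODES, secret=b"acs-secret", username=b"testuser",
                                      password=b"testpass", nas_ip="10.0.0.1")
    for host, result in results:
        print(f"{host}: {result}")
    print("serving node:", serving)
```

Run it once with both nodes up, then again with the primary's runtime services stopped: the serving node should move from the first address to the second. A "bad-auth" result means a reply arrived but its Response Authenticator did not verify, which almost always means the shared secret configured for this client on that node does not match.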

Attention!! ACS 5.6 has Trust Communication enabled by default, which requires both the Primary and Backup nodes to have a certificate signed by a trusted CA before they will communicate. Trust Communication can be disabled if desired. See the link below for more detail.

Configuring Trust Communication in a Distributed Deployment

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

6 comments

Hi,
As far as I know, the latest ACS 5.5 will support the MAR cache in a file.

"MAR Cache Enhancements—ACS 5.5 stores the MAR cache content, calling-station-ID list, and the corresponding timestamps to a file on its local disk when you manually stop the ACS runtime services. ACS does not store the MAR cache entries of an instance when there is an accidental restart of its runtime services. When the ACS runtime services gets restarted, ACS reads the MAR cache entries from the file on its local disk based on the cache entry time to live. For more information on Distributed MAR Cache, see the User Guide for Cisco Secure Access Control System 5.5."

It sounds like the cache is only written to file when the service is manually stopped, and not continuously as soon as there is a new cache entry. It would not be much use if the cache cannot survive a reload or power loss. A manual restart of the service does not happen that much in comparison, after all.
Anyhow, thank you for sharing this.

Yes. good point.

How about ISE, does it support that?

Thanks for your reply.

I think ISE is even way behind on this. Cisco really needs to work on resolving this caching issue.

please show design/configuration for ACS 5.5 dispersed deployment using VM

Dispersed deployment is just another deployment model that tries to promote localized ACS with local AD integration. As far as adding nodes to a deployment goes, the process is the same as shown in this video.