
9-9
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 9      System Configuration: Advanced
CiscoSecure Database Replication
• A secondary Cisco Secure ACS receiving replicated components must be 
configured to accept database replication from the primary Cisco Secure 
ACS. To configure a secondary Cisco Secure ACS for database replication, 
see Configuring a Secondary Cisco Secure ACS, page 9-17.
• Cisco Secure ACS does not support bidirectional database replication. The 
secondary Cisco Secure ACS receiving the replicated components verifies 
that the primary Cisco Secure ACS is not on its Replication list. If the 
primary is not on that list, the secondary Cisco Secure ACS accepts the 
replicated components. If the primary is on that list, the secondary 
rejects the components.
• If you replicate user accounts, be sure to name external database 
configurations identically on primary and secondary Cisco Secure ACSes. A 
replicated user account retains its association with the database assigned to 
provide authentication or posture validation service, regardless of whether a 
database configuration of the same name exists on the secondary 
Cisco Secure ACS. For example, if a user account is associated with a database 
named “WestCoast LDAP” on the primary Cisco Secure ACS, the replicated 
user account on all secondary Cisco Secure ACSes remains associated with 
an external user database named “WestCoast LDAP” even if you have not 
configured an LDAP database instance of that name.
• If you replicate NAC policies, secondary Cisco Secure ACSes associate 
policies to NAC databases by the order in which the NAC databases were 
created, not by the database name. For example, if the primary Cisco Secure 
ACS has the following NAC database and policy configuration:
– “NAC DB One” with “Policy One” selected.
– “NAC DB Two” with “Policy Two” selected.
and if a secondary Cisco Secure ACS is configured first with a NAC database 
named “NAC DB Two” and second with a NAC database named “NAC DB 
One”, then the following policy selection results after replication occurs:
– “NAC DB One” with “Policy Two” selected.
– “NAC DB Two” with “Policy One” selected.
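
The two behaviors above (user accounts keeping their external database name, and NAC policies following creation order rather than database name) can be checked before replication is enabled. The following Python code is an added example, not Cisco code or part of Cisco Secure ACS; the function names, data structures, and any sample values not quoted above are constructed for illustration.

```python
# Added example: models the replication behavior described in the two
# bullets above. Function names and sample data are constructed.

def nac_policies_after_replication(primary, secondary_names):
    """primary: [(nac_db_name, policy)] in creation order on the primary.
    secondary_names: NAC database names in creation order on the secondary.
    Policies are matched by position (creation order), not by name.
    Only positions present on both sides are mapped."""
    return {name: policy
            for name, (_, policy) in zip(secondary_names, primary)}

def nac_order_mismatches(primary, secondary_names):
    """List (secondary_db, policy_on_primary, policy_after_replication)
    for each NAC database whose policy would change."""
    intended = dict(primary)
    actual = nac_policies_after_replication(primary, secondary_names)
    return [(name, intended.get(name), policy)
            for name, policy in actual.items()
            if intended.get(name) != policy]

def dangling_external_dbs(user_assignments, secondary_db_names):
    """user_assignments: {username: external database name on the primary}.
    Returns accounts that would stay associated with a database name that
    is not configured on the secondary."""
    configured = set(secondary_db_names)
    return {user: db for user, db in user_assignments.items()
            if db not in configured}

if __name__ == "__main__":
    primary_nac = [("NAC DB One", "Policy One"), ("NAC DB Two", "Policy Two")]
    secondary_nac = ["NAC DB Two", "NAC DB One"]   # created in reverse order
    for db, want, got in nac_order_mismatches(primary_nac, secondary_nac):
        print(f"{db}: primary has {want!r}, secondary would get {got!r}")

    users = {"alice": "WestCoast LDAP", "bob": "Corp Directory"}  # constructed
    for user, db in dangling_external_dbs(users, ["Corp Directory"]).items():
        print(f"{user}: external database {db!r} missing on secondary")
```

An empty result from both checks means the secondary's NAC databases were created in the same order as on the primary and every external database name referenced by a replicated account exists on the secondary.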
• To replicate user and group settings that use user-defined RADIUS vendor 
and VSAs, you must manually add the user-defined RADIUS vendor and 
VSA definitions on primary and secondary Cisco Secure ACSes, making sure 
that the RADIUS vendor slots that the user-defined RADIUS vendors occupy 
are identical on each Cisco Secure ACS. After you have done so, replication