I have recently installed an ACS server and deployed all of our routers and switches on to it. I am in the process of trying to get a few PIXs to authenticate to the ACS, but have run into a problem.
What I'd like to do is have the PIX authenticate against the ACS; however, if it cannot reach the ACS within the timeout I specified, then authenticate against local credentials.
So first I verified I could authenticate against the local username and password with the following:
aaa authentication telnet console LOCAL
I can log in using my local username and password with no problem.
Then I verified I could authenticate against the ACS server with the following:
no aaa authentication telnet console LOCAL
aaa authentication telnet console (tacacs server group name)
I can log in using my LDAP credentials being passed through the ACS with no problem.
So now I want to try to implement my failover: first try the TACACS server group, and if the PIX cannot reach the ACS within the timeout, then authenticate locally.
no aaa authentication telnet console (group name)
aaa authentication telnet console (group name) LOCAL
When the PIX can reach the ACS, I log in using LDAP credentials with no problem.
Then I pull the plug on the ACS and log in with local credentials after the expected timeout.
Then, I plug the ACS back in. I try to log in using LDAP credentials - immediate fail, did not even wait for the timeout period.
I try the local credentials, and they work.
I know the ACS is still reachable, because I can authenticate from a switch on the same subnet using LDAP credentials.
To me it seems as though the PIX no longer tries to hit the server group I had specified after it failed once, and I do not know why.
Any help would be greatly appreciated.
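Added example, not part of the original post and not the poster's configuration. It assumes PIX 7.x/ASA command syntax and uses placeholder names (server group "ACS", TACACS+ host 192.0.2.10 on the "inside" interface, a placeholder key). It shows the server-group settings that govern how long a group stays marked failed after its servers stop answering, alongside a variant that lets the group recover sooner, so the fallback to LOCAL is only in effect while the ACS is actually unreachable.

```cisco
! Constructed example (not from the original post). Placeholder values:
! group tag "ACS", TACACS+ server 192.0.2.10, interface "inside".
!
! --- Group with default failure handling ---
! When no reactivation-mode is configured, a PIX 7.x/ASA server group uses
! depletion mode with a 10-minute deadtime: once every server in the group
! has been marked failed, the whole group stays down (so LOCAL is used) until
! the deadtime expires, even if the server is reachable again much sooner.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
 timeout 5
aaa authentication telnet console ACS LOCAL

! --- Same group, tuned so it is retried soon after the ACS comes back ---
aaa-server ACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 1
! Alternative: retry failed servers periodically instead of waiting for
! the deadtime to expire on the whole group.
! reactivation-mode timed
aaa-server ACS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
 timeout 5
aaa authentication telnet console ACS LOCAL
```

To confirm whether this is what is happening, check the group's state with `show aaa-server ACS` right after the server is plugged back in: a status of FAILED with the group still in its deadtime explains an immediate fallback to LOCAL even though the ACS answers other devices. Keeping the deadtime short (or using timed reactivation) limits the window in which device logins are validated only against local credentials while the central server is actually available.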