aaa authentication on PIX failover

Unanswered Question

I have recently installed an ACS server and deployed all of our routers and switches on to it. I am in the process of trying to get a few PIXs to authenticate to the ACS, but have run into a problem.

What I'd like to do is have the PIX authenticate against the ACS; however, if it cannot reach the ACS within the timeout I specified, then authenticate against local credentials.

So first I verified I could authenticate against the local username and password with the following:

aaa authentication telnet console LOCAL

I can log in using my local username and password with no problem.

Then I verified I could authenticate against the ACS server with the following:

no aaa authentication telnet console LOCAL

aaa authentication telnet console (tacacs server group name)

I can log in using my LDAP credentials being passed through the ACS with no problem.

So now I want to try to implement my failover: first try the TACACS server group, and if the PIX cannot reach the ACS within the timeout, then authenticate locally.

no aaa authentication telnet console (group name)

aaa authentication telnet console (group name) LOCAL

When the PIX can reach the ACS, I log in using LDAP credentials with no problem.

Then I pull the plug on the ACS, and I log in with local credentials after the expected timeout.

Then I plug the ACS back in. I try to log in using LDAP credentials: immediate fail, it did not even wait for the timeout period.

I try the local credentials, and they work.

I know the ACS is still reachable, because I can authenticate from a switch on the same subnet using LDAP credentials.

To me it seems as though the PIX no longer tries to hit the server group I had specified after it failed once, and I do not know why.

Any help would be greatly appreciated.

magurwara Thu, 04/19/2007 - 07:13

Check whether you have the radius-server deadtime interval set. This interval tells the device how long not to attempt a radius server that was unavailable.

This is useful when you have multiple radius servers and you fail over to another radius server should the first one be unavailable.

Without this interval configured, the device will always send the request to the first configured radius server and then, if it is not responding, send the request to the second radius server after the timeout, or to another method if one is configured.
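The deadtime behaviour described above applies to the PIX's own `aaa-server` groups as well, and it is the knob to check for the symptom in the question (an immediate fall-through to LOCAL right after the ACS comes back). On PIX 7.x and ASA, once every host in a server group has exceeded `max-failed-attempts`, the default depletion reactivation mode marks the whole group inactive for the deadtime (10 minutes by default), and during that window the `aaa authentication ... LOCAL` fallback is used without the ACS being contacted at all. The configuration below is an added example, not from the original post, using PIX 7.x/ASA syntax; the group name `ACS-TACACS`, the interface `inside`, the server address `10.1.1.5` and the key are assumptions for illustration:

```text
! Define the TACACS+ server group and its failure handling
aaa-server ACS-TACACS protocol tacacs+
 ! Mark a host failed after this many consecutive unanswered requests
 max-failed-attempts 3
 ! Depletion mode: once all hosts fail, the group is idle for <deadtime> minutes
 ! (default is 10). Shorten it so the PIX retries the ACS sooner after an outage.
 reactivation-mode depletion deadtime 1
 ! Alternative: retry failed hosts every 30 seconds instead of waiting for deadtime
 ! reactivation-mode timed

! The ACS host itself (address and key are placeholders)
aaa-server ACS-TACACS (inside) host 10.1.1.5
 key <tacacs-shared-secret>
 ! Per-request timeout before the PIX counts a failed attempt
 timeout 5

! Try the ACS first, fall back to the local user database only if the group is unavailable
aaa authentication telnet console ACS-TACACS LOCAL
```

To confirm whether the group is being skipped, `show aaa-server ACS-TACACS` reports each host's status (ACTIVE or FAILED) along with request and failure counters; a FAILED host with no new request counts while you log in is the group sitting out its deadtime rather than the ACS rejecting the credentials. Keep the LOCAL fallback in place in any case: without it, a deactivated group would lock you out of the PIX for the whole deadtime window.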
