aaa authentication on PIX failover

hegleran
Level 1

I have recently installed an ACS server and deployed all of our routers and switches on to it. I am in the process of trying to get a few PIXs to authenticate to the ACS, but have run into a problem.

What I'd like to do is have the PIX authenticate against the ACS; however, if it cannot reach the ACS within the timeout I specified, then authenticate against local credentials.

So first I verified I could authenticate against the local username and password with the following:

aaa authentication telnet console LOCAL

I can log in using my local username and password with no problem.

Then I verified I could authenticate against the ACS server with the following:

no aaa authentication telnet console LOCAL

aaa authentication telnet console (tacacs server group name)

I can log in using my LDAP credentials being passed through the ACS with no problem.

So now I want to try to implement my failover: first try the TACACS server group, and if the PIX cannot reach the ACS within the timeout, then authenticate locally.

no aaa authentication telnet console (group name)

aaa authentication telnet console (group name) LOCAL

When the PIX can reach the ACS, I log in using LDAP credentials with no problem.

Then I pull the plug on the ACS, and I log in with local credentials after the expected timeout.

Then I plug the ACS back in. I try to log in using LDAP credentials: immediate fail; it did not even wait for the timeout period.

I try the local credentials, and they work.

I know the ACS is still reachable, because I can authenticate from a switch on the same subnet using LDAP credentials.

To me it seems as though the PIX no longer tries to hit the server group I had specified after it failed once, and I do not know why.

Any help would be greatly appreciated.

2 Replies

hegleran
Level 1

Update:

After a considerable amount of time since the ACS was reconnected to the network (20 minutes or so), the PIX is now authenticating against the ACS again. What would cause this long period of time where the PIX would refuse to attempt to authenticate against the tacacs server group?

Check if you have the radius-server deadtime interval set. This interval tells the device how long not to attempt a RADIUS server that was unavailable.

This is useful when you have multiple RADIUS servers and you fail over to another RADIUS server should the first one be unavailable.

Without this interval configured, the device will always send the request to the first configured RADIUS server and then, if it is not responding, send the request to the second RADIUS server after the timeout, or to another method if configured.
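The fallback setup the thread is about, written out as one firewall configuration. This is an added example, not configuration from the original post or the reply above. It assumes a PIX/ASA running 7.x-style software, where the "how long is a failed server skipped" behaviour is set per server group with reactivation-mode rather than with an IOS-style radius-server deadtime command; the group name TACACS, the interface name inside, the server address 192.0.2.10 and the shared secret are placeholders.

```cisco
! Assumed: PIX/ASA 7.x-style syntax. Group name, interface, address and key are placeholders.
!
! TACACS+ server group. The reactivation settings decide what happens after a
! server stops answering: with "depletion", a server that fails max-failed-attempts
! times is marked FAILED and, once every server in the group has failed, the whole
! group stays down for "deadtime" minutes before the firewall tries it again. With
! only one server in the group that means every login during those minutes goes
! straight to LOCAL without the server ever being contacted.
aaa-server TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10

! Alternative for a single-server group: retry a failed server after a fixed
! 30 seconds instead of waiting out the deadtime.
! reactivation-mode timed

aaa-server TACACS (inside) host 192.0.2.10
 key <shared-secret>
 timeout 5

! Method list: try the TACACS+ group first; LOCAL is used only when no server
! in the group answers (or the group is currently marked failed), not when a
! server answers with a reject.
aaa authentication telnet console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
```

To see why a login is skipping the server, check the group's state with `show aaa-server TACACS`; a server the firewall has given up on shows as FAILED rather than ACTIVE, and stays that way until the reactivation rule above puts it back. On software that supports it, `test aaa-server authentication TACACS host 192.0.2.10 username <user> password <pass>` exercises the server directly without a real login. Keep the local account in place even after the group is working again: it is the only way in when the ACS is down, so give it a strong password and restrict where Telnet/SSH is accepted from.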
