ACS replication and RSA SecurID

Unanswered Question
Oct 31st, 2007

I need advice from someone with experience with both Cisco ACS 4.1 build 25 and RSA SecurID 6.1.

I have a primary ACS 4.1 build 25 running on a Win2k3 Service Pack 2 AD controller called box_1. This machine, box_1, also has RSA SecurID Primary installed. At the moment, I have successfully integrated both ACS and RSA SecurID to communicate with each other. Users logging onto network devices will have to use SecurID credentials, with ACS just acting as a "proxy". Everything is working fine.

Now I would like to build a secondary ACS 4.1, called box_2. On box_2, I have already installed the RSA SecurID replica for redundancy, and it can communicate with box_1 just fine. By the way, box_2 is also another AD controller.

Now I am ready to install ACS 4.1 on box_2. The question is how replication will work in relation to RSA SecurID. The idea is that if box_1 goes down, box_2 will take over, user(s) will NOT notice any changes, and SecurID will work as it should.

How does ACS handle the sdconf.rec file in replication?

Anyone want to comment on this? Thanks

Premdeep Banga Wed, 10/31/2007 - 13:04

What I can tell you on this scenario is:

Because you are using the RSA ACE agent (i.e. sdconf.rec), from the ACS point of view ACS has RSA SecurID as the External Database.

So once you have configured both ACS servers properly with the RSA ACE Agent (i.e. External User Databases on ACS is okay), then you simply need to replicate the configuration from the primary ACS server to the secondary ACS server. But remember that the External Database configuration section is not replicated, so ensure that the External Database part is configured first on both servers before moving on to the replication part.

Now both ACS databases will have users pointing to RSA SecurID. So it totally depends on the RSA ACE client how it flip-flops between the redundant RSA servers in its configuration, as ACS will proxy the request to the RSA ACE client for authentication.

Now, because you have ACS and RSA on the same server, one thing you need to ensure is that on the NAS (router, switch, AP, firewall etc.) devices you have configured both ACS (and RSA) servers' IP addresses. That is something like:

radius-server host acs_1...

radius-server host acs_2...

I think you got the idea.

And about the internal working of the RSA ACE client, let's wait and see if someone can shed some light on that.

Regards,

Prem
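A worked NAS-side configuration for the two-server point Prem makes above, added here as an illustration and not taken from the thread or from Cisco documentation. The IOS commands are real ones of that era; the addresses (192.0.2.11 for box_1, 192.0.2.12 for box_2), the shared secret and the fallback account are constructed placeholders. It goes one step beyond the reply by setting the timers that decide how quickly a login stops waiting on a dead box_1 and moves to box_2, and by keeping a local fallback so that losing both ACS servers does not lock administrators out.

```cisco
! Added example, not from the thread: an IOS NAS pointing at two ACS/RSA boxes.
! 192.0.2.11 = box_1, 192.0.2.12 = box_2 (placeholders); the key is a placeholder.
aaa new-model
!
! Both ACS servers, in the order the NAS will try them (box_1 first).
! Each ACS must also list this NAS as a AAA client with the same shared secret.
radius-server host 192.0.2.11 key EXAMPLE-SHARED-SECRET
radius-server host 192.0.2.12 key EXAMPLE-SHARED-SECRET
!
! Failover tuning: give up on a server after 5 s x 2 tries, then mark it dead
! for 10 minutes so later logins go straight to box_2 instead of timing out on
! box_1 every time. Keep the timeout long enough for an RSA passcode check.
radius-server timeout 5
radius-server retransmit 2
radius-server deadtime 10
!
! RADIUS (box_1, then box_2) for login and exec; local accounts only if both
! servers are unreachable, so a double outage leaves an administrative path.
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
!
! Emergency local account used only when no ACS answers (placeholder secret).
username admin-fallback privilege 15 secret PLACEHOLDER-LOCAL-SECRET
!
line vty 0 4
 login authentication default
```

Because the thread's design puts the RSA replica on box_2, this NAS configuration only covers the first hop (NAS to ACS); whether ACS on box_2 can still reach a SecurID server when box_1 is down is decided by the ACE client's own server list in sdconf.rec, which is exactly the part of the question Prem leaves open. Testing that second hop in the lab means pulling box_1 off the network and watching a SecurID login succeed through box_2, not just a local fallback login.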

kevin.jones1 Wed, 10/31/2007 - 16:45

Have you done this before, or are you, like myself, just speculating about the outcome?

I will test it in the lab shortly. Thanks.

Premdeep Banga Wed, 10/31/2007 - 21:29

What I said before is purely from the ACS point of view and how it works.

I myself have dealt with over 90 cases/issues in TAC related to ACS and RSA up till now...
