Secondary ACS not authenticating

Answered Question
May 27th, 2008
User Badges:

I have 2 ACS 1113 appliances running 4.1(1) Build 24. The first is the primary and replicates nightly to the secondary at our DR. Though at different locations, they are both within the same VLAN with no firewalls or access-lists in-between them. All of my devices will authenticate with my primary ACS unless it is down, in which case they should authenticate against the secondary ACS. The issue is that I have no problems with authentication on my primary ACS, but I cant get anything to authenticate against my secondary (after taking the primary down for testing). When trying to authenticate against my secondary, I get no logs for passed or failed authentications after my attempts fail. In addition, when my attempts fail, I try to log into the devices locally and my authorization fails - again with no logs in the ACS. However, when I remove the device from the NDG in the secondary ACS, I am able to log in locally to the network device.


I have to believe that with the device in the NDG within ACS, there is some communication failing my attempts (though it does not log anything) since I can take the device out of that NDG and pass local authentication. I was running code 4.0 with this same issue and thought that the upgrade would fix the problem...but evidently I have something else going on here.


Any input or suggestions would be greatly appreciated.

Correct Answer by Jagdeep Gambhir about 9 years 1 month ago

Do this on seconday acs.


ACS--->Network configuration====>Proxy Dis table--->Click on default====> If you see delivenrance 1 in aaa server----> Drag it to "Forward to" --->And whatever is there under forward to --->Drag it to aaa-server-->submit+apply.


It should work now.


If you don't see proxy distribution option then go to acs--->interface configuration----->advanced option ---->enable distributed table.



That should fix it.



Regards,

~JG


Do rate helpful posts

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jagdeep Gambhir Tue, 05/27/2008 - 09:26
User Badges:
  • Red, 2250 points or more

Do this on seconday acs.


ACS--->Network configuration====>Proxy Dis table--->Click on default====> If you see delivenrance 1 in aaa server----> Drag it to "Forward to" --->And whatever is there under forward to --->Drag it to aaa-server-->submit+apply.


It should work now.


If you don't see proxy distribution option then go to acs--->interface configuration----->advanced option ---->enable distributed table.



That should fix it.



Regards,

~JG


Do rate helpful posts

mcroberts Tue, 05/27/2008 - 09:37
User Badges:

Excellent advice. Everything authenticates as it should now. Thank you!

Actions

This Discussion