Secondary ACS not authenticating (new issue)

Unanswered Question
May 28th, 2008

Here is a posting I put up yesterday, but when I thought the issue was resolved, I ran into another issue: replication would not succeed. At the end of yesterday's posting, you will see my newly added issues.

==============================================================================

I have 2 ACS 1113 appliances running 4.1(1) Build 24. The first is the primary and replicates nightly to the secondary at our DR. Though at different locations, they are both within the same VLAN with no firewalls or access-lists in between them. All of my devices will authenticate with my primary ACS unless it is down, in which case they should authenticate against the secondary ACS. The issue is that I have no problems with authentication on my primary ACS, but I can't get anything to authenticate against my secondary (after taking the primary down for testing). When trying to authenticate against my secondary, I get no logs for passed or failed authentications after my attempts fail. In addition, when my attempts fail, I try to log into the devices locally and my authorization fails, again with no logs in the ACS. However, when I remove the device from the NDG in the secondary ACS, I am able to log in locally to the network device.

I have to believe that with the device in the NDG within ACS, there is some communication failing my attempts (though it does not log anything), since I can take the device out of that NDG and pass local authentication. I was running code 4.0 with this same issue and thought that the upgrade would fix the problem, but evidently I have something else going on here.

Any input or suggestions would be greatly appreciated.

===============================================================================

Replied by: jgambhir - May 27, 2008, 10:26am PST

Do this on the secondary ACS.

ACS > Network Configuration > Proxy Distribution Table > click on Default. If you see delivenrance 1 in "AAA Servers", drag it to "Forward To", and whatever is there under "Forward To", drag it to "AAA Servers". Then Submit + Apply.

It should work now.

If you don't see the Proxy Distribution option, then go to ACS > Interface Configuration > Advanced Options and enable "Distributed System Settings".

That should fix it.

================================================================================

New Issue:

Now that I was able to get the devices to authenticate with the Secondary ACS, replication stopped working. To make a long story short, I tried to get replication back up, and now replication does not work and the secondary does not authenticate again. OK, here is what I currently have in place: on the primary ACS, under Network Config > Proxy Dist Table > Default, I have the secondary listed under "AAA Servers" and the primary under "Forward To". (When I switched them, adding the secondary to "Forward To", I lost authentication on my primary as well.) On the Secondary, under Network Config > Proxy Dist Table > Default, I have the primary listed under "AAA Servers" and the secondary under "Forward To". There has to be something simple somewhere that I am missing. Any suggestions are appreciated.

Jagdeep Gambhir Wed, 05/28/2008 - 05:24

1) Make sure that you are not replicating over NAT. Replication over NAT does not work because the IP is used as part of the server authentication.

2) Next, check to make sure that you are not sending or receiving the distribution table. On the primary server, the distribution table should not be checked in the send list, and on the secondary, the distribution table should not be checked for receive.

3) Then I would like you to check in the secondary server's partner list, to make sure that the primary is not listed. You should not enter the primary server into the partner list on the secondary server. However, the primary server should have all secondary servers listed in its partner list.

4) Ensure that the secondary server has its replication scheduling set to "Manual".

5) Please verify that your servers are all running exactly the same ACS version and build.

6) Check if we have any firewall in between the two ACS servers. In case you do, then please have your firewall checked and reconfigured to disable any inspection on port 2000.

Regards,

~JG

Do rate helpful posts

mcroberts Wed, 05/28/2008 - 05:59

1) no NAT involved

4) Secondary is set to manual

5) Exact version, appliance, and build

6) No firewalls or access-lists involved

2) Both ACS appliances did have the "Distribution Table" checked, so I fixed that on each appliance and applied it.

3) On the secondary ACS, I looked in System Config > ACS Int DB Replication > Partners and had the primary ACS under "AAA Servers", with the "Replication" field blank.

On the primary ACS, I looked in System Config > ACS Int DB Replication > Partners and had the secondary ACS under "Replication", with the "AAA Servers" field blank.

Replication still not working and no specific errors on the ACS. Looks like the replication cycle is hanging.

Jagdeep Gambhir Wed, 05/28/2008 - 10:51

When you try to authenticate on the secondary ACS, do you see any hits in the ACS Failed or Passed Attempts?

Do you see something like deliverence1 on the secondary ACS, under the Proxy Distribution Table?

If you see it, then bring that to the "Forward To" box.

mcroberts Thu, 05/29/2008 - 04:29

Actually, now I am able to authenticate against both ACS appliances successfully, but I just can't replicate. I get the "denied" error in the logs.
