Here is a posting I put up yesterday, but just when I thought the issue was resolved, I ran into another issue: replication would not succeed. At the end of yesterday's posting, you will see my newly added issues.
I have 2 ACS 1113 appliances running 4.1(1) Build 24. The first is the primary and replicates nightly to the secondary at our DR site. Though at different locations, they are both within the same VLAN with no firewalls or access lists in between them. All of my devices will authenticate with my primary ACS unless it is down, in which case they should authenticate against the secondary ACS. The issue is that I have no problems with authentication on my primary ACS, but I can't get anything to authenticate against my secondary (after taking the primary down for testing). When trying to authenticate against my secondary, I get no logs for passed or failed authentications after my attempts fail. In addition, when my attempts fail, I try to log into the devices locally and my authorization fails, again with no logs in the ACS. However, when I remove the device from the NDG in the secondary ACS, I am able to log in locally to the network device.
I have to believe that with the device in the NDG within ACS, there is some communication failing my attempts (though it does not log anything), since I can take the device out of that NDG and pass local authentication. I was running code 4.0 with this same issue and thought that the upgrade would fix the problem, but evidently I have something else going on here.
Any input or suggestions would be greatly appreciated.
Replied by: jgambhir - May 27, 2008, 10:26am PST
Do this on the secondary ACS.
ACS > Network Configuration > Proxy Distribution Table > click on Default. If you see delivenrance 1 under "AAA Servers", drag it to "Forward To", and whatever is under "Forward To", drag it to "AAA Servers". Submit + Apply.
It should work now.
If you don't see the Proxy Distribution option, go to ACS > Interface Configuration > Advanced Options and enable the distributed table.
That should fix it.
Now that I was able to get the devices to authenticate with the secondary ACS, replication stopped working. To make a long story short, I tried to get replication back up, and now replication does not work and the secondary does not authenticate again. OK, here is what I currently have in place: on the primary ACS, under Network Config > Proxy Dist Table > Default, I have the secondary listed under "AAA Servers" and the primary under "Forward To". (When I switched them, adding the secondary to "Forward To", I lost authentication on my primary as well.) On the secondary, under Network Config > Proxy Dist Table > Default, I have the primary listed under "AAA Servers" and the secondary under "Forward To". There has to be something simple somewhere that I am missing. Any suggestions are appreciated.
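When a device's logins against the secondary ACS produce no passed or failed entries at all, the first thing worth separating is "the ACS is not answering" from "the ACS is answering but the device (or its NDG / proxy-distribution entry) is misconfigured". The script below is an added example, not code from the thread or from Cisco: it talks TACACS+ (RFC 8907 framing, TCP port 49) to the ACS directly from a workstation, so the network device is taken out of the picture. It assumes the devices use TACACS+ rather than RADIUS (the thread does not say which; ACS 4.x speaks both) and that the probe host is defined in the ACS Network Configuration with the shared key you pass in. The host, key, username and password are placeholders to be replaced.

```python
"""Minimal TACACS+ ASCII-login probe for checking whether an ACS answers at all.

Added example (not from the original thread). Assumes TACACS+ on TCP/49 and
that this probe host is a known AAA client on the ACS with the given key.
"""
import hashlib
import os
import socket
import struct
import sys

TAC_PLUS_VERSION = 0xC0       # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01            # authentication packet
AUTHEN_LOGIN = 0x01           # action: login
AUTHEN_TYPE_ASCII = 0x01      # ASCII (interactive) authentication
AUTHEN_SVC_LOGIN = 0x01       # service: login
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
          5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pad(session_id: bytes, key: bytes, seq_no: int, length: int) -> bytes:
    """Obfuscation pad: chained MD5 over session_id, key, version, seq_no."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(session_id + key + bytes([TAC_PLUS_VERSION, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad. Symmetric, so it also de-obfuscates."""
    return bytes(a ^ b for a, b in zip(body, pad(session_id, key, seq_no, len(body))))


def build_packet(body: bytes, session_id: bytes, key: bytes, seq_no: int) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBB4sI", TAC_PLUS_VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def authen_start(user: str, port: bytes = b"tty0", rem_addr: bytes = b"probe") -> bytes:
    """Authentication START body: action, priv_lvl, authen_type, service, four lengths, then fields."""
    u = user.encode()
    return struct.pack("!BBBBBBBB", AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), len(port), len(rem_addr), 0) + u + port + rem_addr


def authen_continue(user_msg: bytes) -> bytes:
    """Authentication CONTINUE body: user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_reply(data: bytes, session_id: bytes, key: bytes, seq_no: int):
    """Validate the header against our session, de-obfuscate, return (status name, server_msg)."""
    _ver, ptype, seq, _flags, sid, length = struct.unpack("!BBBB4sI", data[:12])
    if sid != session_id or seq != seq_no or ptype != TYPE_AUTHEN:
        raise ValueError("reply does not belong to our session")
    body = obfuscate(data[12:12 + length], session_id, key, seq)
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    # An UNKNOWN status almost always means the shared key does not match:
    # the body decodes to garbage rather than a real status byte.
    return STATUS.get(status, f"UNKNOWN({status})"), body[6:6 + msg_len].decode(errors="replace")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-packet")
        buf += chunk
    return buf


def recv_packet(sock: socket.socket) -> bytes:
    """Read one TACACS+ packet: header first, then exactly `length` body bytes."""
    hdr = _recv_exact(sock, 12)
    return hdr + _recv_exact(sock, struct.unpack("!I", hdr[8:12])[0])


def probe(host: str, key: str, user: str, password: str, port: int = 49, timeout: float = 5.0):
    """Run one ASCII login against the server and return (status, server message)."""
    kb, session_id = key.encode(), os.urandom(4)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_packet(authen_start(user), session_id, kb, 1))
        status, msg = parse_reply(recv_packet(s), session_id, kb, 2)
        if status == "GETPASS":   # server accepted the username, now wants the password
            s.sendall(build_packet(authen_continue(password.encode()), session_id, kb, 3))
            status, msg = parse_reply(recv_packet(s), session_id, kb, 4)
    return status, msg


if __name__ == "__main__":
    # Placeholders: python3 probe.py <secondary-acs-ip> <shared-key> <user> <password>
    host, key, user, password = sys.argv[1:5]
    try:
        print(probe(host, key, user, password))
    except (ConnectionRefusedError, socket.timeout) as exc:
        print("no TACACS+ service reachable:", exc)
```

Run it against the secondary with the primary still up, then again with the primary down. A refused or timed-out connection means the secondary is not listening for this client at all (nothing will ever be logged); an UNKNOWN status means the key in ACS for the probe host differs from the one you passed; a FAIL with a server message means the ACS is answering and the problem is on the ACS side (user, group, or NDG/proxy-distribution mapping), and a passed/failed entry should now appear in its reports.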