ACS Failover scenario

Aug 7th, 2008

Hello


I have Primary ACS in Datacenter-1 and would like to have Secondary-ACS in DataCenter2 in different geographical location.


Is there any other prerequisite apart from same hardware / same OS version / same ACS version???


Any recommendation for such a setup, kindly share your experience.


Amin,


None - the hardware and OS do not have to match. The version of ACS does have to match if you are going to replicate - which I suggest you do, nobody likes to have to make config changes twice.


I have a primary ACS server in my primary D/C and my failover in my DR D/C. My primary and DR are in separate countries.


Just configure on your network devices both ACS servers and the order you want to use them. Also the timeouts - when the authenticating device should use the DR when the primary is unavailable.


One more thing - make sure you keep on top of your logging, if you let the logs fill the hard drive, there is a % that triggers the ACS to not authenticate users.


HTH>

Amin Shaikh Fri, 08/08/2008 - 06:59

Thanks Andrew. I too will have ACS in two different countries.


How to configure the timeouts when the authenticating device should use DR?


If the secondary ACS becomes active and you did some changes then, does it get replicated to the primary once it is back?? (Did you test this?)...






You configure the timeouts in the network devices, router, switch, firewall etc.!


You configure replication to be performed at pre-determined times, or manually.


My ACS servers perform a "Database Replication" once a day, if I need to roll out the change faster, I perform a manual DB replication.


You can configure who replicates to whom, and what is replicated, i.e. users, groups, network objects....


HTH>
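As an added illustration of the device-side setup Andrew describes (both ACS servers configured, a preferred order, and a timeout after which the device moves on to the DR server), here is a Cisco IOS AAA configuration that is not from the thread; the addresses, the server-group name, the key and the local account are constructed placeholders.

```cisco
! Constructed example: IOS device using the primary ACS in DC1 and
! the DR ACS in DC2. Addresses, group name and key are placeholders.
aaa new-model
!
! Per-host timeout: seconds the device waits for a reply from that
! server before trying the next one. Keep it short so an admin login
! does not hang for long when DC1 is unreachable.
tacacs-server host 192.0.2.10 timeout 5 key PLACEHOLDER-KEY
tacacs-server host 198.51.100.10 timeout 5 key PLACEHOLDER-KEY
!
! Server group: members are tried in the order listed, so the
! primary ACS comes first and the DR ACS second.
aaa group server tacacs+ ACS-SERVERS
 server 192.0.2.10
 server 198.51.100.10
!
! Fixed source address so the "AAA client" entry on both ACS servers
! matches one IP for this device.
ip tacacs source-interface Loopback0
!
! Method lists: TACACS+ first, then local. "local" is only reached
! when every server in the group times out, not when ACS rejects the
! credentials, so a valid password is still required either way.
aaa authentication login default group ACS-SERVERS local
aaa authorization exec default group ACS-SERVERS local
aaa accounting exec default start-stop group ACS-SERVERS
aaa accounting commands 15 default start-stop group ACS-SERVERS
!
! Local account used only when both data centers are unreachable.
username emergency-admin privilege 15 secret PLACEHOLDER-PASSWORD
!
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
 accounting commands 15 default
```

With two servers at 5 seconds each, an admin login waits at most about 10 seconds before the local account is consulted; testing this in a lab by blocking reachability to the primary, while watching the DR server's accounting log, confirms that logins land on the DR ACS rather than silently on the local account.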

cisco24x7 Fri, 08/08/2008 - 07:29

"None - the hardware and OS do not have to match."


I have to disagree with this. The OS will have to match as well. For example, let's say that you have the primary ACS 4.0.1 running on Windows 2000 Server and the secondary ACS 4.0.1 running on Windows 2003 Server. If you have issues and contact Cisco TAC, I don't think they will support it.

That is a possibility!


But as long as the ACS versions match.....there should be no issues - the primary issue I have found in the past with different ACS versions is - replication errors.


Once the servers that are replicating to each other are ALL the same version, purring like a kitten!

Amin Shaikh Fri, 08/08/2008 - 08:36

Thanks....


The Cisco System Engineer suggests having the same OS / same ACS version to avoid issues.


How could you block direct login access on the ACS box? (You don't need an admin password to get into the ACS Management console.)


I would have 5 Business Unit Routers / Firewall / Switches under ACS.


I want to configure each Business Unit's network devices under separate groups (BU1 will have a group on ACS and all its network devices will be there); how to restrict a specific Active Directory group to have access to this network group? [Is this possible?]


I'm new to ACS, so I don't have much idea; currently all devices are under one group.

cisco24x7 Wed, 08/13/2008 - 05:35

"That is a possibility!"


That is the FACT.


"But as long as the ACS versions match.....there should be no issues"


Since you do not work for Cisco, you do not know that for sure. It is better to be safe than sorry.
