Router/Switch config for AAA(ACS4.2)

Nov 4th, 2009

Dear All,

I have a few questions on ACS 4.2.

Question 1: I have got 2 licences for two ACS 4.2 servers and I have done the installation on the two servers. My question here is that during the installation it never asked for a licensing key, so then what is the use of the licensing key?

Question 2: My design requires one to be the primary ACS and the other to be the secondary ACS. If the primary fails it should contact the secondary server without any delay, and if both servers are not reachable it should ask for local passwords without any delay. Finally, end users should not be affected by a failure of ACS.

Question 3: Does the config differ for different models of routers and switches?

Please find my proposed config:


----------------------------------------
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
---------------------------------
tacacs-server host X.X.X.X(primary)
tacacs-server host Y.Y.Y.Y(SECONDARY)
tacacs-server timeout 5
tacacs-server directed-request
tacacs-server key 7 XXXXXXXXXXXX
--------------------------------
line con 0
 password 7 001014030D511C08260F68700001
 login authentication no_tacacs
line vty 0 4
 password 7 03105C0E0F05364267273D12345
line vty 5 15
 password 7 03105C0E0F05364267212345


Jatin Katyal Wed, 11/04/2009 - 05:58
User Badges: Cisco Employee

Hi Adhitya,

1. ACS for Windows doesn't require any kind of license/serial number/key. As you have the ACS installation kit for Windows, you simply need to install it on a supported Microsoft platform; it won't ask for any key or license.

However, at any given point in time you can run this software on one platform. The single contract cannot be used to install ACS on multiple machines in your production network.

Without a license you can't get any further updates/TAC support, since ACS software is not listed on this site or in your Cisco profile.

2. In the case of failover there will definitely be a delay. We have primary, secondary and local with the timeout set to 5 sec for each try, and by default there will be three retries. If both servers go down it will take around 35 seconds to reach the local database.

3. The proposed config looks perfect.


HTH


JK


-pls rate helpful posts-
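The failover walk JK describes above, modelled as an added example (this is not code from the thread or from Cisco, and it does not talk to a device): the per-try timeout of 5 s and three tries per server are the figures from the posts, the server addresses and their up/down state are constructed, and the model assumes IOS only falls through to the next method on ERROR (no server answered), never on FAIL (a reachable server rejected the login).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Outcomes a method can return.  IOS moves to the next method in the list
# only on ERROR (no server answered); a FAIL (server answered "reject") ends
# the walk, so "line"/"local" is not a back door around a working ACS.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    host: str             # constructed placeholder, e.g. "a.a.a.a"
    reachable: bool
    accepts: bool = True  # answer it would give if reached


def try_server(srv: TacacsServer, timeout: float, tries: int) -> Tuple[str, float]:
    """One server from 'group tacacs+': (outcome, seconds spent waiting)."""
    if srv.reachable:
        return (PASS if srv.accepts else FAIL), 0.0  # reply is near-instant
    return ERROR, timeout * tries  # each try waits the full timeout


def run_method_list(methods: List[str], servers: List[TacacsServer],
                    timeout: float = 5.0, tries: int = 3,
                    line_ok: bool = True) -> Tuple[str, float]:
    """Walk e.g. ["group tacacs+", "line"] as the login method list would."""
    elapsed = 0.0
    for method in methods:
        if method == "group tacacs+":
            outcome = ERROR
            for srv in servers:              # configured order = failover order
                outcome, spent = try_server(srv, timeout, tries)
                elapsed += spent
                if outcome != ERROR:
                    break                    # got an answer; stop the group
        elif method in ("line", "local"):
            outcome = PASS if line_ok else FAIL
        else:
            raise ValueError(f"unmodelled method {method!r}")
        if outcome != ERROR:
            return outcome, elapsed
    return ERROR, elapsed                    # every method errored: login refused


if __name__ == "__main__":
    both_down = [TacacsServer("a.a.a.a", False), TacacsServer("b.b.b.b", False)]
    login = ["group tacacs+", "line"]
    print(run_method_list(login, both_down))                        # ('PASS', 30.0)
    print(run_method_list(login, both_down, timeout=2.0, tries=1))  # ('PASS', 4.0)
    rejecting = [TacacsServer("a.a.a.a", True, accepts=False)]
    print(run_method_list(login, rejecting))                        # ('FAIL', 0.0)
```

With both servers down the pure timeout cost is 30 s of waiting before `line` is consulted, close to the ~35 s JK quotes; shrinking the timeout and tries per server is what cuts that wait, not adding more methods.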

adhityakarthik Wed, 11/04/2009 - 07:44

Hi,

Thanks very much for the quick response. With the present config we have a delay in typing commands when both servers are not reachable and we log in via the local password. Could you please tell me how it can be avoided in the new design?

Present config:

--------
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
tacacs-server host a.a.a.a
tacacs-server host b.b.b.b
tacacs-server directed-request
tacacs-server key 7 ***********
!
line con 0
 password 7 ***********
 login authentication no_tacacs
line vty 0 4
 password 7 **************
line vty 5 15
 password 7 **********
--------------


Can I do the same config for all models of routers and switches? Please comment on the same.


Adhitya

adhityakarthik Thu, 11/05/2009 - 07:43

Hi All,

Still expecting more answers on this, kindly update me.


Adhitya
