How to deploy ACS v4.2 to support Server Failover

Unanswered Question
Feb 10th, 2010

Hi,

I have 2 ACS v4.2 servers in a test environment, and I wish to use one as the primary and the other as the secondary.  So in essence I want to duplicate the users, groups, and other settings from the primary onto the secondary.  Does anyone have documentation on how to achieve this?

Cheers

Jamie

darpotter Thu, 02/11/2010 - 02:00

The replication feature is there to support exactly that.

Under interface options you can enable distributed system settings and replication. This allows you to define the secondary ACS in network config on the primary and vice versa... both require knowledge of the other server's shared key.

On the primary (master), under replication settings you can choose which elements of the config you want to replicate, where to and when. On the secondary (slave) you say you'll accept replication from the primary. You can optionally configure "cascade" replication such that a slave automatically replicates to one or more additional slaves after receiving data, ie a chain or tree topology.

Historically replication doesn't include everything, such as external database group mappings, user-defined RADIUS VSAs etc. It's mainly for user and group data, although over time more features have been added. Best to check the built-in docs or search cisco.com for the v4.2 full user guide.

Note that replication is NOT bi-directional... any database changes made to the secondary will be lost the next time the primary replicates out. Also, while data is collated (on the master) prior to sending out, and while inbound data (on the slave) is processed, authentication processes will stop for about 30 seconds.

Although it creates added cost you could consider having a third ACS which is the configuration master whose only purpose is to replicate config out to two slaves.

Dirk Woellhaf Thu, 02/11/2010 - 02:09

And don't forget to configure both servers on your network devices.

The devices normally try to connect to the servers in the same order as they are configured:

example for Tacacs+ on a Cisco device:

tacacs-server host ip-of-primary single-connection
tacacs-server host ip-of-secondary single-connection
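The two `tacacs-server host` lines above are the minimum; a complete AAA configuration for a Cisco IOS device pointing at both ACS servers looks like the following. This is an added example, not part of either reply: the addresses (192.0.2.10 primary, 192.0.2.11 secondary, documentation range), the shared key, the server-group name `ACS-SERVERS` and the local fallback account are placeholders to replace with your own values. The device must also be defined as an AAA client, with this same key, on both ACS servers (or on the primary with network configuration included in replication), or the secondary will reject requests after a failover.

```cisco
! Added example: IOS AAA pointing at a primary and secondary ACS 4.2.
! Addresses, key and usernames are placeholders (assumed, not from the thread).
aaa new-model
!
! Server order here is the failover order: the primary is tried first,
! the secondary only after the primary times out or is unreachable.
tacacs-server host 192.0.2.10 single-connection
tacacs-server host 192.0.2.11 single-connection
!
! Must match the key configured for this AAA client on BOTH ACS servers.
tacacs-server key 0 ReplaceWithSharedSecret
! Per-server timeout before moving to the next host (seconds).
tacacs-server timeout 5
! Source the TACACS+ traffic from a stable address that matches the
! AAA client entry in ACS (a loopback survives interface flaps).
ip tacacs source-interface Loopback0
!
aaa group server tacacs+ ACS-SERVERS
 server 192.0.2.10
 server 192.0.2.11
!
! "local" is used only when every server in the group is unreachable,
! NOT when a server actively rejects the credentials. This covers the
! ~30 second window during replication on either ACS as well as a
! full outage of both servers.
aaa authentication login default group ACS-SERVERS local
aaa authentication enable default group ACS-SERVERS enable
aaa authorization exec default group ACS-SERVERS local
aaa authorization commands 15 default group ACS-SERVERS local
aaa accounting exec default start-stop group ACS-SERVERS
aaa accounting commands 15 default start-stop group ACS-SERVERS
!
! Local fallback account, exercised only when the ACS group is down.
username fallback-admin privilege 15 secret ReplaceWithStrongPassword
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

To confirm the ordering and that the device can reach both servers, check `show tacacs` on the device: each configured host is listed with its socket state and request/failure counters, so after you pull the primary off the network you should see its failure counter climb and the secondary's request counter start moving. Because local fallback only triggers on unreachability, a mismatched shared key on the secondary shows up as explicit rejections during failover, not as a silent fall-through to the local account, so test the failover before you rely on it.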
