No dead-timer feature for TACACS servers in IOS?

Unanswered Question
Apr 12th, 2010
Hi,


I've recently set up multiple ACS 5.1 boxes with primary/secondary replication for redundancy.


I was thinking of using this for redundant RADIUS services (point wireless controllers etc. towards multiple ACS instances, and let the RADIUS monitoring dead-timers figure out which servers to use in case of a failure). For RADIUS this works perfectly.


For TACACS, I have tried with a server-group:


tacacs-server host ACS1 single-connection key MYKEY
tacacs-server host ACS2 single-connection key MYKEY
!
aaa group server tacacs+ TACACS
 server ACS1
 server ACS2
!
username localadmin password MYPW
aaa authentication login default group TACACS local
[aaa authorization lines for each priv level also set up with fallback to local]


I have 2 issues with this:


My thought was that if one TACACS server fails, the IOS-units would use the next server in the server-group, but what happens is that after ACS1 times out, my login-prompt only accepts the localadmin account.


Also, if I shut down ACS1 WHILE being logged in, the authorization correctly falls back to ACS2, BUT only after trying ACS1 on every command entered. I can't seem to find any dead-time feature for TACACS, which would solve this issue.


Anyone got a best-practice take on redundant ACS servers for TACACS? Can't seem to find any on CCO.


thanks,

Lasse
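As an added illustration (not from the original post, and not IOS's real AAA code), a small Python model of the method list "group TACACS local": servers are tried in order, each unreachable server costs its timeout, and an optional dead-time cache, the mechanism the post describes for RADIUS, skips a server that recently timed out instead of retrying it on every command. Server names ACS1/ACS2, the 5-second timeout and the 60-second dead time are constructed values.

```python
"""Toy model of an AAA server group with an optional dead-time cache.
Simplified model for illustration only; not IOS's actual implementation."""


class Server:
    def __init__(self, name, alive, timeout=5.0):
        self.name, self.alive, self.timeout = name, alive, timeout


class ServerGroup:
    """Servers are tried in configured order. With deadtime > 0, a server
    that timed out is skipped for `deadtime` simulated seconds."""

    def __init__(self, servers, deadtime=0.0):
        self.servers, self.deadtime = servers, deadtime
        self.dead_until = {}  # server name -> simulated clock when retried

    def query(self, now):
        """Return (name of server that answered or None, seconds spent, trace)."""
        spent, trace = 0.0, []
        for s in self.servers:
            if self.dead_until.get(s.name, 0.0) > now + spent:
                trace.append(f"skip {s.name} (marked dead)")
                continue
            if s.alive:
                trace.append(f"{s.name} answered")
                return s.name, spent, trace
            spent += s.timeout  # dead server: wait out its timeout
            trace.append(f"{s.name} timed out after {s.timeout}s")
            if self.deadtime:
                self.dead_until[s.name] = now + spent + self.deadtime
        return None, spent, trace  # whole group failed -> fall back to local


def authorize_commands(group, n_commands, now=0.0):
    """Run n back-to-back authorization requests (one per command typed).
    Returns (list of method used per command, total seconds waited)."""
    used, total = [], 0.0
    for _ in range(n_commands):
        who, spent, _trace = group.query(now + total)
        used.append(who or "local")
        total += spent
    return used, total


if __name__ == "__main__":
    # ACS1 down, ACS2 up: every command waits for ACS1's timeout without
    # dead time (15s for 3 commands), but only the first does with dead time.
    for dt in (0.0, 60.0):
        grp = ServerGroup([Server("ACS1", False), Server("ACS2", True)], dt)
        print(f"deadtime={dt}:", authorize_commands(grp, 3))
```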
