I've recently set up multiple ACS 5.1 boxes with primary/secondary replication for redundancy.
I was thinking to use this for redundant RADIUS services (point wireless controllers etc. towards multiple ACS instances, and let the RADIUS monitoring dead-timers figure out which servers to use in case of a failure). For RADIUS this works perfectly.
For TACACS, I have tried with a server group:
aaa new-model
! aaa new-model must be enabled before the server group and method lists below
tacacs-server host ACS1 single-connection key MYKEY
tacacs-server host ACS2 single-connection key MYKEY
aaa group server tacacs+ TACACS
 server ACS1
 server ACS2
username localadmin password MYPW
aaa authentication login default group TACACS local
[aaa authorization lines for each priv level also setup with fallback to local]
I have 2 issues with this:
My thought was that if one TACACS server fails, the IOS-units would use the next server in the server-group, but what happens is that after ACS1 times out, my login-prompt only accepts the localadmin account.
Also - if I shut down ACS1 WHILE being logged in, the authorization correctly falls back to ACS2, BUT only after trying ACS1 on every command entered. I can't seem to find any dead-time feature for TACACS, which would solve this issue.
Anyone got a best-practice take on redundant ACS servers for TACACS? Can't seem to find any on CCO.
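As an added illustration (not from the original post and not IOS code), a small Python model of the behaviour described above: a server group that is tried in order, where a down server costs a full timeout on every request unless a RADIUS-style dead-timer marks it dead and skips it. The 5 s per-server timeout is an assumption (the IOS default for tacacs-server timeout), and the server names and the "one command per second" pacing are constructed.

```python
"""Toy model of per-command timeout cost in an ordered AAA server group.

Added illustration only: it is not IOS code. It shows why a group without a
dead-timer (the TACACS+ behaviour the post observed) pays the timeout of a
dead first server on every authorization, while a dead-timer pays it once.
"""
from dataclasses import dataclass, field

TIMEOUT_S = 5.0  # assumed per-server timeout (IOS default for tacacs-server)


@dataclass
class ServerGroup:
    servers: list            # ordered server names, e.g. ["ACS1", "ACS2"]
    down: set                # constructed: servers currently unreachable
    deadtime_s: float = 0.0  # 0 = no dead-timer (observed TACACS+ behaviour)
    dead_until: dict = field(default_factory=dict)

    def authorize(self, now_s: float):
        """Return (server_used, seconds_spent_on_timeouts) for one request."""
        spent = 0.0
        for name in self.servers:
            if self.dead_until.get(name, -1.0) > now_s:
                continue                 # marked dead: skipped without waiting
            if name in self.down:
                spent += TIMEOUT_S       # wait the full timeout, then move on
                if self.deadtime_s > 0:
                    self.dead_until[name] = now_s + self.deadtime_s
                continue
            return name, spent
        return None, spent               # every server failed -> local fallback


def session_cost(commands: int, deadtime_s: float) -> float:
    """Seconds lost to timeouts over `commands` authorizations, assuming ACS1
    is down, ACS2 is up, and one command is entered per second."""
    group = ServerGroup(["ACS1", "ACS2"], {"ACS1"}, deadtime_s)
    total = 0.0
    for i in range(commands):
        used, spent = group.authorize(now_s=float(i))
        assert used == "ACS2"            # fallback to ACS2 always succeeds here
        total += spent
    return total


if __name__ == "__main__":
    print("no dead-timer, 10 commands:", session_cost(10, 0.0), "s")      # 50.0
    print("300 s dead-timer, 10 commands:", session_cost(10, 300.0), "s")  # 5.0
```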