SPLIT ACS CONFIGURATION

Aug 24th, 2010

Hi all. In Cisco's documentation, I found something about split ACS deployment where both ACS boxes can act as primary in their zones and then secondary for the other zone respectively, but I don't seem to understand how this can be done on the two ACS boxes. My concern is this:

Is there a place where you can configure on each machine that machine "A" is the primary for this zone and machine "B" the other zone and vice versa?

I also want to believe that on each AAA client, the first TACACS server configured would be the default AAA server unless it's not available, then the client checks the next server, just like the behaviour of an ACL.

Are there any docs that explain the replication of this database, and configurations required?

Regards all.

Thanks.

Chetan Kumar Ress Tue, 08/24/2010 - 11:05

Hi

Split ACS Configuration is the concept of dividing the AAA load.

As per Cisco: In split ACS deployment, you use primary and secondary servers as in a small ACS deployment, but the AAA load is split between the two servers to optimize AAA flow. Each server handles the full workload of both servers in the event of a AAA connectivity problem, but during normal operations neither server carries the full load of authentication requests. This property of the servers allows for less stress on each ACS system, provides better loading, and makes you aware of the functional status of the secondary server through normal operations.

If you want to Split the Load then you have to change the way of AAA deployment.

For example: You have 2000 devices & 2 ACS. Then you can divide the load.

You can configure the 1000 devices with:

  • ACS 1 - Primary IP address
  • ACS 2 - Secondary IP address

& other 1000 devices with:

  • ACS 2 - Secondary IP address
  • ACS 1 - Primary IP address

In this way the Load of 2000 devices will be split between 2 ACS Server.

Regards

Chetan Kumar

http://chetanress.blogspot.com

darkyunie Mon, 12/06/2010 - 14:32

Hello,

I'm interested in this topic, too.

I was wondering if with this split ACS configuration, replication is possible. And if it is, then how it would be in the ACS configuration, if the system allows to be secondary server and also primary server at the same time. I've taken a look at the user guide and it seemed to me like this wasn't possible, and it doesn't explain how to do a split ACS configuration... it is only mentioned in the installation and upgrade guide.

I appreciate your comments. Regards.

prabirsenapati Fri, 01/15/2016 - 21:13

Hello,

Can anyone please tell me if we can implement Split ACS deployment in two different geographical locations?

My requirement is to have one ACS server at one location and the other at some other location, and the AAA load has to be shared between the two. Kindly suggest which would be the best deployment plan.

Thanks in advance,

Prabir

Jatin Katyal Fri, 01/15/2016 - 21:53

Yes, you can, as you have only 2 ACS. In split ACS deployment, you use primary and secondary servers as in a small ACS deployment, but the AAA load is split between the two servers to optimize AAA flow. Each server handles the full workload of both servers in the event of a AAA connectivity problem, but during normal operations neither server carries the full load of authentication requests. This property of the servers allows for less stress on each ACS system, provides better loading, and makes you aware of the functional status of the secondary server through normal operations.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_contro...

- Jatin

prabirsenapati Sat, 01/16/2016 - 02:01

Hi Jatin,

Thank you for your update.

But I have not got any document from the Cisco site which confirms the locations where the primary and secondary are to be placed. As confirmed by you, I take it that they can be implemented in two different geographical locations.

Kindly share if you have any design & configuration document regarding Cisco Secure ACS 5.8.

Regards,

Prabir

Bastien Migette Tue, 12/07/2010 - 07:00

You normally just have to have one primary ACS and one secondary ACS, both synchronized, and on some devices you will add the secondary as first AAA server and the primary as second, and on other devices you'll do the contrary.
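The split described in this thread lives entirely in the server order on each AAA client, so it can be checked from device configurations. The following is an added example, not code from any poster or from Cisco: it audits which ACS each device tries first and flags devices that lack a fallback. It assumes legacy `tacacs-server host` lines; the hostnames, IP addresses and sample configs are constructed.

```python
import re
from collections import Counter

# Constructed sample data: hypothetical hostnames, documentation-range IPs.
ACS1, ACS2 = "192.0.2.10", "192.0.2.20"
CONFIGS = {
    "sw-a1": "tacacs-server host 192.0.2.10\ntacacs-server host 192.0.2.20\n",
    "sw-a2": "tacacs-server host 192.0.2.10\ntacacs-server host 192.0.2.20\n",
    "sw-b1": "tacacs-server host 192.0.2.20\ntacacs-server host 192.0.2.10\n",
    "sw-b2": "tacacs-server host 192.0.2.20\n",  # only one server: no failover
}

# Matches the server address on each "tacacs-server host <ip> ..." line.
HOST_RE = re.compile(r"^\s*tacacs-server host (\S+)", re.MULTILINE)


def server_order(config):
    """Return the TACACS+ server addresses in configured (preference) order."""
    return HOST_RE.findall(config)


def audit_split(configs, servers):
    """Return (first-choice count per server, devices missing either server)."""
    first_choice = Counter()
    no_failover = []
    for name, cfg in sorted(configs.items()):
        order = server_order(cfg)
        if order:
            first_choice[order[0]] += 1
        # A device must list every ACS, or it cannot fail over to the other one.
        if not set(servers) <= set(order):
            no_failover.append(name)
    return dict(first_choice), no_failover


if __name__ == "__main__":
    counts, missing = audit_split(CONFIGS, (ACS1, ACS2))
    print("first-choice counts:", counts)
    print("devices without both servers:", missing)
```

A skewed first-choice count means one ACS carries most of the load in normal operation; a device in the second list loses AAA entirely if its only configured server is unreachable.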
