acs 5.3 dispersed deployment

Unanswered Question
Aug 6th, 2012

Here is the scenario

I have 2 campuses and 2 acs 5.3

each campus is somewhat independent

I need to setup the following

campus 1 - acs primary

LDAP store - point to local resource and secondary resource on campus 2

Host database for mac filtering - campus 1 acs as primary campus 2 acs as secondary - so replication from campus 1 to campus 2

campus 2 acs secondary

LDAP store - point to local resource and secondary resource on campus 1

Host database for mac filtering - campus 1 acs as primary campus 2 acs as secondary - so replication from campus 1 to campus 2

I am looking at the dispersed deployment, but there is not much info on setting it up.

Questions:

Do I need to set the secondary to local mode for dispersed?

Or can I create everything I need in the primary?

I have created access policies

1 for campus 1 - pointing to local ldap

and

1 for campus 2 - pointing to local ldap

but I am not certain how to make the secondary acs check local resources versus traversing the campus link and checking with the primary acs.

Any thoughts or info would be greatly appreciated.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_deploy.html

Dispersed ACS Deployment

A dispersed ACS deployment is useful for organizations that have campuses located throughout the world. There may be a home campus where the primary network resides, but there may be additional LANs, sized from small to large, in campuses in different regions.

To optimize AAA performance, each of these remote campuses should have its own AAA infrastructure. See Figure 1-5. The centralized management model should still be used to maintain a consistent, synchronized AAA policy.

A centralized-configuration, primary ACS server and separate Monitoring and Report server should still be used. However, each of the remote campuses will have unique requirements.

Figure 1-5     Dispersed ACS Deployment

Tarik Admani Tue, 08/07/2012 - 00:38

Simon,

Just out of curiosity, is your DNS environment replicated between both sites? If not, you can try to create another DNS alias (CNAME) and have site A resolve to primary and site B resolve to secondary. Then create another alias record which reverses the order at both sites?

Thanks,

Tarik Admani
*Please rate helpful posts*

hkisadmin Tue, 08/07/2012 - 17:56

Thanks

DNS is separate but contains overlapping info for both locations. The LDAP server name is configured on both sides. Although I guess I could call it something completely different, however, the LDAP store was configured with IP addresses originally. I will have to think about it.

Thanks for the idea

At this point I have deregistered the secondary and edited the access policy to use the local resources.

For the MAC filtering, I am thinking that I will update campus 1 and export the CSV.

Tarik Admani Tue, 08/07/2012 - 19:13

For the MAC filtering, I am thinking that I will update campus 1 and export the CSV.

Simon,

If you are going to populate the internal host database on acs primary this will replicate to acs secondary.

Thanks,

Tarik Admani
*Please rate helpful posts*

hkisadmin Tue, 08/07/2012 - 19:16

Yes, only if I have primary and secondary setup, but I can't figure out a way for campus 2 to point to local resources. So currently it's detached. The CNAME would have done the trick, but our LDAP servers share the same DNS name so I can't use CNAME because it would still send LDAP requests to campus 1 due to the round robin.

Cheers

hkisadmin Tue, 08/07/2012 - 19:13

It was a good thought, but our LDAP DNS entries are set up for round robin, so CNAME would defeat the purpose.

Cheers

Tarik Admani Tue, 08/07/2012 - 19:23

Simon,

This would have worked with Active Directory by using Sites and Services. Are you using AD or an ldap server? If this is AD why are you going the LDAP route?

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani Fri, 08/10/2012 - 00:37

Simon,

Here is a guide that explains how you can process DNS replies based on the client's source IP address. This may allow you to resolve the DNS queries per your design. I didn't get a chance to get deep into this but thought this would be something you were after:

http://support.microsoft.com/kb/842197

Thanks,

Tarik Admani
*Please rate helpful posts*
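The two DNS behaviours discussed in this thread, plain round robin (which, as hkisadmin notes, keeps sending half of campus 2's LDAP lookups across the link) and answer ordering by the client's source subnet (the netmask-ordering behaviour the KB link above refers to), can be simulated side by side. The following is an added illustration written for this page, not code from the thread, from Cisco or from Microsoft; the hostname, the two LDAP addresses and the two ACS addresses are constructed sample values, the /24 prefix is a parameter rather than a statement about any particular DNS server's default, and it assumes the LDAP client connects to the first A record it receives.

```python
import ipaddress

# Constructed sample topology (not from the thread): one shared LDAP hostname with
# an A record on each campus, and the ACS node that queries it from each campus.
LDAP_A_RECORDS = ["10.1.0.10", "10.2.0.10"]          # campus 1 LDAP, campus 2 LDAP
ACS_NODES = {"campus1": "10.1.0.20", "campus2": "10.2.0.20"}


def round_robin_answers(records, query_index):
    """Plain DNS round robin: the server rotates the record list by one on every
    query, so a resolver sees a different first answer each time, wherever it is."""
    shift = query_index % len(records)
    return records[shift:] + records[:shift]


def netmask_ordered_answers(records, client_ip, prefix_len=24):
    """Netmask ordering (subnet prioritization): answers whose address lies in the
    same /prefix_len network as the querying client are moved to the front. The
    remaining answers keep their order, so round robin still applies among them."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in client_net]
    remote = [r for r in records if ipaddress.ip_address(r) not in client_net]
    return local + remote


def servers_contacted(client_ip, queries, ordering, prefix_len=24):
    """Return the LDAP address the client would use on each of `queries` lookups,
    assuming the LDAP client (here the ACS node) connects to the first answer."""
    chosen = []
    for i in range(queries):
        if ordering == "round_robin":
            answers = round_robin_answers(LDAP_A_RECORDS, i)
        elif ordering == "netmask":
            # Rotate first, then let netmask ordering pull the local record forward.
            rotated = round_robin_answers(LDAP_A_RECORDS, i)
            answers = netmask_ordered_answers(rotated, client_ip, prefix_len)
        else:
            raise ValueError(f"unknown ordering {ordering!r}")
        chosen.append(answers[0])
    return chosen


def cross_campus_fraction(client_ip, queries, ordering, prefix_len=24):
    """Fraction of lookups that send the client over the campus link to a remote
    LDAP server instead of the one in its own subnet."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    chosen = servers_contacted(client_ip, queries, ordering, prefix_len)
    remote = sum(1 for addr in chosen if ipaddress.ip_address(addr) not in client_net)
    return remote / queries


if __name__ == "__main__":
    for campus, acs_ip in ACS_NODES.items():
        for ordering in ("round_robin", "netmask"):
            frac = cross_campus_fraction(acs_ip, 10, ordering)
            print(f"{campus} ACS {acs_ip} with {ordering:<11}: "
                  f"{frac:.0%} of LDAP lookups cross the campus link")
```

With round robin alone, each ACS node is sent to the remote campus on every other lookup, which is exactly why a per-site CNAME pointing at the shared name does not help. With subnet-based ordering the first answer is always the LDAP server in the querying node's own subnet, while the second answer still provides the cross-campus fallback the original design asked for.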

Posted August 6, 2012 at 8:45 PM