Certificate issue at Secondary ACS

Answered Question
Feb 10th, 2014

Hi

We have a distributed ACS deployment model where the primary ACS can do the configuration role and the secondary ACS is doing the monitoring role.

Our root certificate expired two days back and we have installed this on the primary ACS but forgot to install it on the secondary ACS.

Due to this, some of our wireless users were not able to connect to wireless, with authentication failure messages.

So my question is: are both the primary and secondary ACS accepting the AAA requests and replying, as we are using the distributed deployment model?

Or can you share any Cisco document which shows this?

Correct Answer
Scott Fella Mon, 02/10/2014 - 21:03
The WLC will send authentication to the primary ACS server and will only use the secondary if there is no response from the primary. The WLC will not fail back to the primary unless the secondary fails to respond or if you have Fallback enabled, in which case the WLC will check if the primary is up.


Puneet Gupta Tue, 02/11/2014 - 00:01

Hi Scott

Thanks for the information.

Exactly the same thing is happening. Now clients are authenticated by the secondary ACS, not by the primary ACS.

How can we make the primary ACS work? Will it be disrupted?

Puneet Gupta Tue, 02/11/2014 - 00:02

Is there any way to check when it was moved from the primary to the secondary ACS?

Scott Fella Tue, 02/11/2014 - 05:32

You can see it in the WLC logs or if you issue a show radius summary. That will tell you which is active or not.


Puneet Gupta Tue, 02/11/2014 - 22:46

Is there any way in the monitoring tab on ACS that can show when authentication was shifted from the primary to the secondary ACS for those WLCs?

Or any alarm?
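
For the question above about when authentication shifted between ACS nodes, one approach is to scan exported authentication records for the point where each WLC's requests start being answered by a different node. This is an added example, not part of the original thread or of Cisco's tooling; the CSV columns (`timestamp`, `nas_ip`, `acs_node`), the node names and the sample rows are constructed assumptions, not the actual ACS export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample records (hypothetical columns, not the real ACS export):
# time of the authentication, IP of the WLC that sent it, ACS node that answered.
SAMPLE_CSV = """\
timestamp,nas_ip,acs_node
2014-02-08 09:14:02,10.0.0.5,acs-primary
2014-02-08 09:20:41,10.0.0.6,acs-primary
2014-02-08 10:02:17,10.0.0.5,acs-secondary
2014-02-08 09:58:30,10.0.0.5,acs-primary
2014-02-08 10:05:00,10.0.0.6,acs-primary
2014-02-08 10:30:12,10.0.0.5,acs-secondary
2014-02-08 11:45:09,10.0.0.5,acs-primary
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def find_server_switches(csv_text):
    """Return (nas_ip, switch_time, old_node, new_node) for every point where
    a WLC's requests start being answered by a different ACS node."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["timestamp"], TIME_FORMAT)
        records.append((when, row["nas_ip"], row["acs_node"]))
    records.sort()  # exports are not guaranteed to be in time order

    last_node = {}  # nas_ip -> node that answered its previous request
    switches = []
    for when, nas_ip, node in records:
        previous = last_node.get(nas_ip)
        if previous is not None and previous != node:
            switches.append((nas_ip, when, previous, node))
        last_node[nas_ip] = node
    return switches


if __name__ == "__main__":
    for nas_ip, when, old, new in find_server_switches(SAMPLE_CSV):
        print(f"{when}  WLC {nas_ip}: {old} -> {new}")
```

A switch back to the primary shows up as a second entry for the same WLC, which is what you would expect to see after the primary responds again with Fallback enabled.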
