AAA authentication failover when user not found in primary ACS server

Unanswered Question

If you have a Cisco IOS device (an IOS access point, for example) that authenticates users to a primary ACS server, how do you configure this IOS device to send these user auth requests to a backup ACS server when the user is not a configured user in the primary ACS server?


My scenario involves NOT JUST an unresponsive primary ACS server but one that does not have the requested user.

gbressanin Fri, 11/07/2003 - 05:01

Hi,


I also needed this info because I have to configure a NAS that has to use two TACACS+ servers. If the user is not found on the first one, it goes on to the second one. I read the info on the link above but I didn't find anything about that issue.


Thank you


Giovanni

r.state Sun, 11/09/2003 - 12:36

Hi Giovanni,


You can configure multiple "tacacs-server host" commands, which will allow you to configure multiple servers. However, I believe that if your first TACACS server responds to your NAS stating it doesn't know the user, then the user will be denied access. The only way the second TACACS server will be queried is if the first server is unavailable and doesn't respond at all. Therefore I believe you will have to configure all your users on both servers, or point them both at a common database.


Hope this helps,

Rowan
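
As an added example (not part of this thread or of any Cisco document), the two-server setup Rowan describes expressed as IOS configuration, with the failover semantics he explains written out as comments; the addresses and keys are constructed placeholders:

```cisco
! Added example, not from the thread. IOS AAA with a primary and a
! backup TACACS+ server. Addresses and keys are constructed placeholders.
aaa new-model
!
! Both servers are listed; IOS tries them in the order configured.
tacacs-server host 192.0.2.10 key PRIMARY-KEY-PLACEHOLDER
tacacs-server host 192.0.2.20 key BACKUP-KEY-PLACEHOLDER
tacacs-server timeout 5
!
! The second host is consulted only when the first one does not answer
! (an ERROR, e.g. a timeout). A REJECT from the first server is final and
! is never retried against the second host, so a user unknown to the
! primary is denied even if the backup knows them.
! The trailing "local" method works the same way: it is used only when
! the whole tacacs+ group is unreachable, never when a server rejects.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! To observe which server answered and whether it returned a REJECT or
! timed out, watch these while testing a login:
!   debug aaa authentication
!   debug tacacs
!   test aaa group tacacs+ <username> <password> legacy
```

With the debugs enabled, a user missing from the primary shows a REJECT from 192.0.2.10 and no traffic to 192.0.2.20, which confirms the behaviour described above.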

gbressanin Mon, 11/10/2003 - 00:47

Hi Rowan,


All the documentation that I found confirms your assertion: "The only way the second tacacs server will be queried is if the first server is unavailable and doesn't respond at all". The only solution for the moment is to use 2 different phone numbers on two different Group-Async interfaces, but the customer doesn't want to use this configuration.

Is there someone who has another solution?


Giovanni

aschiebe Wed, 11/12/2003 - 14:32

The only way I can think of achieving this is if you have some prefix/suffix on the users that should be authenticated to the secondary ACS.

For example: if authentications arrive with usernames dom1/user1 and dom2/user2,

and the primary ACS knows only user1 while the secondary ACS knows only dom2-prefixed usernames, then you can use the "Proxy Distribution Table" (from "Network Configuration") and define that all authentications arriving with a username that begins with "dom2" will be proxied to the secondary ACS.


Hope this helps a little,


Ami

nihal.akbulut Thu, 11/13/2003 - 02:09

Hi,

If the aim is backup, why don't you use database replication? Or do you want to use separate ACSs for separate users?

jleon22 Wed, 12/17/2003 - 11:33

I am undergoing the same type of scenario. There is another ACS server at a different location with a set of users from a different region. We don't share a common database.


I am attempting to try what Ami mentioned in the previous post about filtering and forwarding by domain. However, what happens if the accounts are authenticated NOT against a Windows database, but, say, the Cisco Secure database (locally)?


Any input on what others have tried to work around this would be much appreciated.


johnny
