1896 Views · 0 Helpful · 8 Replies

AAA authentication failover when user not found in primary ACS server

kentnoyes
Level 1

If you have a Cisco IOS device (an IOS access point, for example) that authenticates users to a primary ACS server, then how do you configure this IOS device to send these user auth requests to a backup ACS server when the user is not a configured user in the primary ACS server?

My scenario involves NOT JUST an unresponsive primary ACS server but one that does not have the requested user.

8 Replies

Not applicable

Use the command aaa authentication login on the Cisco device; for more details check the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_a1g.htm#1071170

Hi,

I also needed this info because I have to configure a NAS that has to use two TACACS+ servers. If the user is not found on the first one, it goes on to the second one. I read the info at the link above but I didn't find anything about that issue.

Thank you

Giovanni

Hi Giovanni,

You can configure multiple "tacacs-server host" commands, which will allow you to configure multiple servers; however, I believe that if your first TACACS server responds to your NAS stating it doesn't know the user, then the user will be denied access. The only way the second TACACS server will be queried is if the first server is unavailable and doesn't respond at all. Therefore I believe you will have to configure all your users on both servers, or point them both at a common database.

Hope this helps,

Rowan

Hi Rowan,

All the documentation that I found confirms your assertion: "The only way the second tacacs server will be queried is if the first server is unavailable and doesn't respond at all". The only solution for the moment is to use 2 different phone numbers on two different Group-Async interfaces, but the customer doesn't want to use this configuration.

Is there someone who has another solution?

Giovanni

aschiebe
Level 1

The only way I can think of achieving this is if you have some prefix/suffix on the usernames that should be authenticated by the secondary ACS.

For example: if authentications are with the usernames dom1/user1 and dom2/user2,

and the primary ACS knows only user1 while the secondary ACS knows only dom2-prefixed usernames, then you can use the "Proxy Distribution Table" (from "Network Configuration") and define that all authentications arriving with a username that begins with "dom2" will be proxied to the secondary ACS.

Hope this helps a little,

Ami
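A constructed model of the behaviour Rowan and Ami describe, added here as an example and not taken from any post or from Cisco: a server group is only walked past servers that stay silent, so a "user unknown" reject from the primary ends the login, while a Proxy Distribution Table entry on the primary lets dom2/ users be answered by the secondary. Server names, usernames and passwords are made up, and the model assumes the prefix is kept on the forwarded username.

```python
from dataclasses import dataclass, field

# Verdicts a server can give the NAS; NO_RESPONSE stands for a timeout.
ACCEPT, REJECT, NO_RESPONSE = "ACCEPT", "REJECT", "NO_RESPONSE"

@dataclass
class AcsServer:
    """Toy ACS/TACACS+ server (constructed for this example)."""
    name: str
    users: dict                                      # username -> password (constructed)
    reachable: bool = True
    proxy_table: dict = field(default_factory=dict)  # username prefix -> AcsServer

    def authenticate(self, user: str, password: str) -> tuple:
        if not self.reachable:
            return NO_RESPONSE, None
        # Proxy Distribution Table: forward matching prefixes and relay the answer.
        for prefix, target in self.proxy_table.items():
            if user.startswith(prefix):
                verdict, _ = target.authenticate(user, password)
                return verdict, target.name
        if self.users.get(user) == password:
            return ACCEPT, self.name
        return REJECT, self.name  # unknown user or bad password is a definite answer

def aaa_login(servers: list, user: str, password: str) -> tuple:
    """Walk the server group in order as the IOS method list does.
    Only NO_RESPONSE moves to the next server; ACCEPT and REJECT end the walk.
    Returns (verdict, deciding server name or None if every server was silent)."""
    for srv in servers:
        verdict, decided_by = srv.authenticate(user, password)
        if verdict != NO_RESPONSE:
            return verdict, decided_by
    return REJECT, None  # no server answered: login fails

def build_scenario() -> tuple:
    """Primary knows only user1; secondary knows only dom2/ users (constructed)."""
    return AcsServer("primary", {"user1": "pw1"}), AcsServer("secondary", {"dom2/user2": "pw2"})

if __name__ == "__main__":
    primary, secondary = build_scenario()
    group = [primary, secondary]
    print(aaa_login(group, "dom2/user2", "pw2"))  # ('REJECT', 'primary'): never reaches secondary
    primary.reachable = False
    print(aaa_login(group, "dom2/user2", "pw2"))  # ('ACCEPT', 'secondary'): failover on silence only
    primary.reachable = True
    primary.proxy_table["dom2/"] = secondary
    print(aaa_login(group, "dom2/user2", "pw2"))  # ('ACCEPT', 'secondary'): proxied by primary
```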

Hi,

If the aim is backup, why don't you use database replication? Or do you want to use separate ACSs for separate users?

The ACS servers are used by two different divisions (two divisions of the same large corporation) and they do not want the databases to be replicated.

Thanks.

jleon22
Level 1

I am undergoing the same type of scenario. There is another ACS server at a different location with a set of users from a different region. We don't share a common database.

I am attempting to try what Ami mentioned in the previous post about filtering and forwarding by domain. However, what happens if the accounts are authenticated NOT against a Windows database, but, say, the Cisco Secure database (locally)?

Any input on what others have tried to work around this would be much appreciated.

johnny
