10-22-2003 11:29 AM - edited 03-10-2019 07:32 AM
If you have a Cisco IOS device (an IOS access point, for example) that authenticates users to a primary ACS server, then how do you configure this IOS device to send these user auth requests to a backup ACS server when the user is not a configured user in the primary ACS server?
My scenario involves NOT JUST an unresponsive primary ACS server but one that does not have the requested user.
10-29-2003 08:37 AM
Use the command aaa authentication login on the Cisco device; for more details check the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_a1g.htm#1071170
11-07-2003 05:01 AM
Hi,
I also needed this info because I have to configure a NAS that has to use two TACACS+ servers. If the user is not found on the first one, it goes on to the second one. I read the info on the link above, but I didn't find anything about that issue.
Thank you
Giovanni
11-09-2003 12:36 PM
Hi Giovanni,
You can configure multiple "tacacs-server host" commands, which will allow you to configure multiple servers; however, I believe that if your first TACACS server responds to your NAS stating it doesn't know the user, then the user will be denied access. The only way the second TACACS server will be queried is if the first server is unavailable and doesn't respond at all. Therefore I believe you will have to configure all your users on both servers, or point them both at a common database.
Hope this helps,
Rowan
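The behaviour Rowan describes, shown as an added IOS configuration example (this is not configuration posted by anyone in the thread); the server addresses, the group name DIVISION-ACS, the key and the local account are placeholders:

```cisco
! Added example, not from the thread: IOS AAA with two TACACS+ servers.
! 10.10.1.10 / 10.10.2.10, the key and the local account are placeholders.
aaa new-model
!
tacacs-server host 10.10.1.10 key 0 PLACEHOLDER-KEY
tacacs-server host 10.10.2.10 key 0 PLACEHOLDER-KEY
tacacs-server timeout 5
!
aaa group server tacacs+ DIVISION-ACS
 server 10.10.1.10
 server 10.10.2.10
!
! Servers in the group are tried in the order listed. The second server is
! consulted only when the first does not answer within the timeout (host
! down or unreachable). A FAIL reply from 10.10.1.10 ("unknown user") ends
! the attempt; 10.10.2.10 is never asked, which is the behaviour described
! in the thread.
aaa authentication login default group DIVISION-ACS local
!
! The trailing "local" method applies only when every server in the group
! is unreachable, never on an explicit reject. A local account keeps the
! device manageable if both ACS hosts are down.
username admin privilege 15 secret PLACEHOLDER-SECRET
!
line vty 0 4
 login authentication default
```

Each method in the list is a fallback for an unreachable server, not for a rejected user, so the list ordering does not help when the two ACS servers hold different user populations; that is why the thread ends up at replication or an ACS-side proxy.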
11-10-2003 12:47 AM
Hi Rowan,
All the documentation that I found confirms your assertion: "The only way the second tacacs server will be queried is if the first server is unavailable and doesn't respond at all". The only solution for the moment is to use 2 different phone numbers on two different Group-Async interfaces, but the customer doesn't want to use this configuration.
Is there someone who has another solution?
Giovanni
11-12-2003 02:32 PM
The only way I can think of achieving this is if you have some prefix/suffix for users that should be authenticated to the secondary ACS.
For example: if authentications are with usernames dom1/user1 and dom2/user2, and the primary ACS knows only user1 while the secondary ACS knows only dom2-prefixed usernames, then you can use the "Proxy Distribution Table" (from "Network Configuration") and define that all authentications arriving with a username that begins with "dom2" will be proxied to the secondary ACS.
Hope this helps a little,
Ami
11-13-2003 02:09 AM
Hi,
If the aim is backup, why don't you use database replication? Or do you want to use separate ACSs for separate users?
11-13-2003 06:17 AM
The ACS servers are used by two different divisions (two divisions of the same large corporation) and they do not want the databases to be replicated.
Thanks.
12-17-2003 11:33 AM
I am undergoing the same type of scenario. There is another ACS server at a different location with a set of users from a different region. We don't share a common database.
I am attempting to try what Ami mentioned in the previous post about filtering and forwarding by domain. However, what happens if the accounts are authenticated NOT against a Windows database, but, say, the Cisco Secure database (locally)?
Any input would be much appreciated in what others have tried to workaround this.
johnny