AAA authentication failover when user not found in primary ACS server

If you have a Cisco IOS device (an IOS access point, for example) that authenticates users to a primary ACS server, then how do you configure this IOS device to send these user auth requests to a backup ACS server when the user is not a configured user in the primary ACS server?

My scenario involves NOT JUST an unresponsive primary ACS server but one that does not have the requested user.

8 REPLIES
Anonymous
N/A

Re: AAA authentication failover when user not found in primary A

Use the command aaa authentication login on the Cisco device; for more details check the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_a1g.htm#1071170

Community Member

Re: AAA authentication failover when user not found in primary A

Hi,

I also needed this info because I have to configure a NAS that has to use two TACACS+ servers. If the user is not found on the first one, it goes on to the second one. I read the info at the link above but I didn't find anything about that issue.

Thank you

Giovanni

Community Member

Re: AAA authentication failover when user not found in primary A

Hi Giovanni,

You can configure multiple "tacacs-server host" commands, which will allow you to configure multiple servers; however, I believe that if your first TACACS+ server responds to your NAS stating it doesn't know the user, then the user will be denied access. The only way the second TACACS+ server will be queried is if the first server is unavailable and doesn't respond at all. Therefore I believe you will have to configure all your users on both servers, or point them both at a common database.

Hope this helps,

Rowan
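The behaviour Rowan describes is the IOS method-list rule: a method in the list is skipped only when it returns ERROR (no server in the group answered within the timeout and retries), never when it returns FAIL (a server answered with a reject). The configuration below is an added example, not from the original thread or from Cisco's documentation; the addresses, keys and the local username are placeholders, and the legacy `tacacs-server host` syntax matches the IOS 12.3 era of the thread (newer IOS releases use `tacacs server NAME` blocks instead).

```cisco
! Added example: two TACACS+ servers in the default group, queried in the order listed.
! 10.1.1.10, 10.1.1.20 and the keys are placeholders, not values from the thread.
aaa new-model
tacacs-server host 10.1.1.10 key PrimaryKey
tacacs-server host 10.1.1.20 key BackupKey
tacacs-server timeout 5
!
! Method list: group tacacs+ first; "local" is consulted only if the whole group errors out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Break-glass local account, reachable only when no TACACS+ server answers at all.
username admin privilege 15 secret PlaceholderSecret
!
line vty 0 4
 login authentication default
 transport input ssh
```

What this does for a login by user `bob`: the request goes to 10.1.1.10 first. If that server replies with a REJECT, the `group tacacs+` method returns FAIL, the login is denied, and neither 10.1.1.20 nor the local database is ever consulted. Only if 10.1.1.10 does not reply within the 5-second timeout (times the retransmit count) does IOS move on to 10.1.1.20, and only if that also times out does the `local` method get a turn. You can confirm the behaviour from the device with `test aaa group tacacs+ bob <password> legacy` while watching `debug aaa authentication` and `debug tacacs`. The security consequence is that the `local` fallback is only reachable by taking every TACACS+ server offline, so the local account should be a guarded break-glass credential rather than a daily-use one.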

Community Member

Re: AAA authentication failover when user not found in primary A

Hi Rowan,

All the documentation that I found confirms your assertion: "The only way the second tacacs server will be queried is if the first server is unavailable and doesn't respond at all". The only solution for the moment is to use two different phone numbers on two different Group-Async interfaces, but the customer doesn't want to use this configuration.

Does anyone have another solution?

Giovanni
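The per-entry-point workaround Giovanni refers to can be expressed in IOS with named server groups and named method lists, so that each dial-in group authenticates against its own division's server and nothing else. This is an added example, not from the thread or from any Cisco document; the group names, addresses, keys and the line-to-Group-Async mapping are assumptions.

```cisco
! Added example: one TACACS+ server per division, selected by which Group-Async the caller lands on.
! Addresses, keys, group names and group-range values are placeholders.
aaa new-model
tacacs-server host 10.1.1.10 key DivAKey
tacacs-server host 10.2.2.10 key DivBKey
!
! One named server group per division; each holds only that division's server.
aaa group server tacacs+ DIV_A
 server 10.1.1.10
aaa group server tacacs+ DIV_B
 server 10.2.2.10
!
! Named PPP method lists, one per division. There is deliberately no cross-division fallback.
aaa authentication ppp DIVA_PPP group DIV_A
aaa authentication ppp DIVB_PPP group DIV_B
!
! Each Group-Async is reached through its own phone number and uses its division's list.
interface Group-Async1
 encapsulation ppp
 ppp authentication chap DIVA_PPP
 group-range 1 8
!
interface Group-Async2
 encapsulation ppp
 ppp authentication chap DIVB_PPP
 group-range 9 16
```

Because each method list contains a single server group, a caller who dials Division B's number is never sent to Division A's ACS, so neither database needs to hold the other division's users. The cost is exactly the one the customer objects to: the caller has to use the right number, and there is still no way to make a REJECT from one server trigger a query of the other.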

Community Member

Re: AAA authentication failover when user not found in primary A

The only way I can think of achieving this is if you have some prefix/suffix on the users that should be authenticated to the secondary ACS.

For example: if authentications are with usernames dom1/user1 and dom2/user2,

and the primary ACS knows only user1 while the secondary ACS knows only dom2-prefixed usernames, then you can use the "Proxy Distribution Table" (from "Network Configuration") and define that all authentications arriving with a username that begins with "dom2" will be proxied to the secondary ACS.

Hope this helps a little,

Ami

Community Member

Re: AAA authentication failover when user not found in primary A

Hi,

If the aim is backup, why don't you use database replication? Or do you want to use separate ACSs for separate users?

Community Member

Re: AAA authentication failover when user not found in primary A

The ACS servers are used by two different divisions (two divisions of the same large corporation) and they do not want the databases to be replicated.

Thanks.

Community Member

Re: AAA authentication failover when user not found in primary A

I am undergoing the same type of scenario. There is another ACS server at a different location with a set of users from a different region. We don't share a common database.

I am attempting to try what Ami mentioned in the previous post about filtering and forwarding by domain. However, what happens if the accounts are authenticated NOT against a Windows database, but against, say, the Cisco Secure database (locally)?

Any input would be much appreciated on what others have tried to work around this.

johnny
