Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

aaa authentication on PIX failover

I have recently installed an ACS server and deployed all of our routers and switches on to it. I am in the process of trying to get a few PIXs to authenticate to the ACS, but have run into a problem.

What I'd like to do is have the PIX authenticate against the ACS, however, if it cannot reach the ACS,within the timeout I specified, then authenticate against local credentials.

So first I verified I could authenticate against the local username and password with the following:

aaa authentication telnet console LOCAL

I can log in using my local username and password with no problem.

then I verify I could authenticate against the ACS server with the following

no aaa authentication telnet console LOCAL

aaa authentication telnet console (tacacs server group name)

I can log in using my LDAP credentials being passed through the ACS with no problem.

so now, I want to try to implement my failover: First try the tacacs server group, if the PIX cannot reach the ACS within the timeout, to then authenticate locally.

no aaa authentication telnet console (group name)

aaa authentication telnet console (group name) LOCAL

When the PIX can reach the ACS, I log in using LDAP credentials with no problem.

Then, I pull the plug on the ACS, I log in with local credentials after the expected time out.

Then, I plug the ACS back in. I try to log in using LDAP credentials - immediate fail, did not even wait for the timeout period.

I try the local credentials, and they work.

I know the ACS is still reachable, because I can authenticate from a switch on the same subnet using LDAP credentials.

To me it seems as though the PIX no longer tries to hit the server group I had specified, after it failed once and I do not know why.

Any help would be greatly appreciated.

2 REPLIES
New Member

Re: aaa authentication on PIX failover

Update:

After a considerable amount of time since the ACS was reconnected to the network (20 minutes or so), the PIX is now authenticating against the ACS again. What would cause this long period of time where the PIX would refuse to attempt to authenticate against the tacacs server group?

New Member

Re: aaa authentication on PIX failover

Check if you have the radius-server deadtime interval set. This interval tells the device how long not to attempt with a radius server that was unavailable.

This is useful when you have multiple radius servers and you failover to another radius server should the first one is unavailable.

Without this interval configured, the device will always send request to the first configured radius server and then if not responding send the request to the second radius server after timeout or to another method if configured.

113
Views
0
Helpful
2
Replies