Cisco Support Community

New Member

AAA failover in ASA

Hello, I just wanna ask the config to set AAA failover if ASA couldn't contact ACS. Is that possible? I want user access by authenticating to ACS, but if ASA's connection to ACS fails, it will revert authentication to ASA itself.

I see that ASA config is different than router and switch.

4 REPLIES
Cisco Employee

Re: AAA failover in ASA

If you want authentication to fail over to another ACS server, create an aaa server group, define 2 servers in it, and use this server group in the authentication command.

eg.

________________________________

aaa-server TEST protocol tacacs

aaa-server TEST host 1.1.1.1

aaa-server TEST host 2.2.2.2

aaa authentication telnet console TEST

____________________________________

So authentication will go to 1.1.1.1; if it times out for any reason, it will fall back to 2.2.2.2.

If you want failover to local ASA, define it according to the following:

aaa authentication telnet console TEST LOCAL

Hope this helps.

~Rohit

New Member

Re: AAA failover in ASA

I've input

aaa authentication telnet console LOCAL

But I can only log in using local user and pass. I can't use ACS authentication. When I try to input:

aaa authentication telnet console

I can use ACS authentication, but when I deny the access from ASA to ACS, it can't do anything except a blank screen when I input the user and pass and press enter.

Cisco Employee

Re: AAA failover in ASA

Enable debugs and check the status:

debug aaa authentication

debug tacacs

You should get an answer if it's falling back to local or not.

New Member

Re: AAA failover in ASA

Hi rochopra,

I get your point, thanks hehehe.

But I found that it takes time to revert to LOCAL; as I see in debug, it sent 3 times to ACS before reverting to LOCAL.
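
An offline check for the two misconfigurations seen in this thread (console authentication set to LOCAL only, and a server group used without a LOCAL fallback), as an added example that is not part of the original posts. The function name `audit_aaa_fallback`, the `SOLO` group, its address and the sample config are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample config: TEST lines are from the thread, SOLO/3.3.3.3 are made up.
SAMPLE_CONFIG = """\
aaa-server TEST protocol tacacs
aaa-server TEST host 1.1.1.1
aaa-server TEST host 2.2.2.2
aaa-server SOLO protocol tacacs
aaa-server SOLO host 3.3.3.3
username admin password <placeholder> privilege 15
aaa authentication telnet console TEST LOCAL
aaa authentication ssh console SOLO
aaa authentication serial console LOCAL
"""
def audit_aaa_fallback(config: str) -> list[str]:
    """Return findings about console authentication fallback in an ASA config."""
    hosts = defaultdict(list)      # server group -> host addresses defined for it
    groups = set()                 # groups declared with a "protocol" line
    console = []                   # (access type, [methods in order])
    has_local_user = False         # LOCAL fallback is useless without a local user
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa-server (\S+) protocol \S+", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa-server (\S+)(?: \(\S+\))? host (\S+)", line):
            hosts[m.group(1)].append(m.group(2))
        elif m := re.match(r"aaa authentication (\S+) console (.+)", line):
            console.append((m.group(1), m.group(2).split()))
        elif line.startswith("username "):
            has_local_user = True
    findings = []
    for access, methods in console:
        group = methods[0]
        if group == "LOCAL":
            findings.append(f"{access}: LOCAL only, the AAA server is never consulted")
            continue
        if group not in groups:
            findings.append(f"{access}: server group {group} is not defined")
        elif len(hosts[group]) < 2:
            findings.append(f"{access}: group {group} has {len(hosts[group])} host(s), no server failover")
        if "LOCAL" not in methods[1:]:
            findings.append(f"{access}: no LOCAL fallback, logins fail if {group} is unreachable")
        elif not has_local_user:
            findings.append(f"{access}: LOCAL fallback set but no local username exists")
    return findings

if __name__ == "__main__":
    for finding in audit_aaa_fallback(SAMPLE_CONFIG):
        print(finding)
```
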
