ACS 5.x Secondary instance authentication with RSA replica.. process?
I currently have an ACS 5.x (5.2) install at 2 sites that is working properly for the most part.
What I think I want to do, is have my primary ACS and RSA servers at one site, and the replicas at a 2nd site. This is currently setup and working. The ACS instances look like they're replicating properly, as well as the RSA instances.
My question, is how does ACS handle failovers? If I lose connectivity from Site 1 to Site 2, how will ACS/RSA work locally for authentications at Site 2?
I would think that a device should be able to hit the ACS server locally (this would be the secondary instance), and the ACS server would then contact the RSA server to authenticate the user. But because the configured RSA server is at Site 1, it won't be able to. So I add a second RSA server under RSA Servers, then add that to the Identity store sequence, therefore, ACS will try to contact the Primary RSA first, fail, then try the 2nd RSA server?
I'm not sure if I'm being clear or not.. if not, please ask some questions and I'll try to be specific as possible.
I guess my main problem is understanding how this failover will work.
Re: ACS 5.x Secondary instance authentication with RSA replica..
You can only add one "instance" of a RSA but this constutes an RSA realm. The RSA realm can consist of muliple RSA servers. Each ACS instance includes an RSA agent instance which can contact multiple servers in the RSA realm, maintains status of each of the servers it is connecting to and can take configuration files that define load balancing configuration
In this situation, all the RSA related configuration forload balancing/redundancy is performed on the RSA servers and upload to the ACS servers. I am not familiar with the details with the specific details of the RSA related configuration but can provide a reference:
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :