Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 5.x Secondary instance authentication with RSA replica.. process?

Hey all..

I currently have an ACS 5.x (5.2) install at 2 sites that is working properly for the most part.

What I think I want to do, is have my primary ACS and RSA servers at one site, and the replicas at a 2nd site.  This is currently setup and working.  The ACS instances look like they're replicating properly, as well as the RSA instances.

My question, is how does ACS handle failovers?  If I lose connectivity from Site 1 to Site 2, how will ACS/RSA work locally for authentications at Site 2?

I would think that a device should be able to hit the ACS server locally (this would be the secondary instance), and the ACS server would then contact the RSA server to authenticate the user.  But because the configured RSA server is at Site 1, it won't be able to.  So I add a second RSA server under RSA Servers, then add that to the Identity store sequence, therefore, ACS will try to contact the Primary RSA first, fail, then try the 2nd RSA server?

I'm not sure if I'm being clear or not..   if not, please ask some questions and I'll try to be specific as possible.

I guess my main problem is understanding how this failover will work.

ACS 5.2

RSA 7.x


Cisco Employee

Re: ACS 5.x Secondary instance authentication with RSA replica..

You can only add one "instance" of a RSA but this constutes an RSA realm. The RSA realm can consist of muliple RSA servers. Each ACS instance includes an RSA agent instance which can contact multiple servers in the RSA realm, maintains status of each of the servers it is connecting to and can take configuration files that define load balancing configuration

In this situation, all the RSA related configuration forload balancing/redundancy is performed on the RSA servers and upload to the ACS servers. I am not familiar with the details with the specific details of the RSA related configuration but can provide a reference:

CreatePlease login to create content