10-08-2003 02:35 AM - edited 03-10-2019 07:30 AM
Hi..
We have a Cisco PIX 525 running ver 6.3 and Cisco ACS 3.0. Authentication and authorization are configured on the PIX and happen through Cisco Secure ACS 3.0. When Cisco ACS is down we are able to connect to the PIX and get to user mode, but after that we are not able to execute any command, as it gives "authorization failed". Is there any facility to configure authorization in such a way that when ACS is down, authorization happens through the local database?
10-08-2003 05:00 PM
There's no backup authorization method currently on the PIX, so yes, if you have command authorization configured and your ACS server goes down then you'll get no access to commands. There is an enhancement request in for this and it will be incorporated into the v7.0 code available next year (hopefully).
As for now though, your only option is to set up a backup ACS server and then configure that within the PIX, so if the PIX gets no response from the first one it'll try the second. You can have up to 14 servers per AAA group within the PIX, so that should be ample. Within ACS you can also configure ACS replication, so you only make changes on the primary ACS server and the changes are replicated to the backup server(s).
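The following PIX 6.3 configuration is an added example of the setup described in the reply above (two TACACS+ servers in one AAA server group, with console authentication and command authorization pointed at that group); it is not configuration posted by the original participants. The interface name, the server addresses 10.1.1.10 / 10.1.1.11, the shared key and the timer values are assumptions and must be replaced with your own.

```cisco
! Added example (not from the original thread). Interface, addresses,
! key and timers below are placeholders.
!
! One AAA server group; protocol is set once for the whole group.
aaa-server ACSGROUP protocol tacacs+
!
! Treat a server as failed after 3 unanswered requests and skip it for
! 10 minutes before retrying it, so the PIX does not stall on the dead
! primary for every command that needs authorization.
aaa-server ACSGROUP max-failed-attempts 3
aaa-server ACSGROUP deadtime 10
!
! Servers are tried in the order they are configured: list the primary
! (closest) ACS first and the backup second. Up to 14 hosts per group.
aaa-server ACSGROUP (inside) host 10.1.1.10 MySharedKey timeout 5
aaa-server ACSGROUP (inside) host 10.1.1.11 MySharedKey timeout 5
!
! Send login, enable and command authorization for all management
! access to the group rather than to a single host.
aaa authentication serial console ACSGROUP
aaa authentication ssh console ACSGROUP
aaa authentication telnet console ACSGROUP
aaa authentication enable console ACSGROUP
aaa authorization command ACSGROUP
```

Use the same key on both ACS servers (ACS replication as mentioned above keeps the user and command-set definitions in sync, but the shared key for the PIX AAA client still has to match on each server). Keep one non-TACACS way back in (for example a console line with local password) and verify the failover by stopping the TACACS+ service on the primary while watching `show aaa-server` and `debug tacacs` on the PIX before relying on it in production.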
10-09-2003 02:53 AM
Hi..
I am the engineer working along with Vijay on the same problem. Thanks for your input.
Regards,
Jatin
10-14-2003 10:28 AM
Interesting... but to continue on the same subject: with a PIX v6.3, when the primary ACS server goes down, the backup ACS server gets all the AAA queries from the PIX. That's fine. But we noticed that it continues to get the queries after the primary ACS server is back up. In a case where the secondary (backup) ACS server is not as close as the primary ACS, we'd like to query the primary ACS as soon as it is back up. Is there a way to control this? We'd like to have the PIX send its AAA requests back to the primary ACS when it is back up, or after a certain time (a timeout or something).
10-16-2003 11:51 PM
Yes, we have the same problem. Is there any mechanism like giving priority or something like that? For now, when the first one comes back, we remove the second ACS from the configuration, wait a little for the first ACS to take control, and then put the backup ACS back in again. ;) If there is an automatic way I will be very happy.