Authorization failed on the pix 525 when ACS is down

vtandon
Level 1

Hi..

We have a Cisco PIX 525 ver 6.3 and Cisco ACS 3.0. Authentication and authorization are configured on the PIX and are happening through Cisco Secure ACS 3.0. When Cisco ACS is down we are able to connect to the PIX and come to the user mode, but after that we are not able to execute any command, as it gives "authorization failed". Is there any facility to configure authorization in such a way that when ACS is down, authorization should happen through the local database?

4 Replies

gfullage
Cisco Employee

There's no backup authorization method currently on the PIX, so yes, if you have command authorization configured and your ACS server goes down then you'll get no access to commands. There is an enhancement request in for this and it will be incorporated into the v7.0 code available next year (hopefully).

As for now though, your only option is to set up a backup ACS server and then configure that within the PIX, so if the PIX gets no response from the first one it'll try the second. You can have up to 14 servers per AAA group within the PIX, so that should be ample. Within ACS you can also configure ACS replication, so you only make changes on the primary ACS server and the changes are replicated to the backup server(s).
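The configuration the reply describes, as an added example rather than anything posted in the thread: one PIX 6.3 AAA server group holding a primary and a backup ACS host, used for both login authentication and command authorization. The addresses, interface name and the shared secret are constructed placeholders; replace them with your own values and check the `deadtime` / `max-failed-attempts` options against the 6.3 command reference for your image.

```text
! One AAA server group; hosts are tried in the order listed,
! so the PIX falls through to the backup when the primary does not answer.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.11 REPLACE_WITH_SHARED_SECRET timeout 5
aaa-server TACACS+ (inside) host 192.0.2.12 REPLACE_WITH_SHARED_SECRET timeout 5
!
! Optional: after this many unanswered requests a host is marked failed,
! and it is skipped for deadtime minutes before being retried.
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
!
! Management login and enable authentication, then per-command authorization,
! all through the same group. There is no LOCAL fallback for command
! authorization in 6.3, which is exactly why the second host matters.
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+
```

Keep both hosts in sync through ACS replication as the reply suggests; a backup server with stale command sets fails a different way than an unreachable one, but the operator still loses commands.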

Hi..

I am the engineer working along with Vijay on the same problem. Thanks for your input.

Regards,

Jatin

Interesting...but to continue on the same subject, with a PIX v6.3, when the primary ACS server goes down then the backup ACS server gets all the AAA queries from the PIX. That's fine. But we noticed that it continues to get the queries after the primary ACS server is back up. In a case where the secondary (backup) ACS server is not as close as the primary ACS, we'd like to query the primary ACS as soon as it is back up. Is there a way to control this? We'd like to have the PIX sending its AAA requests back to the primary ACS when it is back up or after a certain time (timeout or something).

Yes, we have the same problem. Is there any mechanism like giving priority or something like that? For now, when the first one comes back, we remove the second ACS from the configuration, wait a little for the first ACS to take control, and then put the backup ACS in again. ;) If there is an automatic way I will be very happy..
