New Member
Authorization failed on the pix 525 when ACS is down

Hi..

We have a Cisco PIX 525 ver 6.3 and Cisco ACS 3.0. Authentication and authorization are configured on the PIX and are happening through Cisco Secure ACS 3.0. When Cisco ACS is down we are able to connect to the PIX and come to the user mode, but after that we are not able to execute any command as it is giving "authorization failed". Is there any facility to configure authorization in such a way that when ACS is down authorization should happen through the local database?

4 REPLIES
Cisco Employee

Re: Authorization failed on the pix 525 when ACS is down

There's no backup authorization method currently on the PIX, so yes, if you have command authorization configured and your ACS server goes down then you'll get no access to commands. There is an enhancement request in for this and it will be incorporated into the v7.0 code available next year (hopefully).

As for now though, your only option is to set up a backup ACS server and then configure that within the PIX, so if the PIX gets no response from the first one it'll try the second. You can have up to 14 servers per AAA group within the PIX so that should be ample. Within ACS also you can configure ACS replication so you only make changes on the primary ACS server and the changes are replicated to the backup server(s).
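The backup-server arrangement described in the reply above, written out as a PIX 6.3 configuration fragment: one TACACS+ server group holding a primary and a backup ACS host, with console authentication and command authorization pointed at that group. This is an added example, not configuration from the thread; the interface name, the two addresses and the shared key PLACEHOLDER_KEY are constructed placeholders.

```text
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 PLACEHOLDER_KEY timeout 5
aaa-server TACACS+ (inside) host 10.1.1.11 PLACEHOLDER_KEY timeout 5
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+
```

The hosts are tried in the order they appear in the group, so 10.1.1.10 is the primary and 10.1.1.11 only receives requests once the primary stops answering within its timeout; without any reachable host in the group, every command after login is denied, which is the "authorization failed" in the question. As the later replies in this thread note, this fails over to the second host but does not fail back to the primary on its own.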

New Member

Re: Authorization failed on the pix 525 when ACS is down

Hi..

I am the engineer working along with Vijay on the same problem. Thanks for your input.

Regards,

Jatin

New Member

Re: Authorization failed on the pix 525 when ACS is down

Interesting... but to continue on the same subject, with a PIX v6.3, when the primary ACS server goes down then the backup ACS server gets all the AAA queries from the PIX. That's fine. But we noticed that it continues to get the queries after the primary ACS server is back up. In a case where the secondary (backup) ACS server is not as close as the primary ACS, we'd like to query the primary ACS as soon as it is back up. Is there a way to control this? We'd like to have the PIX sending its AAA requests back to the primary ACS when it is back up or after a certain time (timeout or something).

New Member

Re: Authorization failed on the pix 525 when ACS is down

Yes, we have the same problem. Is there any mechanism like giving priority or something like that? For now, when the first one comes back, we remove the second ACS from the configuration, wait a little for the first ACS to take control, and then put the backup ACS in again. ;) If there is an automatic way I will be very happy..
