Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Device login fallback to ACS incae External Identity Store is not available

Hi,

I have Cisco ACS 5.1 running in TACACS+ mode. For 2 way authentication purpose i do have a 3rd party Radius Identity Store. ACS & the 3rd party Radius server is integrated via Radius. Currently device login process works something like below:

User wants to login to cisco device sends TACACS+ request to ACS-> ACS forwards the same request to the Radius server-> Radius server generates a six digit token to the user. This is perfectly working.

I want, device login should fallback to ACS incase my 3rd party Radius Server is down.

In Radius Identity Sequence, i have put (1) Radius Server (2) Local Users & tested, but it didn't work...

In the logs i can find, each & every request is going to the Radius server & there is a timeout message...

Can someone suggest me...

1 REPLY
Cisco Employee

Device login fallback to ACS incae External Identity Store is no

This issue is resolved in ACS 5.3. In the identity sequence there is an advanced option:

If access to the current identity store failed

[ ] Break Sequence

[ ] Continue to next identity store in the sequence

Access to the identity store is considered to have failed if can't establish communicaiton; as in your case where there is a timeout. By default the "Break Sequence" option is selected and no further processing of the identity sequence is donr

If you select "Continue to next identity store in the sequence" it will process the next store in the sequence in case there is a timeout.

Realize that you are only on ACS 5.1 and this would require an upgrade......

(note that if you upgrade to ACS 5.3 it is recommended to immediately install patch 4)

426
Views
0
Helpful
1
Replies