Device login fallback to ACS in case External Identity Store is not available
I have Cisco ACS 5.1 running in TACACS+ mode. For two-way authentication purposes I have a 3rd party RADIUS Identity Store. ACS and the 3rd party RADIUS server are integrated via RADIUS. Currently the device login process works as below:
The user who wants to log in to the Cisco device sends a TACACS+ request to ACS -> ACS forwards the same request to the RADIUS server -> the RADIUS server generates a six-digit token for the user. This is working perfectly.
I want the device login to fall back to ACS in case my 3rd party RADIUS server is down.
In the RADIUS Identity Sequence I have put (1) Radius Server (2) Local Users and tested, but it didn't work...
In the logs I can see that each and every request is going to the RADIUS server and there is a timeout message...
This issue is resolved in ACS 5.3. In the identity sequence there is an advanced option:
If access to the current identity store failed
[ ] Break Sequence
[ ] Continue to next identity store in the sequence
Access to the identity store is considered to have failed if ACS can't establish communication, as in your case where there is a timeout. By default the "Break Sequence" option is selected and no further processing of the identity sequence is done.
If you select "Continue to next identity store in the sequence" it will process the next store in the sequence in case there is a timeout.
Realize that you are only on ACS 5.1 and this would require an upgrade.
(note that if you upgrade to ACS 5.3 it is recommended to immediately install patch 4)
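The following is an added example, not part of the original thread and not Cisco's code: a small Python model of the identity-sequence behaviour the answer describes, so the difference between the default "Break Sequence" and "Continue to next identity store in the sequence" can be exercised against constructed inputs. The store names, the sample user "alice", the token "123456" and the local password "local-pw" are made up for the example. It also models, as an assumption not stated in the thread, that a store which is reachable but rejects the credential ends the sequence: fallback to Local Users is meant for a RADIUS timeout, not for a wrong token, and the example checks that a wrong token does not get a second chance against the local password.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Outcome(Enum):
    ACCEPT = "accept"            # store reached, credential valid
    REJECT = "reject"            # store reached, credential wrong
    NOT_FOUND = "not_found"      # store reached, user unknown there
    UNREACHABLE = "unreachable"  # no communication with the store (timeout)


@dataclass(frozen=True)
class Store:
    name: str
    lookup: Callable[[str, str], Outcome]


# Constructed sample data for the example, not taken from the thread.
TOKENS = {"alice": "123456"}         # six-digit token the external RADIUS server expects
LOCAL_USERS = {"alice": "local-pw"}  # ACS internal user with a static password


def make_radius_store(reachable: bool) -> Store:
    """Model the external RADIUS identity store; reachable=False simulates the timeout."""
    def lookup(user: str, credential: str) -> Outcome:
        if not reachable:
            return Outcome.UNREACHABLE
        if user not in TOKENS:
            return Outcome.NOT_FOUND
        return Outcome.ACCEPT if credential == TOKENS[user] else Outcome.REJECT
    return Store("Radius Server", lookup)


def local_lookup(user: str, credential: str) -> Outcome:
    if user not in LOCAL_USERS:
        return Outcome.NOT_FOUND
    return Outcome.ACCEPT if credential == LOCAL_USERS[user] else Outcome.REJECT


LOCAL_STORE = Store("Local Users", local_lookup)


def process_sequence(stores: List[Store], user: str, credential: str,
                     on_access_failed: str = "break",
                     on_not_found: str = "continue") -> Tuple[Outcome, List[Tuple[str, Outcome]]]:
    """Walk the identity sequence and return (final outcome, per-store trace).

    on_access_failed models the ACS 5.3 advanced option: "break" (the default)
    stops at a timeout, "continue" moves on to the next store.
    A REJECT from a reachable store always ends the sequence (assumed behaviour).
    """
    trace: List[Tuple[str, Outcome]] = []
    for store in stores:
        result = store.lookup(user, credential)
        trace.append((store.name, result))
        if result in (Outcome.ACCEPT, Outcome.REJECT):
            return result, trace
        if result == Outcome.UNREACHABLE and on_access_failed == "continue":
            continue
        if result == Outcome.NOT_FOUND and on_not_found == "continue":
            continue
        return result, trace
    # Every store was skipped; the last store's result is the verdict.
    return trace[-1][1], trace


def demo() -> None:
    cases = [
        ("RADIUS up, correct token, default break", make_radius_store(True), "123456", "break"),
        ("RADIUS down, local password, default break", make_radius_store(False), "local-pw", "break"),
        ("RADIUS down, local password, continue", make_radius_store(False), "local-pw", "continue"),
        ("RADIUS up, wrong token, continue", make_radius_store(True), "local-pw", "continue"),
    ]
    for label, radius, credential, option in cases:
        outcome, trace = process_sequence([radius, LOCAL_STORE], "alice", credential, option)
        print(f"{label}: {outcome.value} via {[(n, r.value) for n, r in trace]}")


if __name__ == "__main__":
    demo()
```

The second case reproduces what the question reports on ACS 5.1: the RADIUS store times out and the request dies there without Local Users being consulted. Only the third case, with "Continue to next identity store in the sequence", reaches Local Users; the fourth case shows that a reachable RADIUS server rejecting the token is not an access failure and does not fall through.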