New Member

How does ACS check redundancy?

Hi,

In a router, if you configure tacacs-server host tacacs-1 tacacs-2, this is how you set up ACS redundancy.  My question is, how does the router check the pulse of each tacacs server?  By ping or some other keepalive mechanism?  What does this command really do behind the scenes?

What happens in our environment is that tacacs-1 services within Windows keep on stopping by themselves.  We can't authenticate and the tacacs service does not fail over to tacacs-2.

Accepted Solution

Re: How does ACS check redundancy?

Hi Ganesh.H,

Thanks for the reply.  Looking at the command documentation, it states:

"If the command is not configured, the timeout interval is 5 seconds."

So it is default configured regardless of whether I enter this command or not. However, this command does not work as TACACS service does not fail over.  Any other idea?

Kevin,

This command is not default configured in Cisco switches; the default parameter is 5 sec if you configure tacacs server timeout only without specifying the time in sec.

HTH

Ganesh.H

5 REPLIES

Re: How does ACS check redundancy?

Hi,

Actually the configuration is not like this for redundancy of TACACS servers in Cisco switches; it should be like the sample below:

tacacs-server host 10.1.X.X  - Primary
tacacs-server host 10.2.X.X  - Secondary

TACACS+ is a method of information exchange between a device that provides network access to users (the "TACACS+ client") and a device that contains authentication information for those users (the "TACACS+ server"). TACACS+ is based on the AAA model: authentication, authorization and accounting. And for your query: generally a TACACS+ client and TACACS+ server communicate by means of TACACS+ packets sent over TCP/IP networks. TACACS+ packets are formatted using conventions outlined in The TACACS+ Protocol Version 1.78.

Hope that clears up your query!!

If helpful do rate the post

Ganesh.H

New Member

Re: How does ACS check redundancy?

Thanks.  But it still does not answer my question.

Basically, ACS is installed on Windows.  Often the TACACS service is hung but Windows server itself is working.  The redundancy command on the router does not fail over to the second TACACS server because the Windows server is working.  How do I solve this issue?

Thanks.

Re: How does ACS check redundancy?


Hi,

To set the interval that the server waits for a server host to reply, use the tacacs-server timeout sec global configuration command in Cisco switches.

seconds: Integer that specifies the timeout interval in seconds (between 1 and 300). The default is 5 seconds.

Hope that helps!!

If helpful do rate the post

Ganesh.H

New Member

Re: How does ACS check redundancy?

Hi Ganesh.H,

Thanks for the reply.  Looking at the command documentation, it states:

"If the command is not configured, the timeout interval is 5 seconds."

So it is default configured regardless of whether I enter this command or not.  However, this command does not work as TACACS service does not fail over.  Any other idea?
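
An added example, not written by any poster in this thread and not Cisco code: a Python probe for a monitoring host that separates the case described above, where the Windows server accepts the TCP connection but the TACACS+ service never answers, from a server that is unreachable or responding. The shared key, the server list and the function names are assumptions; the packet layout follows the published TACACS+ specification (RFC 8907), and the 5-second default mirrors the timeout quoted in the thread.

```python
import hashlib, os, socket, struct

VERSION, AUTHEN = 0xC0, 0x01   # major version 0xC / minor 0; packet type "authentication"

def build_start(key: bytes, session_id: bytes) -> bytes:
    """Minimal authentication START (ASCII login, empty user/port/rem_addr/data)."""
    body = bytes([0x01, 0x01, 0x01, 0x01, 0, 0, 0, 0])
    # Body obfuscation: XOR with MD5(session_id + key + version + seq_no).
    pad = hashlib.md5(session_id + key + bytes([VERSION, 1])).digest()
    body = bytes(b ^ p for b, p in zip(body, pad))
    header = struct.pack("!BBBB4sI", VERSION, AUTHEN, 1, 0, session_id, len(body))
    return header + body

def probe(host: str, key: bytes, port: int = 49, timeout: float = 5.0) -> str:
    """Classify one server: 'unreachable', 'no-reply', 'closed' or 'responding'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"            # refused, filtered or host down
    reply = b""
    with sock:
        try:
            sock.sendall(build_start(key, os.urandom(4)))
            while len(reply) < 12:      # a TACACS+ header is 12 bytes
                chunk = sock.recv(12 - len(reply))
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            return "no-reply"           # TCP handshake completed, daemon never answered
        except OSError:
            return "closed"
    if len(reply) == 12 and reply[0] >> 4 == 0xC and reply[1] == AUTHEN:
        return "responding"
    return "closed"

def first_healthy(servers, key: bytes, timeout: float = 5.0):
    """Walk (host, port) pairs in configured order; return (chosen, per-server states)."""
    states = {}
    for host, port in servers:
        state = probe(host, key, port, timeout)
        states[(host, port)] = state
        if state == "responding":
            return (host, port), states
    return None, states
```

A "no-reply" result against a host that still answers ping is the hung-service condition from the question, which is the state worth alerting on or using to trigger a service restart.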
