How does ACS check redundancy?

kevin.hu
Level 3

Hi,

In a router, if you configure tacacs-server host tacacs-1 tacacs-2, this is how you set up ACS redundancy. My question is, how does the router check the pulse of each tacacs server? By ping or some other keepalive mechanism? What does this command really do behind the scenes?

What happens in our environment is that the tacacs-1 services within Windows keep on stopping by themselves. We can't authenticate and the tacacs service does not fail over to tacacs-2.

1 Accepted Solution

Hi Ganesh.H,

Thanks for the reply.  Looking at the command documentation, it states:

"If the command is not configured, the timeout interval is 5 seconds."

So it is default configured regardless of whether I enter this command or not. However, this command does not work as the TACACS service does not fail over. Any other ideas?

Kevin,

This command is not default configured in Cisco switches; the default parameter is 5 sec if you configure tacacs server timeout only, without specifying the time in sec.

HTH

Ganesh.H

5 Replies

Ganesh Hariharan
VIP Alumni

Hi,

Actually, the configuration is not like this for redundancy of TACACS servers in Cisco switches; it should be like the sample below:

! Primary
tacacs-server host 10.1.X.X
! Secondary
tacacs-server host 10.2.X.X

TACACS+ is a method of information exchange between a device that provides network access to users (the "TACACS+ client") and a device that contains authentication information for those users (the "TACACS+ server"). TACACS+ is based on the AAA model: authentication, authorization and accounting. For your query: generally, a TACACS+ client and TACACS+ server communicate by means of TACACS+ packets sent over TCP/IP networks. TACACS+ packets are formatted using conventions outlined in The TACACS+ Protocol Version 1.78.

Hope that clears up your query!!

If helpful, do rate the post

Ganesh.H

Thanks.  But it still does not answer my question.

Basically, ACS is installed on Windows. Often the TACACS service is hung but the Windows server itself is working. The redundancy command on the router does not fail over to the second TACACS server because the Windows server is working. How do I solve this issue?

Thanks.


Hi,

To set the interval that the server waits for a server host to reply, use the tacacs-server timeout sec global configuration command in Cisco switches.

seconds: Integer that specifies the timeout interval in seconds (between 1 and 300). The default is 5 seconds.

Hope that helps!!

If helpful do rate the post

Ganesh.H
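
The situation raised in this thread (Windows host up, TACACS service hung) can be told apart from a dead host by probing TCP port 49 with a reply timeout instead of pinging. The following Python is an added example, not part of the original thread and not a description of how IOS itself checks servers; the function names, the session id and the local `fake_server` stand-in are assumptions. How a real ACS reacts to a header with an empty body is also an assumption, so a clean close is reported separately from a TACACS+ reply.

```python
import socket
import struct
import threading
TACACS_PORT = 49  # TCP port registered for TACACS+

def header(session_id, seq_no=1, body_len=0):
    """12-byte TACACS+ header: version, type, seq_no, flags, session_id, length."""
    return struct.pack("!BBBBII", 0xC0, 0x01, seq_no, 0x00, session_id, body_len)

def probe(host, port=TACACS_PORT, timeout=5.0):
    """Classify one server as 'down', 'hung', 'closed' or 'alive'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"            # refused, unreachable or connect timed out
    with s:
        try:
            s.sendall(header(0x0BADCAFE))   # constructed session id
            reply = s.recv(12)
        except socket.timeout:
            return "hung"        # OS accepted the connection, service never answered
        except OSError:
            return "closed"      # connection reset by the peer
    if reply and reply[0] >> 4 == 0xC:
        return "alive"           # reply carries the TACACS+ major version nibble
    return "closed"              # peer closed or sent something that is not TACACS+

def first_alive(servers, timeout=5.0):
    """Try an ordered (host, port) list, primary first; return choice and report."""
    report = []
    for host, port in servers:
        state = probe(host, port, timeout)
        report.append((host, port, state))
        if state == "alive":
            return (host, port), report
    return None, report

def fake_server(answers):
    """Constructed local stand-in: listens on 127.0.0.1, optionally replies once."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        conn.recv(12)
        conn.sendall(header(0x0BADCAFE, seq_no=2))  # header only, constructed
        conn.close()
    if answers:
        threading.Thread(target=serve, daemon=True).start()
    return srv
```

Run `first_alive` from a monitoring host against the same ordered server list the device uses; a primary reported as `hung` while it still answers ping is the case described in this thread.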

Hi Ganesh.H,

Thanks for the reply.  Looking at the command documentation, it states:

"If the command is not configured, the timeout interval is 5 seconds."

So it is default configured regardless of whether I enter this command or not. However, this command does not work as the TACACS service does not fail over. Any other ideas?
