Redundant ACS Configuration - IP Address Allocation

dtjacob
Level 1

I have remote users that connect to the corporate network via VPN terminating on a VPN3k at the primary site. These users are authenticated and given IP addresses by Cisco Secure ACS. There is a backup site where the backup ACS is deployed. I would like the remote users to be authenticated by the backup ACS when the primary is unavailable. Each ACS is configured with subnets that are advertised at its location. In other words, the IP addresses that are given to the remote users are from different ranges. Is it possible to configure the ACS to give the remote users an IP address from the range deployed at the primary site when they are connecting to the VPN3k located at the primary site but are being authenticated by the ACS from the backup site?

3 Replies

trmccart
Cisco Employee

With VPN hardware clients, I have done just this by using VRRP on the VPN concentrators with RRI (Reverse Route Injection).

The issue is that you need the 'network' to learn about the presence of the IP address residing off the back-up VPN concentrator.

Can this be done for software clients? I don't know...

trmccart
Cisco Employee

Dylan,

I recognized that I didn't really answer your question. You may have both ACS servers serve the same IP address to the client regardless of which VPN Concentrator is active. The key element is the advertisement of the client's IP address back into the network. If you are running OSPF/RIP then you may have the VPN Concentrator advertise the client's IP address via OSPF (or RIP) back into the network.

The ramification is the number of 32-bit mask routes that you may be injecting into your network.

Cheers,

Troy
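To make the routing point in the replies concrete, here is an added example that is not part of the thread and not Cisco code: a small longest-prefix-match model of the core routing table. The two pools, site names and client addresses are constructed, hypothetical values. It shows why a client that terminates on the primary VPN3k but receives an address from the backup site's pool is black-holed on the return path unless the concentrator injects a /32 host route for it (RRI into OSPF/RIP), and it counts the /32 routes that such injection adds, which is the ramification Troy mentions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed, hypothetical address pools (not from the thread).
# Each site advertises its own aggregate into the corporate network.
PRIMARY_POOL = "10.10.0.0/24"   # pool handed out by the primary ACS
BACKUP_POOL = "10.20.0.0/24"    # pool handed out by the backup ACS


class RoutingTable:
    """Minimal longest-prefix-match table mapping a prefix to the site that advertises it."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, str] = {}

    def advertise(self, prefix: str, site: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = site

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address: str) -> Optional[str]:
        """Return the site that return traffic for `address` is forwarded to (longest match wins)."""
        addr = ipaddress.ip_address(address)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for prefix, site in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, site)
        return best[1] if best else None

    def host_route_count(self) -> int:
        """Number of /32 routes present, i.e. the cost of RRI in table size."""
        return sum(1 for p in self.routes if p.prefixlen == 32)


def build_core() -> RoutingTable:
    """Core table before any client connects: only the two site aggregates."""
    table = RoutingTable()
    table.advertise(PRIMARY_POOL, "primary")
    table.advertise(BACKUP_POOL, "backup")
    return table


def connect_client(table: RoutingTable, terminating_site: str, assigned_ip: str, rri: bool) -> str:
    """Model a client terminating on `terminating_site` whose ACS assigned `assigned_ip`.

    With RRI the concentrator injects a /32 for the client into the routing protocol.
    Returns the site the core will send the client's return traffic to.
    """
    if rri:
        table.advertise(f"{assigned_ip}/32", terminating_site)
    return table.lookup(assigned_ip) or "unroutable"


def return_path_ok(terminating_site: str, assigned_ip: str, rri: bool) -> bool:
    """True when return traffic reaches the concentrator the client is actually attached to."""
    table = build_core()
    return connect_client(table, terminating_site, assigned_ip, rri) == terminating_site


def failover_scenario(client_count: int, rri: bool) -> Tuple[bool, int]:
    """Primary VPN3k up, primary ACS down: backup ACS assigns addresses from BACKUP_POOL.

    Returns (all clients reachable, number of /32 routes injected into the core).
    """
    table = build_core()
    hosts = list(ipaddress.ip_network(BACKUP_POOL).hosts())[:client_count]
    reachable = all(connect_client(table, "primary", str(h), rri) == "primary" for h in hosts)
    return reachable, table.host_route_count()


if __name__ == "__main__":
    print("normal, no RRI:", return_path_ok("primary", "10.10.0.5", rri=False))
    print("failover, no RRI:", return_path_ok("primary", "10.20.0.5", rri=False))
    print("failover, RRI:", return_path_ok("primary", "10.20.0.5", rri=True))
    print("50 clients with RRI:", failover_scenario(50, rri=True))
```

The model deliberately ignores OSPF area design and summarisation; in a real network a /32 injected by RRI is exactly the kind of route a summary at an area border can swallow, so verify that the host routes actually appear in the core tables rather than only on the concentrator's neighbour.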