11-04-2009 04:37 AM - edited 03-10-2019 04:46 PM
Dear All,
I have a few questions about ACS 4.2.
I have got 2 licenses for two ACS 4.2 servers and I have done the installation on two servers. My question here is: during the installation it never asked for a licensing key, so what is the use of the licensing key?
Question 2:
My design requires one to be the primary ACS and the other to be the secondary ACS.
If the primary fails, it should contact the secondary server without any delay, and if both servers are not reachable it should ask for local passwords without any delay.
Finally, the end user should not be affected by a failure of ACS.
Question 3: Is the config different for different models of routers and switches?
Please find my proposed config:
----------------------------------------
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
---------------------------------
tacacs-server host X.X.X.X(primary)
tacacs-server host Y.Y.Y.Y(SECONDARY)
tacacs-server timeout 5
tacacs-server directed-request
tacacs-server key 7 XXXXXXXXXXXX
--------------------------------
line con 0
 password 7 001014030D511C08260F68700001
 login authentication no_tacacs
line vty 0 4
 password 7 03105C0E0F05364267273D12345
line vty 5 15
 password 7 03105C0E0F05364267212345
11-04-2009 05:58 AM
Hi Adhitya,
1. ACS for Windows doesn't require any kind of license/serial number/key. As you have the ACS installation kit for Windows, you simply need to install it on a supported Microsoft platform; it won't ask for any key or license.
However, at any given point in time you can run this software on one platform. A single contract cannot be used to install ACS on multiple machines in your production network.
Without a license you can't get any further updates/TAC support, since ACS software is not listed on this site or in your Cisco profile.
2. In the case of failover there will definitely be a delay. We have primary, secondary and local, with the timeout set to 5 sec for each try, and by default there will be three retries. If both servers go down it will take around 35 seconds to reach the local database.
3. The proposed config looks perfect.
HTH
JK
-pls rate helpful posts-
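An added example, not part of the original posts: a small Python audit of the AAA method lists in a config like the one proposed above, reporting which lists have no method after "group tacacs+" and which lines never consult TACACS+. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample modelled on the thread's proposed config; the commands 15 list
# has its if-authenticated fallback removed on purpose so the audit has a finding.
SAMPLE = """\
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+
line con 0
login authentication no_tacacs
line vty 0 4
"""

LIST_RE = re.compile(
    r"^aaa (authentication login|authorization (?:exec|commands \d+)) (\S+) (.+)$")

def method_lists(config):
    """Map (service, list name) -> ordered methods, e.g. ['group tacacs+', 'line']."""
    lists = {}
    for raw in config.splitlines():
        m = LIST_RE.match(raw.strip())
        if m:
            lists[(m.group(1), m.group(2))] = re.findall(r"group \S+|\S+", m.group(3))
    return lists

def line_login_lists(config):
    """Map each line stanza to its login list; IOS uses 'default' when none is set."""
    lines, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text
            lines[current] = "default"
        elif current and (m := re.match(r"login authentication (\S+)", text)):
            lines[current] = m.group(1)
    return lines

def audit(config):
    """Flag lists with no method after TACACS+ and lines that never consult it."""
    lists, findings = method_lists(config), []
    for (service, name), methods in lists.items():
        if methods == ["group tacacs+"]:
            findings.append(f"{service} {name}: no fallback after group tacacs+")
    for line, name in line_login_lists(config).items():
        methods = lists.get(("authentication login", name), [])
        if "group tacacs+" not in methods:
            findings.append(f"{line}: list {name} uses local methods only: {methods}")
    return findings
```

Calling audit(SAMPLE) returns one finding for the commands 15 list and one for the console line, which uses the no_tacacs list by design in this thread.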
11-04-2009 07:44 AM
Hi,
Thanks very much for the quick response. With the present config we have a delay in typing the commands when both servers are not reachable and we log in via the local password. Could you please tell me how it can be avoided in the new design?
Present config:
--------
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
tacacs-server host a.a.a.a
tacacs-server host b.b.b.b
tacacs-server directed-request
tacacs-server key 7 ***********
line con 0
 password 7 ***********
 login authentication no_tacacs
line vty 0 4
 password 7 **************
line vty 5 15
 password 7 **********
--------------
Can I do the same config for all models of routers and switches? Please comment on the same.
Adhitya
11-05-2009 07:43 AM
Hi All,
Still expecting more answers on this; kindly update me.
Adhitya