New Member

Two ACS Server failover

Hi all,

We have an ASA firewall, and we want to authenticate login users by ACS server.

In order to eliminate a single point of failure, we built two ACS servers and made one the backup; we also use two protocols, TACACS+ and RADIUS.

I just want to know how long it will take, if the active ACS server fails, until the login is authenticated by the standby ACS.

I have no idea of any "keyword" to search for, so please kindly help me, or could you provide a doc? I will learn it by myself.

Thank you very much.

5 REPLIES
Cisco Employee

Two ACS Server failover

Generally in failover scenarios we create AAA server group on ASA. The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if configured. If all servers in the group are unavailable, the security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the security appliance continues to try the AAA servers.

To create a server group and add AAA servers to it, follow these steps:

Step 1 For each AAA server group you need to create, follow these steps:

a.] Identify the server group name and the protocol. To do so, enter the following command:

hostname(config)# aaa-server server_group protocol radius

For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.

You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group can have up to 16 servers in single mode or up to 4 servers in multi-mode.

When you enter an aaa-server protocol command, you enter group mode.

b.] If you want to specify the maximum number of requests sent to a AAA server in the group before trying the next server, enter the following command:

hostname(config-aaa-server-group)# max-failed-attempts number

The number can be between 1 and 5. The default is 3.

Also, the default timeout for a server is 5 seconds, so if the first server in the group is not responding, the ASA will take 5 seconds * 3 attempts = 15 seconds before it tries the second server in the group.

If all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried, which could be the LOCAL database as well. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step.

If you do not have a fallback method, the security appliance continues to retry the servers in the group.

c.] If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, enter the following command:

hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}

The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.

The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default is 10 minutes.

The timed keyword reactivates failed servers after 30 seconds of down time.

Hope this helps.

Regards,

Jatin

Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: Two ACS Server failover

Hi sir,

I truly appreciate it; it helped me solve the problem.

I have another two questions:

If the first ACS server fails for a long time, the ASA needs to try it every time by sending a request, which may cost 30 s and seems to be a waste of time.

1/ Is there any mechanism by which the ASA skips the failed device and tries the second device first?

2/ If the former failed device returns to normal, is there any mechanism by which the ASA will switch over to sending requests to this ACS server first?

Best regards,

Zhongyu Huang

Cisco Employee

Re: Two ACS Server failover

hostname(config-aaa-server-group)# reactivation-mode timed

When you use this command in addition to your aaa command, then in case your PRIMARY RADIUS server goes down, the ASA switches over to the SECONDARY RADIUS server. The timed keyword will help by checking the status of the PRIMARY server every 30 seconds, and that would not be transparent to the end user.

Regards,

Jatin

-Do rate helpful posts.

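Added example (not part of this thread, and not Cisco's code): a small Python model of the server-group behaviour Jatin describes in his two replies above, so the numbers can be seen rather than worked out by hand. It parses a constructed aaa-server configuration in the syntax discussed (the group names and addresses are hypothetical, and the server keys are omitted), then replays logins against one group and reports which server or fallback answered and how many seconds the login waited. The defaults it uses (5 s timeout, 3 attempts, 10 min deadtime, 30 s timed retry) are the values given in the replies and are assumptions here; check `show run aaa-server` on your own release before trusting them. It goes a little beyond the replies by modelling both reactivation policies side by side: in both modes a server that has exhausted max-failed-attempts is skipped on later logins, but only timed mode brings the primary back after 30 s, while depletion keeps it sidelined until every server has failed and the deadtime has run out, and keeps using LOCAL for the whole deadtime even if the servers recover sooner.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Defaults as given in the replies above (assumptions; verify on your own ASA release).
DEFAULT_TIMEOUT = 5             # seconds the ASA waits for one attempt
DEFAULT_MAX_FAILED = 3          # max-failed-attempts default
DEFAULT_DEADTIME_MIN = 10       # depletion deadtime default, minutes
TIMED_REACTIVATION_SECS = 30    # timed mode retries a failed server after 30 s

# Constructed sample config (hypothetical group names and addresses; keys omitted).
SAMPLE_CONFIG = """
aaa-server ACS-TACACS protocol tacacs+
 max-failed-attempts 2
 reactivation-mode timed
aaa-server ACS-TACACS (inside) host 10.1.1.11
 timeout 3
aaa-server ACS-TACACS (inside) host 10.1.1.12
 timeout 3
aaa-server ACS-RADIUS protocol radius
 reactivation-mode depletion deadtime 10
aaa-server ACS-RADIUS (inside) host 10.1.1.11
aaa-server ACS-RADIUS (inside) host 10.1.1.12
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication http console ACS-RADIUS LOCAL
"""

@dataclass
class Server:
    host: str
    timeout: int = DEFAULT_TIMEOUT
    failed_at: float | None = None     # simulated time it was marked failed

@dataclass
class Group:
    protocol: str
    max_failed: int = DEFAULT_MAX_FAILED
    mode: str = "depletion"
    deadtime_min: int = DEFAULT_DEADTIME_MIN
    local_fallback: bool = False
    servers: list[Server] = field(default_factory=list)
    depleted_at: float | None = None   # time the last active server failed

def parse_config(text: str) -> dict[str, Group]:
    """Parse the subset of aaa-server syntax used above into Group objects."""
    groups: dict[str, Group] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            current = groups[m[1]] = Group(m[2])
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)$", line):
            current = groups[m[1]]
            current.servers.append(Server(m[2]))
        elif m := re.match(r"max-failed-attempts (\d+)$", line):
            current.max_failed = int(m[1])
        elif m := re.match(r"reactivation-mode (depletion|timed)(?: deadtime (\d+))?$", line):
            current.mode = m[1]
            current.deadtime_min = int(m[2] or current.deadtime_min)
        elif m := re.match(r"timeout (\d+)$", line):
            current.servers[-1].timeout = int(m[1])
        elif m := re.match(r"aaa authentication \S+ console (\S+)( LOCAL)?$", line):
            groups[m[1]].local_fallback = bool(m[2])
    return groups

def reactivate(group: Group, now: float) -> None:
    """Apply the group's reactivation policy at simulated time `now` (seconds)."""
    if group.mode == "timed":
        for s in group.servers:
            if s.failed_at is not None and now - s.failed_at >= TIMED_REACTIVATION_SECS:
                s.failed_at = None
    elif group.depleted_at is not None and now - group.depleted_at >= group.deadtime_min * 60:
        for s in group.servers:            # depletion: all servers come back together
            s.failed_at = None
    if any(s.failed_at is None for s in group.servers):
        group.depleted_at = None

def authenticate(group: Group, now: float, down: set[str]) -> tuple[str | None, int]:
    """One login at time `now`; `down` is the set of unreachable hosts.
    Returns (who_answered, seconds_waited): a server address, "LOCAL" for the
    fallback, or None when nothing answered and no fallback is configured
    (a real ASA keeps retrying the group in that case; the model just reports it)."""
    reactivate(group, now)
    waited = 0
    if group.depleted_at is None:           # unresponsive group -> fallback at once
        for s in group.servers:
            if s.failed_at is not None:
                continue                   # already marked failed: skipped outright
            if s.host not in down:
                return s.host, waited
            waited += s.timeout * group.max_failed   # every attempt times out
            s.failed_at = now + waited
        group.depleted_at = now + waited   # last active server just failed
    return ("LOCAL" if group.local_fallback else None), waited

def replay(config: str, group_name: str, events):
    """Run (time, down_hosts) logins against one group; returns (time, who, waited) rows."""
    group = parse_config(config)[group_name]
    return [(t, *authenticate(group, t, down)) for t, down in events]

if __name__ == "__main__":
    both = {"10.1.1.11", "10.1.1.12"}
    print("timed:", replay(SAMPLE_CONFIG, "ACS-TACACS",
                           [(0, set()), (10, {"10.1.1.11"}), (20, {"10.1.1.11"}), (50, set())]))
    print("depletion:", replay(SAMPLE_CONFIG, "ACS-RADIUS",
                               [(0, {"10.1.1.11"}), (100, set()), (200, both), (300, set()), (900, set())]))
```

With the RADIUS group above, the first login after the primary dies waits 5 s * 3 = 15 s (the figure in the first reply), every later login goes straight to the secondary, and once both are down the LOCAL fallback answers with no delay for the full 10 minutes. The TACACS+ group, with timed reactivation, retries the primary 30 s after it was marked failed, which is what brings it back to the front of the list when it recovers.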
New Member

Re: Two ACS Server failover

Hi sir,

It is very kind of you, thank you so much again!

Best regards,

Zhongyu Huang

From: jkatyal

Date: 2011-11-23 17:39

To: Zhongyu Huang

Subject: Re: Two ACS Server failover

Cisco Employee

Two ACS Server failover

A little bit more explanation for you.

https://supportforums.cisco.com/message/3931298#3931298

Jatin Katyal


- Do rate helpful posts -
