ACS 3.0/NT Failover

jason-linden
Level 1

We are starting to use ACS 3.0/NT for our router logins. We have two boxes and have successfully set them up for replication. I can get the tacacs+ logins to work as long as the first server in the "tacacs-server host ..." list is available. If I take the first server in the list offline I am not able to login. What do I need to do to make the router failover to the second server if the first one is unavailable? Thanks!!!

6 Replies

tepatel
Cisco Employee

You need to configure all the tacacs servers using the "tacacs-server host .." command in the router. The router will follow a top-down order to contact them during authentication, so if the first tacacs server does not respond, it will go to the next one. Make sure that you have configured it that way.

If it's configured like that and it doesn't work, let's have the following debugs:

debug aaa authentication

debug tacacs

Thanks...Tejal
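The two-entry server list and top-down failover described in this reply, as an added configuration example (not from the thread); the addresses and shared secret are placeholders, and the local fallback user is an assumption, not something the poster configured:

```ios
! Constructed example: primary ACS at 10.1.1.10, secondary at 10.1.1.11.
! Replace the placeholders with your own addresses and shared secret.
aaa new-model
!
! Both servers must be listed. IOS tries them in this order and moves to
! the next entry only when the current one does not answer within the
! timeout; a server that answers with a reject (e.g. a user mapped to the
! wrong group) ends the attempt, it does not trigger failover.
tacacs-server host 10.1.1.10 key <shared-secret>
tacacs-server host 10.1.1.11 key <shared-secret>
tacacs-server timeout 5
!
! Login and enable authentication go to TACACS+ first; "local" / "enable"
! are the last resort so a console login still works if both servers are down.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
! Local fallback account (assumed, not part of the original reply).
username admin privilege 15 secret <local-fallback-password>
```

With this in place, "debug aaa authentication" and "debug tacacs" show which host the router contacts for each login, and "show tacacs" gives per-server connection and failure counters for checking that the second host is actually being tried.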

It is already configured like that... I have found the problem to be the following...

I removed the 'master' tacacs-server host entry from the router to try to have the router authenticate only to the backup acs server. The authentication fails. When I looked at the failed attempts log it shows that the authentication failed because the user was not mapped to the correct group, it is shown as being mapped to the default group.

We are using our NT domain to provide the authentication. We then have an NT group mapped to an ACS group which has permissions to login to the routers. Apparently these group mappings do not get replicated during replication?? Is this a feature or a bug?

After adding the mapping manually everything is working fine now.

Each ACS box must be separately configured for authentication to external databases (NT, NDS, SecurID, etc). This makes sense since the box you're replicating from has no idea if the box you are replicating to is a member of the appropriate domain, has the software components installed necessary for token servers to operate correctly, etc.

HTH

Jeff

remyh
Level 1

I am sorry to interrupt, but from your message I read that you have managed to set up two ACS 3.0 servers with database replication.

My question is how ?

We have 3.0.1 build 40 and are still unsuccessful.

Please help

I have found that it is best to start out with a clean install of the backup server.

The steps below assume you are using a primary/secondary approach. Once it is set up, all changes should be made on the primary and then replicated out to the secondary.

Primary Server

1) You will want to add the backup server in the Network Configuration menu (make sure you click on 'Submit + Restart').

2) Go into System configuration > CiscoSecure Database Replication

3) Make sure that Send is checked for all of the items you want to replicate.

4) At the bottom of the screen move the backup server from the 'AAA Servers' list to the 'Replication' list on the right side, then click Submit.

Secondary server

1) Install the ACS software with all of the defaults (make sure you select Database Replication when prompted).

2) After the software is set up and you have configured an administrator, go into Network Configuration and add the primary ACS server to the AAA Servers list (be sure you use the same password as you used before).

3) Make sure you Submit & Restart.

4) From System Configuration go into Database Replication.

5) Uncheck all of the Send boxes and check all of the Receive boxes. Do not make any changes to the Replication Partners section (the primary should still be listed as an AAA Server).

Once this is finished go back to the primary server, go into Database Replication and click Replicate Now. After you do this go into 'Reports and Activity' and choose 'Database Replication'. Then choose the first one in the list. This will tell you if the replication has succeeded or not.

You can contact me at jlinden7@yahoo.com if you have any other questions.

Best of Luck!!

-jason

The setting on the secondary server did the trick. Leave server1 listed in the AAA Servers section (on the left) and it works.

Thanks a lot Jason.
