Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 3.0/NT Failover

We are starting to use ACS 3.0/NT for our router logins. We have two boxes and have successfully set them up for replication. I can get the tacacs+ logins to work as long as the first server in the 'tacacs-server host ..." list is available. If I take the first server in the list offline i am not able to login. What do I need to do make the router failover to the second server if the first one is unavailable? Thanks!!!

Cisco Employee

Re: ACS 3.0/NT Failover

You need to configure the all the tacacs server using "tacacs-server host .." command in the router..Router will follow the top-down way to contact them during authentication so if first tacacs will not respond, it will go to the next one..Make sure that you have configured that way..

If its configured like that and it dosen't work..lets have following debug

debug aaa authentication

debug tacacs


New Member

Re: ACS 3.0/NT Failover

It is already configured like that... I have found the problem to be the following...

I removed the 'master' tacacs-server host entry from the router to try to have the router authenticate only to the backup acs server. The authentication fails. When I looked at the failed attempts log it shows that the authentication failed because the user was not mapped to the correct group, it is shown as being mapped to the default group.

We are using our NT domain to provide the authentication. We then have an NT group mapped to an ACS group which has permissions to login to the routers. Apparently these group mappings do not get replicated during replication?? Is this a feature or a bug?

After adding the mapping manually everything is working fine now.

New Member

Re: ACS 3.0/NT Failover

Each ACS box must be separately configured for authentication to external databases (NT, NDS, SecurID, etc). This makes sense since the box you're replicating from has no idea if the box you are replicating to is a member of the appropriate domain, has the software components installed necessary for token servers to operate correctly, etc.



New Member

Re: ACS 3.0/NT Failover

I am sorry to interrupt, but from your message i read that you have managed to setup two ACS 3.0 servers with dbase replication.

My question is how ?

We have 3.0.1 build 40 and are still unsuccessful.

Please help

New Member

Re: ACS 3.0/NT Failover

I hace found that it is best to start out with a clean install of the the backup


The steps below assume you are using a primary/seconard approach. Once it is setup all changes should be made on the primary then replicated out to the secondary.

Primary Server

1) you will want to add the backup server in the Network configuration menu (Make sure you click on 'Submit + Restart'

2) Go into System configuration > CiscoSecure Database Replication

3) Make sure that Send is check for all of the items you want to replicate

4) at the bottom of the screen move the backup server from the 'AAA Servers' to the 'Replication' on the right side, then click submit.

Secondary server

1) Install the ACS software will all of the defaults (make sure you select Database replication when prompted)

2) after the software is setup and you have configured an administrator, go into the Network Configuration and add the Primary ACS server to the AAA Server list (be sure you use the same password as you used before)

3) Make sure you submit & restart

4) from System Configuration go into Database Replication

5) uncheck all of the send and check all of the receive. Do not make any changes to the Replication Partners Section (the primary should still be listed as a AAA Server)

Once this is finished go back to the Primary server and go into Database Replication and click Replicate Now. After you do this go into 'Reports and Activitiy' and choose 'Database Replication'. Then choose the first one in the list. This will tell you if the replication has succeeded or not.

you can contact me at if you have any other questions.

Best of Luck!!


New Member

Re: ACS 3.0/NT Failover

The setting on the secundairy server did the trick. Leave the server1 listed on the AAA-server section (on the left) and it works.

Thanks a lot Jason.

CreatePlease to create content