We are starting to use ACS 3.0/NT for our router logins. We have two boxes and have successfully set them up for replication. I can get the tacacs+ logins to work as long as the first server in the "tacacs-server host ..." list is available. If I take the first server in the list offline I am not able to login. What do I need to do to make the router failover to the second server if the first one is unavailable? Thanks!!!
You need to configure all the tacacs servers using the "tacacs-server host .." command in the router. The router will follow a top-down order to contact them during authentication, so if the first tacacs server does not respond, it will go to the next one. Make sure that you have configured it that way.
If it's configured like that and it doesn't work, let's have the following debug
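As an added example (not part of the original reply), this is the IOS configuration the answer describes: two ACS hosts listed in the order they are tried, a timeout so the first host is given up on promptly, and a local fallback that only applies when no listed server answers. Addresses, the shared key, and the local account are constructed placeholders.

```cisco
! Added example, not from the original thread. 192.0.2.10/.11, the key
! and the local account are constructed placeholders.
aaa new-model
!
! The router contacts hosts in the order listed: the second is used only
! when the first does not answer within the timeout. Use the same shared
! key on both ACS boxes so the backup is not rejected for a key mismatch.
tacacs-server host 192.0.2.10 key ACS-SHARED-KEY
tacacs-server host 192.0.2.11 key ACS-SHARED-KEY
tacacs-server timeout 5
!
! "local" is consulted only if every server in the list is unreachable;
! a reject from a reachable server is still a reject.
username admin-local privilege 15 secret ChangeMe-Local
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
 transport input ssh
!
! Verification before taking the primary offline: test a login against
! the group, then check the per-server request/timeout counters so a
! failure on the backup is visible as its own problem (for example a
! missing group mapping) rather than hidden behind the primary.
!   Router# test aaa group tacacs+ testuser testpass legacy
!   Router# show tacacs
```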
It is already configured like that... I have found the problem to be the following...
I removed the 'master' tacacs-server host entry from the router to try to have the router authenticate only to the backup acs server. The authentication fails. When I looked at the failed attempts log it shows that the authentication failed because the user was not mapped to the correct group, it is shown as being mapped to the default group.
We are using our NT domain to provide the authentication. We then have an NT group mapped to an ACS group which has permissions to login to the routers. Apparently these group mappings do not get replicated during replication?? Is this a feature or a bug?
After adding the mapping manually everything is working fine now.
Each ACS box must be separately configured for authentication to external databases (NT, NDS, SecurID, etc). This makes sense since the box you're replicating from has no idea if the box you are replicating to is a member of the appropriate domain, has the software components installed necessary for token servers to operate correctly, etc.
I have found that it is best to start out with a clean install of the backup
The steps below assume you are using a primary/secondary approach. Once it is set up all changes should be made on the primary then replicated out to the secondary.
1) you will want to add the backup server in the Network configuration menu (Make sure you click on 'Submit + Restart')
2) Go into System configuration > CiscoSecure Database Replication
3) Make sure that Send is checked for all of the items you want to replicate
4) at the bottom of the screen move the backup server from the 'AAA Servers' to the 'Replication' on the right side, then click submit.
1) Install the ACS software with all of the defaults (make sure you select Database replication when prompted)
2) after the software is setup and you have configured an administrator, go into the Network Configuration and add the Primary ACS server to the AAA Server list (be sure you use the same password as you used before)
3) Make sure you submit & restart
4) from System Configuration go into Database Replication
5) uncheck all of the send and check all of the receive. Do not make any changes to the Replication Partners Section (the primary should still be listed as an AAA Server)
Once this is finished go back to the Primary server and go into Database Replication and click Replicate Now. After you do this go into 'Reports and Activity' and choose 'Database Replication'. Then choose the first one in the list. This will tell you if the replication has succeeded or not.