Promoting ACS from Secondary To Primary

zabbas
Level 1

Scenario: Currently have an ACS (3.02) for Win2K; we recently purchased another server (faster) to act as a secondary AAA server.

Question:

1) Once the initial replication occurs from the old server (primary) to the new server (secondary), are there any specific steps to make the secondary primary and the primary secondary? Only because the new server we bought is faster.

2) Will AAA logs get replicated over as well after the initial replication?

3) When doing daily failed attempt log checks, does one have to check both servers?

Thanks in advance.

1 Reply

jekrauss
Level 1

Z,

1) Which box is primary is defined in two different ways:

On the AAA client (switch, router, PIX, etc.), the first AAA server listed is the primary. The second is the secondary. So, if you want to start using the second box, then list its IP address first in your router config.

Also, for the purposes of replication, one box is considered Master and one is considered Slave (or primary and secondary). Keep in mind that the ACS boxes don't know whether they are primary or secondary servers in relation to the AAA clients - again, that's determined by the clients.

So, if you want to make the new box the primary, then make it the initiator of replication, and make the secondary a receiver. Then, configure all your AAA clients such that the new box is listed as the first AAA server.

There are other ways to do this, but this works well in most cases.

2) No, the logs don't get replicated - they only apply for the individual AAA server. Also, keep in mind that if you are authenticating to an external DB like NT, LDAP, Token Servers, etc., be aware that this information is NOT replicated and must be manually configured. That's because each box has its own DLLs for the external DBs that must be configured with that ACS box's information.

3) You only have to check both if you have AAA clients authenticating to both.

Best practices note: It is strongly recommended that you schedule replication AND backups to occur on a regular basis during low demand periods.

HTH

Jeff
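
An added example (not part of the original reply, and not Cisco tooling): a short Python audit over saved IOS configs that reports which AAA clients still list the old server first, and which ACS servers are listed by any client and so need their own failed-attempt logs reviewed, since logs are not replicated. The device names and addresses are constructed, and it assumes the classic `tacacs-server host` / `radius-server host` global commands.

```python
import re

# Classic IOS global commands; the order they appear in the config is the
# order in which the client tries the servers.
SERVER_RE = re.compile(
    r"^\s*(tacacs|radius)-server host (\d{1,3}(?:\.\d{1,3}){3})", re.MULTILINE)

def server_order(config_text):
    """Return {protocol: [ip, ...]} in the order the config lists the servers."""
    order = {}
    for proto, ip in SERVER_RE.findall(config_text):
        order.setdefault(proto, []).append(ip)
    return order

def audit(configs, intended_primary):
    """configs maps device name -> config text.

    Returns (misordered, servers_in_use):
      misordered     - {(device, protocol): server the client tries first}
                       for every client whose first server is not intended_primary
      servers_in_use - every server any client lists; each keeps its own logs
    """
    misordered, servers_in_use = {}, set()
    for device, text in configs.items():
        for proto, ips in server_order(text).items():
            servers_in_use.update(ips)
            if ips[0] != intended_primary:
                misordered[(device, proto)] = ips[0]
    return misordered, servers_in_use

# Constructed sample data: documentation-range addresses, hypothetical devices.
OLD_ACS, NEW_ACS = "192.0.2.10", "192.0.2.20"
SAMPLE_CONFIGS = {
    "core-rtr": "aaa new-model\ntacacs-server host 192.0.2.20\n"
                "tacacs-server host 192.0.2.10\n",
    "edge-sw": "aaa new-model\ntacacs-server host 192.0.2.10\n"
               "tacacs-server host 192.0.2.20\n",
    "branch-rtr": "aaa new-model\nradius-server host 192.0.2.10\n",
}

if __name__ == "__main__":
    wrong, in_use = audit(SAMPLE_CONFIGS, NEW_ACS)
    for (device, proto), first in sorted(wrong.items()):
        print(f"{device}: {proto} still tries {first} first")
    print("check failed-attempt logs on:", ", ".join(sorted(in_use)))
```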