https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987803#M207719 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>The ACS doesn't work like an ASA where you can have one active and the other standby. What you can do is to have one primary and another as the secondary, where depending on your TACACS+/Radius commands the authentication server role will change, for example:</P><P></P><P>tacacs-server host 10.0.0.1 key xxx</P><P>tacacs-server host 20.0.0.1 key xxx</P><P></P><P>This configuration means that the router will try to contact 10.0.0.1 always, but if this server goes down, the router will try to contact 20.0.0.1 until the 10.0.0.1 is up again.</P><P></P><P>So as you can see the ACS servers doesn't have control about which will be the active server, only which is the primary and which is the secondary (primary and secondary is important because you configure the settings in the primary and this one replicates those changes to the secondary).</P><P></P><P>Documentation:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_operations.html#wp1066095">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_operations.html#wp1066095</A></P></BODY></HTML> Wed, 30 May 2012 16:23:20 GMT mauzamor 2012-05-30T16:23:20Z https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987802#M207717 <P>Hi </P><P></P><P>I have to configure Cisco ACS for Active/Passive role. I am looking for some documentation on that on cisco website but can not find it.</P><P></P><P>Can anyone suggest me proper best practice documentation ?</P><P></P><P>Thank you,</P><P>Nilay</P> Mon, 11 Mar 2019 02:08:48 GMT https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987802#M207717 Nilaykumar Patel 2019-03-11T02:08:48Z https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987803#M207719 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>The ACS doesn't work like an ASA where you can have one active and the other standby. What you can do is to have one primary and another as the secondary, where depending on your TACACS+/Radius commands the authentication server role will change, for example:</P><P></P><P>tacacs-server host 10.0.0.1 key xxx</P><P>tacacs-server host 20.0.0.1 key xxx</P><P></P><P>This configuration means that the router will try to contact 10.0.0.1 always, but if this server goes down, the router will try to contact 20.0.0.1 until the 10.0.0.1 is up again.</P><P></P><P>So as you can see the ACS servers doesn't have control about which will be the active server, only which is the primary and which is the secondary (primary and secondary is important because you configure the settings in the primary and this one replicates those changes to the secondary).</P><P></P><P>Documentation:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_operations.html#wp1066095">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/admin_operations.html#wp1066095</A></P></BODY></HTML> Wed, 30 May 2012 16:23:20 GMT https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987803#M207719 mauzamor 2012-05-30T16:23:20Z https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987804#M207720 <HTML><HEAD></HEAD><BODY><P>Hello Nilay.</P><P></P><P>Mauricio is right. To expand his answer, if you have several&nbsp; ACS appliances only one of them is primary and all the other ones are&nbsp; secondary.</P><P></P><P>"Primary" and "secondary" concepts are different from "active" and "standby" concepts. All ACS are "active".</P><P></P><P>The&nbsp; switch configuration tells the switch which ACS to talk to. It can be&nbsp; one, two, three, any number of ACS. Also if there are more than one ACS,&nbsp; the switch configuration gives the preference to the first ACS declared&nbsp; in the configuration. Only if the first ACS doesn't respond at all&nbsp; then the switch will try to talk to the second ACS declared. Only if the&nbsp; second ACS doesn't respond at all then the switch will try to talk to&nbsp; the third ACS and so on.</P><P></P><P>here's an example of switch configuration with three ACS</P><P></P><P>radius-server host 192.168.1.10 key MYPASSWORD</P><P>radius-server host 192.168.1.11 key MYPASSWORD</P><P>radius-server host 192.168.1.12 key MYPASSWORD</P><P>radius-server vsa send authentication</P><P></P><P>aaa new-model</P><P>!</P><P>aaa group server radius ACS</P><P> server 192.168.1.10</P><P> server 192.168.1.11</P><P> server 192.168.1.12</P><P>!</P><P>aaa authentication dot1x default group ACS</P><P>aaa authorization network default group ACS </P><P>aaa accounting dot1x default start-stop group ACS</P></BODY></HTML> Wed, 30 May 2012 22:04:31 GMT https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987804#M207720 Eduardo Aliaga 2012-05-30T22:04:31Z https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987805#M207721 <HTML><HEAD></HEAD><BODY><P> I configured distributed deployment explained in above document and it works fire. Thank you for your help.</P><P></P><P>-Nilay</P></BODY></HTML> Fri, 01 Jun 2012 19:05:52 GMT https://community.cisco.com/t5/network-access-control/acs-appliance-failover-high-availibility-documentation/m-p/1987805#M207721 Nilaykumar Patel 2012-06-01T19:05:52Z