topic How to configure Radius failover in ACS 5.1 in Network Access Control

How to configure Radius failover in ACS 5.1

kianhowtan — Mon, 11 Mar 2019 01:20:31 GMT

Hi,

I need to configure the ACS 5.1 to meet the following requirement :-

1. ACS 5.1 will point to a RSA SecurID as the first authentication mechanism for the validation of user credential

2. In the event that RSA SecurID is not reachable, the ACS 5.1 shall point to its local user database.

I had no problem configuring for Point (1), but I am not able to let it failover to the local user database.

Can any expert out there advise on the configuration portion?

regards

How to configure Radius failover in ACS 5.1

Nicolas Darchis — Mon, 22 Aug 2011 09:36:11 GMT

In the users and identity menu, click on "identity store sequence".

Create a new sequence that will be composed of your RSA and then the internal store.

In your service policy, instead of pointing the identity store to the RSA server, point it to the sequence you created.

Regards,

Nicolas

How to configure Radius failover in ACS 5.1

kianhowtan — Thu, 25 Aug 2011 12:42:09 GMT

Hi Nicolas,

Thanks of the help.

I tried out your method. But I am still encounting the "same" problem.

When I bring down the RSA server, my internal account is still not able to login successfully.

From the logging, the failure is due to the "invalid account" in my RSA server (so apparently it did not roll over to the internal store for the next authentication sequence).

This is what i configured:

I defined "Authentication_Sequence" under the "identity store sequence".

> RSA

> Internal Hosts

Then under Access Policy (Default Network Access),

I selected "Authentication_Sequence" under the identity field.

Not too sure where i missed out

regards

How to configure Radius failover in ACS 5.1

Nicolas Darchis — Thu, 25 Aug 2011 12:50:11 GMT

the configuration seems correct. However it would seem that ACS doesn't realize that the RSA is down. How did you turn the RSA down ? off completely ?

How to configure Radius failover in ACS 5.1

kianhowtan — Thu, 25 Aug 2011 13:29:54 GMT

I just simply disconnect the RSA server from the network so that ACS will not be able to reach RSA

How to configure Radius failover in ACS 5.1

kianhowtan — Fri, 26 Aug 2011 05:59:17 GMT

Hi,

To add on, the error is saying that the authentication failure is due to ' ACS is not able to establish a connection to the RSA server'

How to configure Radius failover in ACS 5.1

Nicolas Darchis — Fri, 26 Aug 2011 07:52:03 GMT

Strange ...

I didn't play much with RSA server failover. It should fail over to my opinion but ...

How to configure Radius failover in ACS 5.1

kianhowtan — Fri, 26 Aug 2011 15:58:31 GMT

It is indeed quite strange.

I found one old thread that was quite similar to my problem :

https://supportforums.cisco.com/thread/2052480

I tried out the setting, but the problem still persist.

Besides the sequence setting, Is there any setting that indicate the timeout value for a authentication store to declare "failure" and failover to the second store?

How to configure Radius failover in ACS 5.1

kianhowtan — Fri, 09 Sep 2011 11:50:14 GMT

Hi,

Are you aware of this bug :

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl05416

which could be relared to my problem?

regards

How to configure Radius failover in ACS 5.1

Nicolas Darchis — Fri, 09 Sep 2011 12:06:31 GMT

That bug is not related. It's about Active Directory. Your problem is RSA ...

How to configure Radius failover in ACS 5.1

kianhowtan — Fri, 09 Sep 2011 12:15:24 GMT

This is the reply from the TAC engineer,

> I believe that you are hitting this bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method

> =fetchBugDetails&bugId=CSCtl05416

> While the notes for this bug talk about problems with AD, the same

> problem applies to _any_ identity sequence that you create.

> For example, if you create an Identity Store Sequence with the Identity

> Stores A and B, the ACS will _not_ go to Identity B if Identity Store A

> is not available. It does not matter what the order of identity stores

> is in the sequence. This is a known issue with ACS 5.2 and there is no

> work around.

> This problem will be resolved in the next release of ACS, which will be

> ACS 5.3. The 5.3 release will allow you to select what action is to take

> place is an Identity Store becomes unavailable.

> "

So would like to seek your opinion. In addition, also found this article.

http://blog.pbmit.com/digipass2

How to configure Radius failover in ACS 5.1

Nicolas Darchis — Fri, 09 Sep 2011 12:21:37 GMT

Well if you have a TAC case ...

He logically spent time working on it and possibly checked cases affected by that bug.

As this is a forum, I'm rarely working more than a few minutes for each reply I give, so I would trust that answer over mine.

However, the bug is still Assigned and not marked as resolved yet. It was marked to be fixed for 5.3 but if it's not resolved yet, it won't be fixed in 5.3 release that comes out in 2 months 😉