https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170406#M344991 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>thanks for your answer. normally we are working with f5 load balancers. so it should also work with them.</P><P></P><P>bye</P><P>Torsten</P></BODY></HTML> Tue, 24 Feb 2009 07:47:50 GMT t.waibel 2009-02-24T07:47:50Z https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170404#M344937 <P>Hi,</P><P></P><P>we want to rebuilt our design. In the future we want to have 4 ACS server behind a pair of load balancer. Does anybody knows whether the ASC server works with a load balancer.</P><P></P><P>thanks for your answers.</P><P>Torsten Waibel</P> Sun, 10 Mar 2019 23:20:59 GMT https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170404#M344937 t.waibel 2019-03-10T23:20:59Z https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170405#M344955 <HTML><HEAD></HEAD><BODY><P>Yes it does! We will be deploying 4 ACS servers behind an ACE shortly.</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 23 Feb 2009 17:23:28 GMT https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170405#M344955 Collin Clark 2009-02-23T17:23:28Z https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170406#M344991 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>thanks for your answer. normally we are working with f5 load balancers. so it should also work with them.</P><P></P><P>bye</P><P>Torsten</P></BODY></HTML> Tue, 24 Feb 2009 07:47:50 GMT https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170406#M344991 t.waibel 2009-02-24T07:47:50Z https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170407#M345003 <HTML><HEAD></HEAD><BODY><P>What might not be immediately obvious is that some protocols will load balance better than others.</P><P></P><P>Most LBs use a "sticky" timer to ensure that multi-message authentication exchanges (like EAP) will get routed to the same ACS server.</P><P></P><P>Thats OK, but sticky timers are normally measured in seconds.</P><P></P><P>ACS may keep 802.1x/SSL session state for hours with supplicants performing periodic re-keying over the session lifetime. </P><P></P><P>A worst case example: a wireless lan secured using a one-time password like RSA. If a periodic rekey goes to the wrong ACS (that doesnt hold the session state) it will trigger a new full authentication and result in the user having to dig out their RSA token again.</P><P></P><P>Just something to bear in mind.. the sticky timer needs to be as long as the re-key/re-authenticate time.</P></BODY></HTML> Wed, 25 Feb 2009 10:06:03 GMT https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170407#M345003 darpotter 2009-02-25T10:06:03Z https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170408#M345022 <HTML><HEAD></HEAD><BODY><P>Thanks darpotter.</P><P></P><P>we use the ACS server only for TACACS and RADIUS Authentication, Authorization and Accounting. So we need to know whether a f5 load balancer will work together with 4 ACS server. Will the load balancer distribute the requests from one router round robin to all ACS server or will only one ACS server be responsible for the requests from a router.</P></BODY></HTML> Wed, 25 Feb 2009 10:16:14 GMT https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170408#M345022 t.waibel 2009-02-25T10:16:14Z https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170409#M345040 <HTML><HEAD></HEAD><BODY><P>Good point, we sticky by source IP.</P></BODY></HTML> Thu, 26 Feb 2009 14:14:36 GMT https://community.cisco.com/t5/network-access-control/acs-and-load-balancer/m-p/1170409#M345040 Collin Clark 2009-02-26T14:14:36Z