https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715096#M409143 <P>Hello, i just wanna ask the config to set AAA failover if ASA couldn't contact ACS. Is that possible? I want user access by authentcating to ACS but if ASA's connection to ACS fail, it will revert authentication to ASA itself.</P><P></P><P>I see that ASA config is different than router and switch. </P> Sun, 10 Mar 2019 22:20:49 GMT Charles_Chi4 2019-03-10T22:20:49Z https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715096#M409143 <P>Hello, i just wanna ask the config to set AAA failover if ASA couldn't contact ACS. Is that possible? I want user access by authentcating to ACS but if ASA's connection to ACS fail, it will revert authentication to ASA itself.</P><P></P><P>I see that ASA config is different than router and switch. </P> Sun, 10 Mar 2019 22:20:49 GMT https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715096#M409143 Charles_Chi4 2019-03-10T22:20:49Z https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715097#M409144 <HTML><HEAD></HEAD><BODY><P>If you want that authentication should failover to another ACS server, create a aaa server group and define 2 servers in it and use this server group in the authentication command.</P><P></P><P>eg.</P><P>________________________________</P><P>aaa-server TEST protocol tacacs</P><P>aaa-server TEST host 1.1.1.1 <KEY></KEY></P><P>aaa-server TEST host 2.2.2.2 <KEY></KEY></P><P></P><P>aaa authentication telnet console TEST</P><P>____________________________________</P><P></P><P></P><P>So authentication will go to 1.1.1.1 if it timesout due to any reason it will fallback to 2.2.2.2</P><P></P><P></P><P>If you want failover to local ASA define it according to following :</P><P></P><P>aaa authentication telnet console TEST LOCAL</P><P></P><P>Hope this helps.</P><P></P><P>~Rohit</P></BODY></HTML> Wed, 22 Aug 2007 11:21:16 GMT https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715097#M409144 rochopra 2007-08-22T11:21:16Z https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715098#M409145 <HTML><HEAD></HEAD><BODY><P>I've input </P><P>aaa authentication telnet console <GROUP> LOCAL </GROUP></P><P></P><P>But i just can log in using local user and pass. I can't use ACS authentication. As i try to input :</P><P></P><P>aaa authentication telnet console <GROUP></GROUP></P><P></P><P>i can use ACS authentication, but when i deny the access from ASA to ACS, it can't do anything accept blank screen when i input the user and pass and enter.</P><P></P><P></P></BODY></HTML> Thu, 23 Aug 2007 02:07:02 GMT https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715098#M409145 Charles_Chi4 2007-08-23T02:07:02Z https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715099#M409146 <HTML><HEAD></HEAD><BODY><P>enable debugs and check the status:</P><P></P><P>debug aaa authentication</P><P>debug tacacs</P><P></P><P>You should get an answer if its getting fallback to local or not</P></BODY></HTML> Thu, 23 Aug 2007 02:10:55 GMT https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715099#M409146 rochopra 2007-08-23T02:10:55Z https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715100#M409147 <HTML><HEAD></HEAD><BODY><P>Hi rochopra,</P><P></P><P>I get your point, thanks hehehe.</P><P></P><P>But i found that it take times to revert to LOCAL as i see in debug, it sent 3 times to ACS before revert to LOCAL. </P><P></P></BODY></HTML> Thu, 23 Aug 2007 02:32:28 GMT https://community.cisco.com/t5/network-access-control/aaa-failover-in-asa/m-p/715100#M409147 Charles_Chi4 2007-08-23T02:32:28Z