08-22-2007 12:00 AM - edited 03-10-2019 03:20 PM
Hello, I just want to ask about the config to set AAA failover if the ASA can't contact ACS. Is that possible? I want user access authenticated by ACS, but if the ASA's connection to ACS fails, it should revert authentication to the ASA itself.
I see that the ASA config is different from the router and switch.
08-22-2007 04:21 AM
If you want authentication to fail over to another ACS server, create an AAA server group, define two servers in it, and use this server group in the authentication command.
eg.
________________________________
aaa-server TEST protocol tacacs
aaa-server TEST host 1.1.1.1
aaa-server TEST host 2.2.2.2
aaa authentication telnet console TEST
____________________________________
So authentication will go to 1.1.1.1; if it times out for any reason it will fall back to 2.2.2.2.
If you want failover to the local ASA database, define it as follows:
aaa authentication telnet console TEST LOCAL
Hope this helps.
~Rohit
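A fuller version of the configuration Rohit describes, added here as an example rather than taken from the thread. It keeps the same shape (one TACACS+ server group, two ACS hosts, LOCAL as the last method) and adds the knobs that control how quickly the ASA gives up on ACS and falls back: per-host `timeout`, group-level `max-failed-attempts`, and `reactivation-mode`. The group name ACS, the interface name `inside`, the addresses 10.0.0.10/10.0.0.11, the shared key and the local username are assumptions for illustration. SSH is used instead of telnet because telnet sends the credentials in clear text; the telnet form uses the same `TEST LOCAL` method list.

```cisco
! Added example, not from the original thread. Names, addresses, key and
! username below are assumed for illustration.
!
! TACACS+ server group. max-failed-attempts defaults to 3: a host is
! marked down after 3 consecutive failed transactions. reactivation-mode
! depletion keeps a down host out of rotation until every host in the
! group is down, then re-enables them all after deadtime minutes.
aaa-server ACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
!
! Two ACS hosts. The per-host timeout defaults to 10 seconds; a shorter
! value means a dead ACS is detected (and LOCAL reached) sooner.
aaa-server ACS (inside) host 10.0.0.10
 key MySharedSecret
 timeout 5
aaa-server ACS (inside) host 10.0.0.11
 key MySharedSecret
 timeout 5
!
! Local break-glass account, consulted only when the whole ACS group
! is unreachable (LOCAL is the last method in the lists below).
username admin password StrongLocalPassword privilege 15
!
! Login, enable and per-command authorization all try ACS first.
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
!
! Restrict where management sessions may come from.
ssh 10.0.0.0 255.255.255.0 inside
```

Two things to check after pasting this in: `show aaa-server ACS` reports each host's state (ACTIVE or FAILED) and failure counts, and `test aaa-server authentication ACS host 10.0.0.10 username admin password ...` exercises a single host without logging out. Expect the fallback to LOCAL to take roughly max-failed-attempts times the host timeout while the ASA is still convincing itself that a host is down; the default values of 3 attempts and 10 seconds are why a blocked ACS looks like a hang of about half a minute before the local password is accepted.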
08-22-2007 07:07 PM
I've input
aaa authentication telnet console
But I can only log in using the local username and password. I can't use ACS authentication. When I try to input:
aaa authentication telnet console
I can use ACS authentication, but when I deny access from the ASA to ACS, it does nothing except show a blank screen when I input the username and password and press Enter.
08-22-2007 07:10 PM
Enable debugs and check the status:
debug aaa authentication
debug tacacs
You should get an answer on whether it is falling back to local or not.
08-22-2007 07:32 PM
Hi rochopra,
I get your point, thanks hehehe.
But I found that it takes time to revert to LOCAL; as I see in the debug, it sent 3 times to ACS before reverting to LOCAL.