ACS 4.2 " Primary and Secondary"

Dear All,

I have two servers and installed ACS 4.2 on both of them. The primary one is configured well and all AAA clients authenticate successfully from it; database replication is also working fine between the two servers. The issue is that when the primary one goes down, the AAA clients are not authenticated from the secondary one.

Here is the configuration on all devices:

aaa new-model
!
!
aaa group server tacacs+ CISCO
 server 192.168.2.100
 server 192.168.2.101
!
aaa authentication login default group CISCO local
aaa authorization exec default group CISCO if-authenticated
!
!
tacacs-server host 192.168.2.100 timeout 5 key <KEY>
tacacs-server host 192.168.2.101 timeout 5 key <KEY>
!
line vty 0 15
 login authentication default
!

9 Replies

ceracaza08
Level 1

Hi Hassan,

Since you are using the tacacs+ group, there is no need for the lines below.

tacacs-server host 192.168.2.100 timeout 5 key <KEY>
tacacs-server host 192.168.2.101 timeout 5 key <KEY>

Another option to make sure that your secondary ACS is working fine: you can remove the primary ACS from your ACS group definition.

HTH

Regards,

Chris

Thanks for your reply.

OK, but regarding the server key, where can I configure it?

As in the ACS server I can't leave the password BLANK.

The key should match between your AAA client and your ACS server. Do you have access to your ACS server? I assume you know where to configure the "key".

I think you missed my point.

For the ACS server I configured a password for the AAA client <cisco>, and on the Cisco switch you said there is no need for "tacacs-server host 192.168.2.100 timeout 5 key <cisco>", so if I delete this line, where should I configure the key on the AAA client? Is it inside the group?

Yes, the key will be configured inside the group. Add "ip tacacs source-interface <>" inside the group.

When you do the test, ensure that the secondary is not reachable from the AAA client.

After doing what you told me it is still not working: only the primary server is working, and if it is down the AAA clients do not try to authenticate from the secondary server. The debug output shows that the AAA client tries to connect to the primary server "192.168.2.100" only and does not try to connect to the secondary server "192.168.2.101". Here is the new configuration:

aaa new-model
!
!
aaa group server tacacs+ CISCO
 server-private 192.168.2.100 key <>
 server-private 192.168.2.101 key <>
!
aaa authentication login default group CISCO line local
aaa authorization exec default group CISCO local if-authenticated
!
line vty 0 15
 login authentication default
!
Debug Output:

2y29w: TPLUS: Queuing AAA Authentication request 223 for processing
2y29w: TPLUS: processing authentication start request id 223
2y29w: TPLUS: Authentication start packet created for 223(user)
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000DF)/0/NB_WAIT/436B3AC: Started 5 sec timeout
2y29w: TPLUS(000000DF)/0/NB_WAIT: socket event 2
2y29w: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
2y29w: T+: session_id 1070861255 (0x3FD40BC7), dlen 32 (0x20)
2y29w: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
2y29w: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:14 (0xE) data_len:0
2y29w: T+: user:  user
2y29w: T+: port:  tty2
2y29w: T+: rem_addr:  192.168.xx.xx
2y29w: T+: data:  
2y29w: T+: End Packet
2y29w: TPLUS(000000DF)/0/NB_WAIT: wrote entire 44 bytes request
2y29w: TPLUS(000000DF)/0/READ: socket event 1
2y29w: TPLUS(000000DF)/0/READ: Would block while reading
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out
2y29w: TPLUS: Authentication start packet created for 223(user)
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out, clean up
2y29w: TPLUS(000000DF)/0/436B3AC: Processing the reply packet
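As an added illustration that is not part of this thread, a small Python check that reads this kind of TPLUS debug output and reports which members of the CISCO group the AAA client actually tried, how many attempts timed out, and which members were never contacted. The first sample is trimmed from the output above; the second "healthy failover" sample and its "Using server" line for the secondary are constructed assumptions, not taken from the post.

```python
import re

# Constructed sample: a trimmed copy of the TPLUS debug output quoted in this thread.
NO_FAILOVER_DEBUG = """\
2y29w: TPLUS: Queuing AAA Authentication request 223 for processing
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000DF)/0/NB_WAIT/436B3AC: Started 5 sec timeout
2y29w: TPLUS(000000DF)/0/READ: Would block while reading
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out, clean up
"""

# Constructed sample of a healthy failover (assumed to reuse the same
# "Using server" marker): the primary times out, then the secondary is tried.
FAILOVER_DEBUG = """\
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000E0)/0/READ/436B3AC: timed out
2y29w: TPLUS(000000E0)/0/READ/436B3AC: timed out, clean up
2y29w: TPLUS: Using server 192.168.2.101
2y29w: TPLUS(000000E0)/0/READ: socket event 1
"""

# Members of the "aaa group server tacacs+ CISCO" definition from the thread.
GROUP_SERVERS = ["192.168.2.100", "192.168.2.101"]

USING_SERVER_RE = re.compile(r"TPLUS: Using server (\d{1,3}(?:\.\d{1,3}){3})")

def classify(tried, timeouts, never_tried):
    """Verdict: did the client walk the group, or stall on one member?"""
    if len(tried) > 1:
        return "failover observed"
    if timeouts and never_tried:
        return ("single server timed out, no failover: check the shared key on "
                "both sides and the group server list")
    return "no timeout seen"

def analyze_tplus_debug(debug_text, group_servers):
    """Summarise which group members the AAA client actually tried."""
    tried, timeouts = [], 0
    for line in debug_text.splitlines():
        m = USING_SERVER_RE.search(line)
        if m:
            if m.group(1) not in tried:
                tried.append(m.group(1))
        elif line.endswith("timed out"):  # "timed out, clean up" is the same event
            timeouts += 1
    never_tried = [s for s in group_servers if s not in tried]
    return {"tried": tried, "timeouts": timeouts, "never_tried": never_tried,
            "verdict": classify(tried, timeouts, never_tried)}
```

Run it on the real debug capture from the switch: a result with one server in "tried" and the other in "never_tried" matches the symptom described in this thread.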

What is the ACS version you are running? Try to remove the primary server from your tacacs config and see the logs. It should point to the IP of the secondary.

Thanks for your help, it works now. The issue was with the TACACS password.

I just keep the secondary tacacs server in the group and it works fine; the issue is that when the primary one goes down the AAA client does not check the second TACACS server in the group.
