Cisco ACS 5.2 Authentication and Authorization process

vyas.nilay
Level 1

I am designing a network and I have been asked some questions which I am not sure how to answer, so I thought I would put them in the forum to see if I can get some help.

To start with, thanks a lot for reading this post, and thanks if you can add some feedback to help me out.

Setup:

Two ACS, one per data centre, in Hybrid mode; they serve the TACACS+ requests from the switches per DC and fall back to each other in the failure scenario.

ACS version 5.2, planning to upgrade to 5.8 if it is stable.

Desired result:

If a user fails authentication to AD then it should reject.

If AD fails on ACS then ACS should check the other ACS, and if the other ACS has an AD connection then it should divert the request to the other ACS.

I am sure it is not possible, but that was the primary request. I objected, so now the new request:

If AD fails then ACS should fall back to the local database. If the local database can't authenticate then it should allow the switch to send the same request to the secondary ACS rather than reject the request.

Reason behind it: the local database is only for network admins, but some contractor might need to access the switches or other devices and they will have an entry in AD, so if AD fails they can still authenticate against DC2 AD via DC2 ACS.

I am thinking of configuring:

Authentication rule 1 - authenticate against AD:

If authentication failed - Reject

If user not found - Reject

If process failed - Continue

That should go to the default, which will be the internal database:

If authentication failed - Reject

If user not found - Drop

If process failed - Drop

This should give no response to the switch, and then the switch should try the second RADIUS server in the list.

Could someone please explain this flow chart for me, and whether those are correct assumptions?

I would also like to know if there is some good flow chart which I can refer to to see the entire process and can use in my presentation.

Thanks a lot for reading it and replying to it.


3 Replies

Francesco Molino
VIP Alumni

Hi

I'm not sure I get your question; however, I'll try to answer it the way I've understood it.

If you send a drop as the result, it means ACS drops the request, causing the AAA client to retry and fail over to another AAA server.

A flow chart was already dropped on the community some years ago:

(https://supportforums.cisco.com/discussion/11811801/aaa-servers#3931298)

I hope this is what you were expecting.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks, that is a good help. However, there is one thing I would like to be more clear on.

If the ACS is configured as follows:

A user tries to log in with, say, user1, which is an AD user.

ACS has lost the connection to AD, but the switch still has the connection to ACS, so the switch will send a request to ACS.

ACS will try to authenticate against AD, and follow the flow chart for the following configuration.

Authentication rule 1 - authenticate against AD:

If authentication failed - Reject

If user not found - Reject

If process failed - Continue

As AD is not reachable, the process will fail and it will continue to the next or default rule, and follow the following checks.

That should go to the default, which will be the internal database:

If authentication failed - Reject

If user not found - Drop

If process failed - Drop

Now it will not find user1 in the local database because it is not there, so it drops the packet. Does it mean it will send no reply to the switch?

And if the switch does not receive any reply for the authentication request, will it try to go to another server by marking this one as a dead server?

See, the problem is if two users try at the same time: one is user1 and the second is admin.

Now admin is in the local database, so that will go through with step 2, so for the switch the server is live as it responds. But for user1 it drops the packet because it couldn't find the user, and if ACS does not reply then the server is dead for the switch. Is that a correct assumption?

If so, then it will push the dead timer to 10 min, and all following requests will go to the 2nd server, and the local user will no longer work. Am I right?

So, two questions here:

What happens with the dropped packet? What does the switch receive, if it receives anything, or does it trigger the server as dead for the switch?

Ta,

Nilay.

On RADIUS, drop means that the server does not respond to the NAD, and the NAD will treat it as if the RADIUS server is dead.

You have commands to manage dead status.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
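As an added illustration that is not part of this thread, the following Python model walks a request through the identity-store sequence Nilay laid out (AD first, then the internal database, with a Reject/Continue/Drop action per result) and through a switch that treats a silent server as dead for the 10-minute timer mentioned above, so the two-user scenario from the follow-up can be replayed. The store contents, the server names ACS-DC1/ACS-DC2 and the dead-timer handling are simplified assumptions, not Cisco's implementation.

```python
from dataclasses import dataclass, field

REJECT, CONTINUE, DROP = "reject", "continue", "drop"

@dataclass
class Store:
    users: object            # {user: password}; None models an unreachable store
    on_auth_failed: str      # the three per-result actions from the thread
    on_user_not_found: str
    on_process_failed: str
    def check(self, user, pwd):
        if self.users is None:
            return "process_failed"
        if user not in self.users:
            return "user_not_found"
        return "pass" if self.users[user] == pwd else "auth_failed"

def acs_authenticate(sequence, user, pwd):   # -> 'accept', 'reject' or 'drop'
    for store in sequence:                    # walk the identity-store sequence
        outcome = store.check(user, pwd)
        if outcome == "pass":
            return "accept"
        action = getattr(store, "on_" + outcome)
        if action != CONTINUE:
            return action
    return "reject"          # every store said continue: nobody authenticated

@dataclass
class Nad:
    servers: list            # [(server_name, store_sequence), ...] in order
    deadtime: int = 10       # minutes; the 10-minute dead timer cited above
    dead_until: dict = field(default_factory=dict)
    def login(self, user, pwd, now):
        for name, sequence in self.servers:
            if self.dead_until.get(name, -1) > now:
                continue     # still marked dead: skip it without asking
            result = acs_authenticate(sequence, user, pwd)
            if result == "drop":      # silence: mark dead and fail over
                self.dead_until[name] = now + self.deadtime
                continue
            return name, result
        return None, "no live server"

def scenario():   # constructed data: DC1 lost AD, DC2 still reaches it, admin is local-only
    dc1 = [Store(None, REJECT, REJECT, CONTINUE), Store({"admin": "adm"}, REJECT, DROP, DROP)]
    dc2 = [Store({"user1": "pw1"}, REJECT, REJECT, CONTINUE), Store({"admin": "adm"}, REJECT, DROP, DROP)]
    nad = Nad([("ACS-DC1", dc1), ("ACS-DC2", dc2)])
    return (nad.login("user1", "pw1", now=0),   # DC1 drops -> dead -> DC2 accepts
            nad.login("admin", "adm", now=1),   # DC1 skipped; DC2's AD rejects admin
            nad.login("admin", "adm", now=10))  # timer expired: DC1 accepts locally
```

The second login is the case Nilay worried about: once the first drop has marked ACS-DC1 dead, the local-only admin is sent to ACS-DC2, whose AD rule rejects the unknown user before its internal store is ever consulted, until the dead timer expires.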