Device login fallback to ACS incae External Identity Store is not available

acharyr123 · ‎05-09-2012

Hi,

I have Cisco ACS 5.1 running in TACACS+ mode. For 2 way authentication purpose i do have a 3rd party Radius Identity Store. ACS & the 3rd party Radius server is integrated via Radius. Currently device login process works something like below:

User wants to login to cisco device sends TACACS+ request to ACS-> ACS forwards the same request to the Radius server-> Radius server generates a six digit token to the user. This is perfectly working.

I want, device login should fallback to ACS incase my 3rd party Radius Server is down.

In Radius Identity Sequence, i have put (1) Radius Server (2) Local Users & tested, but it didn't work...

In the logs i can find, each & every request is going to the Radius server & there is a timeout message...

Can someone suggest me...

jrabinow · ‎05-10-2012

This issue is resolved in ACS 5.3. In the identity sequence there is an advanced option:

If access to the current identity store failed

[ ] Break Sequence

[ ] Continue to next identity store in the sequence

Access to the identity store is considered to have failed if can't establish communicaiton; as in your case where there is a timeout. By default the "Break Sequence" option is selected and no further processing of the identity sequence is donr

If you select "Continue to next identity store in the sequence" it will process the next store in the sequence in case there is a timeout.

Realize that you are only on ACS 5.1 and this would require an upgrade......

(note that if you upgrade to ACS 5.3 it is recommended to immediately install patch 4)