05-14-2011 10:22 PM - last edited on 03-25-2019 05:27 PM by ciscomoderator
I am getting ready to install a new ACS 5.1 server to replace my current 4.1 acs box. I wanted to start off with a fresh install rather than upgrading all of my 4.1 data.
Can I have devices (ASA for VPN authentication, routers & switches for user authentication) use both for authentication while I get all the users configured in the new box?
Thanks,
Doug
05-15-2011 02:00 PM
Doug,
You can have any network device point to both of the ACS servers for authentication; however, if I understand your question correctly, you probably want the ASA or the network device to point to the ACS 4.1 unit only if the user doesn't exist in the ACS 5.x appliance. Is that correct?
If so, you will not be able to deploy this configuration, since the ACS will send a valid response if the user isn't present in its configuration. Therefore the ASA or network device group will deny the session and not use the next radius server configured.
The only intent of configuring multiple radius or tacacs servers is the case where one goes down and stops replying to authentication requests; the dead-criteria is then met and the next server is used for authentication.
One approach is to phase the new ACS appliance into your network and use the other ACS appliance as a backup, so if you run into any issues you can place the old one back into production, then correct what went wrong with the primary.
Hope this helps,
Tarik
05-15-2011 04:55 PM
What I was hoping to do is have both the 4.1 box and the 5.1 box defined, and have it use the 4.1 box first and, if that failed, then try the 5.1 box.
Any suggestions on how to accomplish this, if it is possible?
Thanks,
Doug
06-11-2011 11:53 PM
Hi,
I think you can do that. Try defining an AAA server group. Define both the servers in the group. Use this server group in the method lists on the routers and switches. You can use this AAA server group for the VPN authentication as well.
Cisco ASA configured with two AAA servers under the server group called mygroup (the group must be created with its protocol before hosts can be added to it):
Chicago# configure terminal
Chicago(config)# aaa-server mygroup protocol radius
Chicago(config-aaa-server-group)# exit
Chicago(config)# aaa-server mygroup host 172.18.124.11
Chicago(config-aaa-server-host)# retry-interval 3
Chicago(config-aaa-server-host)# timeout 30
Chicago(config-aaa-server-host)# key cisco123
Chicago(config-aaa-server-host)# exit
Chicago(config)# aaa-server mygroup host 172.18.124.12
Chicago(config-aaa-server-host)# retry-interval 3
Chicago(config-aaa-server-host)# timeout 30
Chicago(config-aaa-server-host)# key cisco123
Chicago(config-aaa-server-host)# exit
Chicago(config)# exit
AAA server group on router:
Router(config)# aaa group server {tacacs+ | radius} group-name
Router(config-sg-radius)# server 1.1.1.1
Router(config-sg-radius)# server 2.2.2.2
Router(config-sg-radius)# server 3.3.3.3
Router(config-sg-radius)# end
Hope this helps.
Regards,
Anisha
P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
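As an added illustration (not from any poster in this thread) of why the server group above does not give the fallback Doug asked for: a NAS walking the group only moves to the next server when the current one stops answering, while an Access-Reject is a valid answer that ends the attempt. The server names, users and outcomes below are constructed sample data.

```python
# Added example: models how a NAS walks an AAA server group (RADIUS semantics),
# as described in the thread. Servers, users and outcomes are constructed sample data.
from dataclasses import dataclass

ACCEPT, REJECT, TIMEOUT = "Access-Accept", "Access-Reject", "timeout"

@dataclass
class AaaServer:
    name: str
    users: dict             # username -> password known to this server
    reachable: bool = True  # False models a server that never answers

    def query(self, user, password):
        if not self.reachable:
            return TIMEOUT
        return ACCEPT if self.users.get(user) == password else REJECT

def authenticate(group, user, password, retries=3):
    """Walk the group in order. Only a server that fails to answer after
    `retries` attempts (dead criteria met) causes fallthrough to the next one.
    Returns (outcome, name of the server that answered or None, trace)."""
    trace = []
    for srv in group:
        for attempt in range(1, retries + 1):
            result = srv.query(user, password)
            trace.append((srv.name, attempt, result))
            if result != TIMEOUT:
                # Accept or Reject is a valid response: stop here, no fallthrough
                return result, srv.name, trace
        # every retry timed out -> server declared dead, try the next one
    return TIMEOUT, None, trace

# constructed sample: old ACS 4.1 knows only 'legacy'; new ACS 5.1 knows 'newuser'
ACS41 = AaaServer("acs-4.1", {"legacy": "pw1"})
ACS51 = AaaServer("acs-5.1", {"newuser": "pw2"})
GROUP = [ACS41, ACS51]

def migration_scenario():
    """User exists only on the second server: the Reject from the first ends it."""
    return authenticate(GROUP, "newuser", "pw2")[:2]

def outage_scenario():
    """First server down: timeouts meet the dead criteria, second server answers."""
    down = [AaaServer("acs-4.1", {"legacy": "pw1"}, reachable=False), ACS51]
    return authenticate(down, "newuser", "pw2")[:2]

if __name__ == "__main__":
    print(migration_scenario())  # user rejected by acs-4.1, acs-5.1 never asked
    print(outage_scenario())     # acs-4.1 dead, acs-5.1 accepts
```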