Dual authentication (ACS 4.1 and ACS 5.1)

DOUG DAVIDSON
Level 5

I am getting ready to install a new ACS 5.1 server to replace my current 4.1 acs box. I wanted to start off with a fresh install rather than upgrading all of my 4.1 data.

Can I have devices (ASA for VPN authentication, routers & switches for user authentication) use both for authentication while I get all the users configured in the new box?

Thanks,

Doug

3 Replies

Tarik Admani
VIP Alumni

Doug,

You can have any network device point to both of the ACS servers for authentication; however, if I understand your question correctly, you probably want the ASA or the network device to point to the ACS 4.1 unit only if the user doesn't exist in the ACS 5.x appliance. Is that correct?

If so, you will not be able to deploy this configuration, since the ACS will send a valid response if the user isn't present in its configuration. Therefore the ASA or network device group will deny the session and not use the next radius server configured.

The only intent of configuring multiple radius or tacacs servers is that if one were to go down and stop replying to authentication requests, then the dead criteria are met and the next server is used for authentication.

One approach to use is to phase the new ACS appliance in your network, and then use the other acs appliance as a backup so if you run into any issues you can place the old one back into production, then correct what went wrong with the primary.

Hope this helps,

Tarik
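The behaviour Tarik describes, as an added simulation (not code from this thread or from Cisco): a server group walks its list, an Access-Reject from a live server is a final answer, and only a non-responding server (timeout, dead criteria met) causes the next server to be tried. Server names, user database contents and the timeout model are constructed assumptions.

```python
from dataclasses import dataclass, field

REJECT, ACCEPT, TIMEOUT = "reject", "accept", "timeout"


@dataclass
class AAAServer:
    """Stand-in for one RADIUS/TACACS+ server with a local user store."""
    name: str
    users: dict  # constructed: username -> password
    alive: bool = True

    def authenticate(self, user, password):
        if not self.alive:
            return TIMEOUT  # no reply at all: dead criteria will be met
        if self.users.get(user) == password:
            return ACCEPT
        return REJECT  # a reply, so the network device treats it as final


@dataclass
class ServerGroup:
    """Models a device-side AAA server group trying servers in order."""
    servers: list
    trail: list = field(default_factory=list)  # (server, result) per attempt

    def authenticate(self, user, password):
        self.trail = []
        for srv in self.servers:
            result = srv.authenticate(user, password)
            self.trail.append((srv.name, result))
            if result != TIMEOUT:
                return result  # accept or reject both end the attempt
        return TIMEOUT  # every server in the group was unresponsive


# Constructed data: "doug" exists only on the new ACS 5.1 box.
acs41 = AAAServer("acs-4.1", {"alice": "pw1"})
acs51 = AAAServer("acs-5.1", {"alice": "pw1", "doug": "pw2"})
group = ServerGroup([acs41, acs51])


def migration_scenario():
    """User only on the second server: rejected by the first, never reaches the second."""
    return group.authenticate("doug", "pw2"), list(group.trail)


def outage_scenario():
    """First server down: timeout, so the group falls through to the second."""
    acs41.alive = False
    try:
        return group.authenticate("doug", "pw2"), list(group.trail)
    finally:
        acs41.alive = True
```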

What I was hoping to do is have both the 4.1 box and the 5.1 box defined, and have it use the 4.1 box first and, if that failed, then try the 5.1 box.

Any suggestions on how to accomplish this, if it is possible?

Thanks,

Doug

Hi,

I think you can do that. Try defining an aaa server group. Define both the servers in the group. Use this server group in the method lists on the routers and switches. You can use this aaa server group on the VPN authentication as well.

Cisco ASA configured with two AAA servers under the server group called mygroup.

Chicago# configure terminal
! The group must be created with its protocol before hosts can be added
! (radius assumed here; use tacacs+ if that is what the devices speak)
Chicago(config)# aaa-server mygroup protocol radius
Chicago(config)# aaa-server mygroup host 172.18.124.11
Chicago(config-aaa-server)# retry-interval 3
Chicago(config-aaa-server)# timeout 30
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
Chicago(config)# aaa-server mygroup host 172.18.124.12
Chicago(config-aaa-server)# retry-interval 3
Chicago(config-aaa-server)# timeout 30
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
Chicago(config)# exit

AAA server group on router:

Router(config)# aaa group server {tacacs+ | radius} group-name
! each server listed here must also be defined globally (e.g. radius-server host <ip> key <key>)
Router(config-sg-radius)# server 1.1.1.1
Router(config-sg-radius)# server 2.2.2.2
Router(config-sg-radius)# server 3.3.3.3
Router(config-sg-radius)# end

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.