How to configure Radius failover in ACS 5.1

kianhowtan
Level 1

Hi,

I need to configure the ACS 5.1 to meet the following requirements:

1. ACS 5.1 will point to an RSA SecurID as the first authentication mechanism for the validation of user credentials.

2. In the event that the RSA SecurID is not reachable, the ACS 5.1 shall point to its local user database.

I had no problem configuring point (1), but I am not able to let it fail over to the local user database.

Can any expert out there advise on the configuration portion?

regards

11 Replies

Nicolas Darchis
Cisco Employee

In the users and identity menu, click on "identity store sequence".

Create a new sequence that will be composed of your RSA and then the internal store.

In your service policy, instead of pointing the identity store to the RSA server, point it to the sequence you created.

Regards,

Nicolas

Hi Nicolas,

Thanks for the help.

I tried out your method, but I am still encountering the "same" problem.

When I bring down the RSA server, my internal account is still not able to log in successfully.

From the logging, the failure is due to the "invalid account" in my RSA server (so apparently it did not roll over to the internal store for the next authentication sequence).

This is what I configured:

I defined "Authentication_Sequence" under the "identity store sequence".

> RSA

> Internal Hosts

Then under Access Policy (Default Network Access),

I selected "Authentication_Sequence" under the identity field.

Not too sure where I missed out.

regards

The configuration seems correct. However, it would seem that ACS doesn't realize that the RSA is down. How did you turn the RSA down? Off completely?

I just simply disconnected the RSA server from the network so that ACS would not be able to reach the RSA.

Hi,

To add on, the error is saying that the authentication failure is due to 'ACS is not able to establish a connection to the RSA server'.

Strange ...

I didn't play much with RSA server failover. It should fail over in my opinion, but ...

It is indeed quite strange.

I found one old thread that was quite similar to my problem :

https://supportforums.cisco.com/thread/2052480

I tried out the setting, but the problem still persists.

Besides the sequence setting, is there any setting that indicates the timeout value for an authentication store to declare "failure" and fail over to the second store?

Hi,

Are you aware of this bug :

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl05416

which could be related to my problem?

regards

That bug is not related. It's about Active Directory. Your problem is RSA ...

This is the reply from the TAC engineer,

"
> I believe that you are hitting this bug:
>
> http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl05416
>
> While the notes for this bug talk about problems with AD, the same problem applies to _any_ identity sequence that you create.
>
> For example, if you create an Identity Store Sequence with the Identity Stores A and B, the ACS will _not_ go to Identity B if Identity Store A is not available. It does not matter what the order of identity stores is in the sequence. This is a known issue with ACS 5.2 and there is no workaround.
>
> This problem will be resolved in the next release of ACS, which will be ACS 5.3. The 5.3 release will allow you to select what action is to take place if an Identity Store becomes unavailable.
"

So I would like to seek your opinion. In addition, I also found this article:

http://blog.pbmit.com/digipass2
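The distinction the TAC reply turns on is between a store that answers "no such user" and a store that cannot be reached at all. The following model is an added illustration for this thread, not ACS code or anything from Cisco: it walks an identity store sequence (RSA first, internal store second) and lets you choose what happens when a store is unreachable, which is the knob the TAC reply attributes to 5.3. The store names, the sample credentials, the exception types and the `on_unavailable` setting are all assumptions of the model; the "user not found moves to the next store, wrong password does not" rule is the model's own assumption about sequence semantics.

```python
"""Model of an identity store sequence with a configurable unavailable-store action.

Added illustration for the thread above; it is not ACS code. All names,
credentials and the on_unavailable policy are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class StoreUnavailable(Exception):
    """The store could not be reached (e.g. RSA server pulled off the network)."""


class UserNotFound(Exception):
    """The store answered, but has no such user."""


@dataclass
class Store:
    name: str
    users: Dict[str, str]       # constructed sample credentials, user -> secret
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> bool:
        if not self.reachable:
            raise StoreUnavailable(self.name)
        if user not in self.users:
            raise UserNotFound(self.name)
        return self.users[user] == password


@dataclass
class Sequence:
    stores: List[Store]
    # "reject" models the 5.2 behaviour described by TAC: an unreachable
    # store ends the sequence with a failure. "continue" models the selectable
    # action the TAC reply says 5.3 adds: move on to the next store.
    on_unavailable: str = "reject"
    log: List[str] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> bool:
        for store in self.stores:
            try:
                ok = store.authenticate(user, password)
            except UserNotFound:
                self.log.append(f"{store.name}: user not found, trying next store")
                continue
            except StoreUnavailable:
                if self.on_unavailable == "continue":
                    self.log.append(f"{store.name}: unreachable, trying next store")
                    continue
                self.log.append(f"{store.name}: unreachable, authentication rejected")
                return False
            # A definite answer (accept or bad password) ends the sequence;
            # a wrong password must never fall through to a weaker store.
            self.log.append(f"{store.name}: {'accepted' if ok else 'bad password, rejected'}")
            return ok
        self.log.append("no store knows this user, rejected")
        return False


def build(rsa_up: bool, on_unavailable: str = "reject") -> Sequence:
    """Assemble the RSA -> Internal Users sequence from the thread."""
    rsa = Store("RSA", {"alice": "1234567890"}, reachable=rsa_up)          # constructed
    internal = Store("Internal Users", {"localadmin": "s3cret"})          # constructed
    return Sequence([rsa, internal], on_unavailable=on_unavailable)


def scenario(rsa_up: bool, on_unavailable: str, user: str, password: str):
    """Run one login attempt and return (result, log lines)."""
    seq = build(rsa_up, on_unavailable)
    result = seq.authenticate(user, password)
    return result, seq.log


if __name__ == "__main__":
    cases = [
        (True, "reject", "localadmin", "s3cret"),    # RSA up: falls through on "not found"
        (False, "reject", "localadmin", "s3cret"),   # the poster's symptom: RSA down, rejected
        (False, "continue", "localadmin", "s3cret"), # the behaviour the poster wants
        (True, "continue", "alice", "wrong"),        # bad RSA token code: no fall-through
    ]
    for rsa_up, policy, user, pw in cases:
        result, log = scenario(rsa_up, policy, user, pw)
        print(f"rsa_up={rsa_up} policy={policy} user={user}: {'ACCEPT' if result else 'REJECT'}")
        for line in log:
            print("   ", line)
```

Run stand-alone it prints the four cases; the second one reproduces the thread's symptom (RSA unreachable, internal account rejected even though it sits second in the sequence), and the third shows what a "continue on unavailable" action changes. The last case is the security caveat worth keeping in mind when that action is enabled: the sequence should only advance on "unreachable" or "user not found", never on a failed credential check, or a pulled network cable would let a weaker store override the token check.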

Well if you have a TAC case ...

He logically spent time working on it and possibly checked cases affected by that bug.

As this is a forum, I'm rarely working more than a few minutes for each reply I give, so I would trust that answer over mine.

However, the bug is still Assigned and not marked as resolved yet. It was marked to be fixed for 5.3, but if it's not resolved yet, it won't be fixed in the 5.3 release that comes out in 2 months ;-)