06-19-2013 01:27 AM - edited 03-10-2019 08:33 PM
Hello,
We set up two ACS's in a PRI/SEC relationship, as evidenced from their respective consoles
acs1/admin# sho appl status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'adclient' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
and
acs2/admin# sho app status acs
ACS role: SECONDARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'adclient' running
From both the ACS1 and ACS2 HTTPS GUI, we observe (Syst Admin > Operations > Distrib Syst Mgt) the same status and relationship:
ACS1 : Primary - online
ACS2 : Secondary - online - Replication status Updated (with a recent last update)
When testing failover :
1/ Disconnect ACS1 by disabling the switchport it connects to
2/ Trigger a reauth from a phone+PC endpoint by shut/noshut of its switchport
3/ Authentication OK against ACS2, as shown on the console of the access switch of the phone/PC
4/ PC/Phone authorized, get their DHCP address and operate normally
5/ https to ACS2 ===> returns pull down menus at the left + blank content in main panel
selecting sys admin > local oper (or any other item) from the pull-down menu ===> returns 'ACS not found or internal server error'
So, when ACS1 is unreachable, we cannot do anything with ACS2's webinterface!
6/ Reconnect ACS1 by re-enabling its switchport
7/ HTTPS to ACS1 ===> returns pull down menus at the left + blank content in main panel + ACS : resource not found or Internal Server Error
So, none of the ACS's are manageable through the web interface!
Note that both ACS's show on the SSH console normal application status and normal PRI/SEC roles, the same as in the pre-state shown at the beginning here.
To recover :
Stop/Restart ACS1's apps (app stop/start acs)
HTTPS to ACS1 when all 9 apps are back (takes 7 min) ==> OK now
to Distrib Syst Mgt : ACS1 = PRI/Online, ACS2 = SEC/Online with pending replication, changing to 'updated' replication after 2 min (hence OK)
HTTPS to ACS2 : still nothing more than left-hand pulldown menu + ACS resource not found or internal server error.
SSH to ACS2 : all four apps are there 'running', just normal (see above screenshot for reference)
Stop/Restart ACS2's apps (app stop/start acs)
from now HTTPS to ACS2 is normal
Note also that during the period of unreachability of ACS1, the monitoring/reporting does not show any authentication entries! It seems that only ACS1 is able not only to launch the monitoring & event reporter, but also to capture the relevant auth records.
What do we miss here that prevents us
- to manage ACS secondary when ACS primary is unreachable?
- to ensure continuous authentication logging and reporting while ACS primary is unreachable?
- to ensure automatic recovery of HTTPS accessibility to both ACS1 and 2 when ACS1 returns?
Tx.
06-23-2013 12:37 AM
What you have described is the normal behavior.
You need to separate two different features:
1) As radius servers both ACS1 and ACS2 work all the time. You could say they are "active-active". If you deploy for example ACS3 and ACS4 then all four ACS will be active at the same time.
2) As "ACS admin" you can only have one "ACS admin" at a time. There's no automatic failover. If your "primary ACS admin" fails then you have to login to the "secondary ACS admin" and do the failover manually.
Please rate if that helps
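As an added illustration of the point made in this answer (not code from the thread or from Cisco): the console output quoted in the question shows that only the PRIMARY node lists the five view-* processes, which is why monitoring/reporting stops when ACS1 is unreachable. This small parser reads `show application status acs` output and flags a node that cannot provide the View role; the sample outputs are constructed from the question, and the process-name sets are assumptions based on that output.

```python
import re
from dataclasses import dataclass

# Processes of the ACS View (monitoring & reporting) component; in the quoted
# output only the PRIMARY node runs them (assumption drawn from that output).
VIEW_PROCESSES = {
    "view-database", "view-jobmanager", "view-alertmanager",
    "view-collector", "view-logprocessor",
}
# Core processes both nodes show as running in the quoted output.
CORE_PROCESSES = {"database", "management", "runtime", "adclient"}

ROLE_RE = re.compile(r"^ACS role:\s*(\S+)")
PROC_RE = re.compile(r"^Process '([^']+)'\s+(\S+)")

# Constructed sample output, copied from the question above.
PRIMARY_OUTPUT = """acs1/admin# sho appl status acs
ACS role: PRIMARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'adclient' running
Process 'view-database' running
Process 'view-jobmanager' running
Process 'view-alertmanager' running
Process 'view-collector' running
Process 'view-logprocessor' running
"""
SECONDARY_OUTPUT = """acs2/admin# sho app status acs
ACS role: SECONDARY
Process 'database' running
Process 'management' running
Process 'runtime' running
Process 'adclient' running
"""

@dataclass
class AcsStatus:
    role: str
    processes: dict  # process name -> reported state

def parse_status(output: str) -> AcsStatus:
    """Extract the ACS role and per-process state; prompt lines are ignored."""
    role, procs = "UNKNOWN", {}
    for line in output.splitlines():
        line = line.strip()
        if m := ROLE_RE.match(line):
            role = m.group(1).upper()
        elif m := PROC_RE.match(line):
            procs[m.group(1)] = m.group(2)
    return AcsStatus(role, procs)

def health_findings(status: AcsStatus) -> list:
    """Return human-readable findings; an empty list means the node looks healthy."""
    findings = []
    for name in sorted(CORE_PROCESSES):
        state = status.processes.get(name)
        if state != "running":
            findings.append(f"core process '{name}' is {state or 'missing'}")
    view_present = VIEW_PROCESSES & set(status.processes)
    if status.role == "PRIMARY" and view_present != VIEW_PROCESSES:
        findings.append("primary is missing View processes: monitoring/reporting unavailable")
    if status.role == "SECONDARY" and not view_present:
        findings.append("secondary runs no View processes: no auth reporting while primary is unreachable")
    return findings
```

Run `health_findings(parse_status(PRIMARY_OUTPUT))` and the SECONDARY equivalent: the primary returns no findings, the secondary returns the single View-role warning, matching the behaviour the question describes.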