11-09-2006 03:32 PM - edited 03-10-2019 02:50 PM
I have remote users that connect to the corporate network via VPN terminating on a VPN3k at the primary site. These users are authenticated and given IP addresses by Cisco Secure ACS. There is a backup site where the backup ACS is deployed. I would like the remote users to be authenticated by the backup ACS when the primary is unavailable. Each ACS is configured with subnets that are advertised at its location. In other words, the IP addresses that are given to the remote users are from different ranges. Is it possible to configure the ACS to give the remote users an IP address from the range deployed at the primary site when they are connecting to the VPN3k located at the primary site but are being authenticated by the ACS from the backup site?
11-09-2006 08:42 PM
With VPN hardware clients, I have done just this by using VRRP on the VPN concentrators with RRI (Reverse Route Injection).
The issue is that you need the 'network' to learn about the presence of the IP address residing off the back-up VPN concentrator.
Can this be done for software clients? I don't know...
11-10-2006 09:35 PM
Per the documentation, you can setup RRI for software clients.
~Troy
11-10-2006 10:16 PM
Dylan,
I recognized that I didn't really answer your question. You may have both ACS servers serve the same IP address to the client regardless of which VPN Concentrator is active. The key element is the advertisement of the client's IP address back into the network. If you are running OSPF/RIP then you may have the VPN Concentrator advertise the client's IP address via OSPF (or RIP) back into the network.
The ramification is the number of 32-bit mask routes that you may be injecting into your network.
Cheers,
Troy
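The ramification Troy raises above (one /32 host route per connected client injected by RRI) is easiest to gauge by looking at what the rest of the network actually learns. The following is an added example, not code from the original thread or from Cisco: it parses constructed IOS-style `show ip route` lines (addresses, next hops and protocol codes are illustrative, not from any real deployment) and counts the /32 routes inside a hypothetical client pool per next hop, i.e. per concentrator. The pool 10.200.0.0/16, the concentrator addresses 10.1.1.10 and 10.2.1.10, and the function names are all assumptions.

```python
"""Count per-client /32 host routes that RRI has injected into a routing table.

Added example, not from the original thread. Input is constructed IOS-style
`show ip route` output; a practitioner would paste the real output in instead.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample output in the style of IOS `show ip route`.
# Addresses, next hops, timers and interfaces are illustrative only.
SAMPLE_ROUTES = """\
O E2    10.200.1.5/32 [110/20] via 10.1.1.10, 00:04:11, GigabitEthernet0/1
O E2    10.200.1.6/32 [110/20] via 10.1.1.10, 00:03:52, GigabitEthernet0/1
O E2    10.200.1.9/32 [110/20] via 10.1.1.10, 00:01:07, GigabitEthernet0/1
O E2    10.200.2.15/32 [110/20] via 10.2.1.10, 00:09:40, GigabitEthernet0/2
O       10.50.0.0/24 [110/2] via 10.1.1.1, 02:11:03, GigabitEthernet0/1
C       10.1.1.0/24 is directly connected, GigabitEthernet0/1
"""

# Protocol code (optionally followed by an OSPF external tag such as E2),
# the prefix, and, when present, the "via <next hop>" part of the line.
ROUTE_RE = re.compile(
    r"^(?P<code>\S+(?:\s+E[12])?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:.*?via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+))?"
)


def parse_routes(text):
    """Return a list of (protocol_code, IPv4Network, next_hop_or_None)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, continuation lines, anything not a route
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        routes.append((m.group("code"), net, m.group("nexthop")))
    return routes


def injected_host_routes(text, client_pool):
    """Return {next_hop: count} of /32 routes that fall inside client_pool.

    With RRI every connected client appears as one host route whose next hop
    is the concentrator terminating it, so the count per next hop is both the
    number of clients on that concentrator and the number of extra prefixes
    the rest of the network has to carry for it.
    """
    pool = ipaddress.ip_network(client_pool)
    counts = Counter()
    for _code, net, nexthop in parse_routes(text):
        if net.prefixlen == 32 and net.subnet_of(pool) and nexthop:
            counts[nexthop] += 1
    return counts


if __name__ == "__main__":
    # Hypothetical client pool; replace with the range ACS hands out.
    for hop, n in injected_host_routes(SAMPLE_ROUTES, "10.200.0.0/16").items():
        print(f"{n} client /32 route(s) via {hop}")
```

Running it against real `show ip route` output from a core router shows how many host routes each concentrator is injecting and whether the backup concentrator's clients are being learned at all, which is the "network must learn about the presence of the IP address" condition from the earlier reply.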