Two ACS Server failover

zhohuang
Level 1

Hi all,

We have an ASA firewall, and we want to authenticate login users with an ACS server.

In order to eliminate a single point of failure, we built two ACS servers and made one the backup; we also use two protocols, TACACS+ and RADIUS.

I just want to know how long it will take, if the active ACS server fails, before the login is authenticated by the standby ACS.

I have no idea about any "keyword" to search, so please kindly help me, or could you provide a doc; I will learn it by myself.

Thank you very much.

5 Replies

Jatin Katyal
Cisco Employee

Generally in failover scenarios we create AAA server group on ASA. The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if configured. If all servers in the group are unavailable, the security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the security appliance continues to try the AAA servers.

To create a server group and add AAA servers to it, follow these steps:

Step 1 For each AAA server group you need to create, follow these steps:

a.] Identify the server group name and the protocol. To do so, enter the following command:

hostname(config)# aaa-server server_group protocol radius

For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.

You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group can have up to 16 servers in single mode or up to 4 servers in multi-mode.

When you enter an aaa-server protocol command, you enter group mode.

b.] If you want to specify the maximum number of requests sent to an AAA server in the group before trying the next server, enter the following command:

hostname(config-aaa-server-group)# max-failed-attempts number

The number can be between 1 and 5. The default is 3.

Also, the default timeout for a server is 5 seconds, so if the first server in the group is not responding, the ASA will take 5 seconds * 3 attempts = 15 seconds before it tries the second server in the group.

If all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried, which could be the LOCAL database as well. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step.

If you do not have a fallback method, the security appliance continues to retry the servers in the group.

c.] If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, enter the following command:

hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}

Where the depletion keyword reactivates failed servers only after all of the servers in the group are inactive.

The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default is 10 minutes.

The timed keyword reactivates failed servers after 30 seconds of down time.

Hope this helps.

Regards,

Jatin

Do rate helpful posts-

~Jatin

Hi sir,

I truly appreciate it; it helped me solve the problem.

I have another two questions:

If the first ACS server fails for a long time, the ASA needs to attempt it every time by sending requests, and it may cost 30s, which seems to be a waste of time.

1/ Is there any mechanism by which the ASA skips the failed device and attempts the second device first?

2/ If the formerly failed device returns to normal, is there any mechanism by which the ASA will switch over to sending requests to this ACS server first?

Best regards,

Zhongyu Huang

hostname(config-aaa-server-group)# reactivation-mode timed

When you use this command in addition to your aaa command, then in case your PRIMARY RADIUS server goes down and the ASA switches over to the SECONDARY RADIUS server, the timed keyword will help by checking the status of the PRIMARY server every 30 seconds, and that would not be transparent to the end user.

Regards,

Jatin

-Do rate helpful request.

~Jatin
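As an added example, not taken from Jatin's posts or from the ASA documentation, here is how steps a to c from the first reply and the reactivation-mode timed tweak from the reply above fit together in one ASA configuration: a RADIUS group and a TACACS+ group, each with a primary and a backup ACS, the default max-failed-attempts and 5 s timeout written out explicitly, timed reactivation so the primary is re-probed after 30 s, and a LOCAL fallback for management logins. The group names ACS-RADIUS and ACS-TACACS, the interface name inside, the addresses 10.0.0.11 and 10.0.0.12, and the placeholder keys and password are assumptions, not values from the thread.

```cisco
! Assumed names and addresses (example, not from the thread):
! groups ACS-RADIUS / ACS-TACACS, interface "inside", ACS hosts 10.0.0.11 (primary) and 10.0.0.12 (backup)
!
! Step a: RADIUS group for network-access authentication
aaa-server ACS-RADIUS protocol radius
! Step b: requests per server before moving to the next one (3 is the default)
 max-failed-attempts 3
! Step c: re-probe a failed server after 30 seconds instead of waiting for depletion
 reactivation-mode timed
! Primary ACS; 5 s per request x 3 attempts = 15 s before the backup is tried
aaa-server ACS-RADIUS (inside) host 10.0.0.11
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
 timeout 5
! Backup ACS
aaa-server ACS-RADIUS (inside) host 10.0.0.12
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
 timeout 5
!
! Step a again: separate TACACS+ group for CLI / management access
aaa-server ACS-TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server ACS-TACACS (inside) host 10.0.0.11
 key <TACACS-SHARED-SECRET-PLACEHOLDER>
 timeout 5
aaa-server ACS-TACACS (inside) host 10.0.0.12
 key <TACACS-SHARED-SECRET-PLACEHOLDER>
 timeout 5
!
! Management authentication: try the TACACS+ group, then the local database.
! The LOCAL fallback only applies to management authentication/authorization,
! so a dead group cannot lock administrators out of the box.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
username admin password <LOCAL-PASSWORD-PLACEHOLDER> privilege 15
```

After applying it, show aaa-server ACS-TACACS lists each host's state (ACTIVE or FAILED) and request counters, and test aaa-server authentication ACS-TACACS host 10.0.0.11 username <user> password <password> exercises one server without logging in. Note that until the ASA has marked the primary as FAILED, every login still pays the timeout x max-failed-attempts delay described in the first reply before the backup is tried; lowering timeout or max-failed-attempts shortens that window at the cost of declaring a slow server dead sooner.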

Hi sir ,

It is very kind of you; thank you so much again!

Best regards,

Zhongyu Huang

From: jkatyal

Date: 2011-11-23 17:39

To: Zhongyu Huang

Subject: - Re: Two ACS Server failover


A little bit more explanation for you.

https://supportforums.cisco.com/message/3931298#3931298

Jatin Katyal


- Do rate helpful posts -

~Jatin