11-22-2011 08:58 AM - edited 03-10-2019 06:34 PM
Hi all,
We have an ASA firewall, and we want to authenticate login users via an ACS server.
In order to eliminate a single point of failure, we built two ACS servers and made one the backup; we also use two protocols, TACACS+ and RADIUS.
I just want to know how long it will take, if the active ACS server fails, before the login is authenticated by the standby ACS.
I have no idea what "keyword" to search for, so please kindly help me, or could you provide a doc? I will learn it by myself.
Thank you very much.
11-22-2011 05:38 PM
Generally in failover scenarios we create an AAA server group on the ASA. The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if configured. If all servers in the group are unavailable, the security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the security appliance continues to try the AAA servers.
To create a server group and add AAA servers to it, follow these steps:
Step 1 For each AAA server group you need to create, follow these steps:
a.] Identify the server group name and the protocol. To do so, enter the following command:
hostname(config)# aaa-server server_group protocol radius
For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.
You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group can have up to 16 servers in single mode or up to 4 servers in multi-mode.
When you enter an aaa-server protocol command, you enter group mode.
b.] If you want to specify the maximum number of requests sent to an AAA server in the group before trying the next server, enter the following command:
hostname(config-aaa-server-group)# max-failed-attempts number
The number can be between 1 and 5. The default is 3.
Also, the default timeout for a server is 5 seconds, so if the first server in the group is not responding the ASA will take 5 seconds * 3 attempts = 15 seconds before it tries the second server in the group.
If all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried, which could be the LOCAL database as well. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step.
If you do not have a fallback method, the security appliance continues to retry the servers in the group.
c.] If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, enter the following command:
hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}
Where the depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default is 10 minutes.
The timed keyword reactivates failed servers after 30 seconds of down time.
Hope this helps.
Regards,
Jatin
Do rate helpful posts-
11-22-2011 06:38 PM
Hi sir,
I truly appreciate it; it helped me solve the problem.
I have another two questions:
If the first ACS server has failed for a long time, the ASA still needs to try it every time by sending a request, which may cost 30s; that seems to be a waste of time.
1/ Is there any mechanism by which the ASA skips the failed device and tries the second device first?
2/ If the formerly failed device returns to normal, is there any mechanism by which the ASA will switch back to sending requests to this ACS server first?
Best regards,
Zhongyu Huang
11-23-2011 01:39 AM
hostname(config-aaa-server-group)# reactivation-mode timed
When you use this command in addition to your aaa command, then in case your PRIMARY RADIUS server goes down, the ASA switches over to the SECONDARY RADIUS server. The timed keyword will help by checking the status of the PRIMARY server every 30 seconds, and that would not be transparent to the end user.
Regards,
Jatin
-Do rate helpful request.
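Putting the three steps from the first reply (server group, max-failed-attempts, reactivation-mode) together with the reactivation-mode timed setting from the second reply, here is an added ASA configuration example. It is not from the thread or from Cisco documentation; the group names ACS-TACACS and ACS-RADIUS, the addresses 10.1.1.11 and 10.1.1.12, the interface name inside, and the key placeholders are all assumed values you would replace with your own.

```cisco
! Added example, not from the original thread. All names, addresses
! and keys below are placeholders.
!
! TACACS+ group for CLI/management access: primary server first, then backup.
aaa-server ACS-TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server ACS-TACACS (inside) host 10.1.1.11
 key TACACS-KEY-PRIMARY-PLACEHOLDER
 timeout 5
aaa-server ACS-TACACS (inside) host 10.1.1.12
 key TACACS-KEY-BACKUP-PLACEHOLDER
 timeout 5
!
! RADIUS group for network (VPN) access, same two ACS hosts.
aaa-server ACS-RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode timed
aaa-server ACS-RADIUS (inside) host 10.1.1.11
 key RADIUS-KEY-PRIMARY-PLACEHOLDER
 timeout 5
aaa-server ACS-RADIUS (inside) host 10.1.1.12
 key RADIUS-KEY-BACKUP-PLACEHOLDER
 timeout 5
!
! Management authentication through the TACACS+ group, with LOCAL as the
! fallback so an admin is not locked out if both ACS servers are unreachable.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication http console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
```

The per-host timeout is set to 5 seconds explicitly so that the 5 s x 3 attempts = 15 s failover arithmetic from the reply holds; with reactivation-mode timed, the failed primary is retried after 30 seconds, which answers both follow-up questions (the ASA skips a server currently marked FAILED, and returns to the primary once it is marked ACTIVE again). The LOCAL fallback applies only to management authentication, so keep a strong local admin account for exactly this case. To check the state and test the path without waiting for a real outage, use show aaa-server ACS-TACACS (server state ACTIVE or FAILED) and test aaa-server authentication ACS-TACACS host 10.1.1.11 username <user> password <password>.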
11-23-2011 06:48 PM
Hi sir ,
That is very kind of you, thank you so much again!
Best regards,
Zhongyu Huang
05-08-2013 03:17 AM
A little bit more explanation for you.
https://supportforums.cisco.com/message/3931298#3931298
Jatin Katyal
- Do rate helpful posts -