Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ACS 5.x Secondary instance authentication with RSA replica.. process?

Hey all..

I currently have an ACS 5.x (5.2) install at 2 sites that is working properly for the most part.

What I think I want to do, is have my primary ACS and RSA servers at one site, and the replicas at a 2nd site.  This is currently setup and working.  The ACS instances look like they're replicating properly, as well as the RSA instances.

My question, is how does ACS handle failovers?  If I lose connectivity from Site 1 to Site 2, how will ACS/RSA work locally for authentications at Site 2?

I would think that a device should be able to hit the ACS server locally (this would be the secondary instance), and the ACS server would then contact the RSA server to authenticate the user.  But because the configured RSA server is at Site 1, it won't be able to.  So I add a second RSA server under RSA Servers, then add that to the Identity store sequence, therefore, ACS will try to contact the Primary RSA first, fail, then try the 2nd RSA server?

I'm not sure if I'm being clear or not..   if not, please ask some questions and I'll try to be specific as possible.

I guess my main problem is understanding how this failover will work.

ACS 5.2

RSA 7.x


Rising star

Re: ACS 5.x Secondary instance authentication with RSA replica..

You can only add one "instance" of a RSA but this constutes an RSA realm. The RSA realm can consist of muliple RSA servers. Each ACS instance includes an RSA agent instance which can contact multiple servers in the RSA realm, maintains status of each of the servers it is connecting to and can take configuration files that define load balancing configuration

In this situation, all the RSA related configuration forload balancing/redundancy is performed on the RSA servers and upload to the ACS servers. I am not familiar with the details with the specific details of the RSA related configuration but can provide a reference: