Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
992
Views
0
Helpful
1
Replies

ACS 5.x Secondary instance authentication with RSA replica.. process?

davebornack
Level 1
Level 1

‎11-04-2010 10:38 AM - edited ‎03-10-2019 05:33 PM

Hey all..

I currently have an ACS 5.x (5.2) install at 2 sites that is working properly for the most part.

What I think I want to do, is have my primary ACS and RSA servers at one site, and the replicas at a 2nd site.  This is currently setup and working.  The ACS instances look like they're replicating properly, as well as the RSA instances.

My question, is how does ACS handle failovers?  If I lose connectivity from Site 1 to Site 2, how will ACS/RSA work locally for authentications at Site 2?

I would think that a device should be able to hit the ACS server locally (this would be the secondary instance), and the ACS server would then contact the RSA server to authenticate the user.  But because the configured RSA server is at Site 1, it won't be able to.  So I add a second RSA server under RSA Servers, then add that to the Identity store sequence, therefore, ACS will try to contact the Primary RSA first, fail, then try the 2nd RSA server?

I'm not sure if I'm being clear or not..   if not, please ask some questions and I'll try to be specific as possible.

I guess my main problem is understanding how this failover will work.

ACS 5.2

RSA 7.x

Thanks!

Labels:
0 Helpful
1 Reply 1

jrabinow
Level 7
Level 7

‎11-04-2010 02:18 PM

You can only add one "instance" of a RSA but this constutes an RSA realm. The RSA realm can consist of muliple RSA servers. Each ACS instance includes an RSA agent instance which can contact multiple servers in the RSA realm, maintains status of each of the servers it is connecting to and can take configuration files that define load balancing configuration

In this situation, all the RSA related configuration forload balancing/redundancy is performed on the RSA servers and upload to the ACS servers. I am not familiar with the details with the specific details of the RSA related configuration but can provide a reference:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1135081

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents