11-11-2004 09:54 AM
Hi,
Could someone please let me know a few things about a backup server using CiscoSecure ACS Release 3.2(3) Build 11. I have configured the primary server with the following commands:
radius-server host 10.0.2.51 auth-port 1645 acct-port 1646 retransmit 2
radius-server host 10.0.2.13 auth-port 1645 acct-port 1646
My 1st question is: if the primary goes down, is this the correct setting for the secondary to take charge? 2nd question: if the server goes down, will the local account users go down also, or will the secondary server keep them on? We are going to test, but I wanted to make sure that the settings were correct for handing the authentication over. Thanks
11-11-2004 02:07 PM
My understanding is that the router tries the radius servers in the order they are listed in the config.
When you use AAA, you will get one of three replies for authentication:
pass
fail
error
Pass and fail are the end of the road; if you get one of those two responses, it won't try any other methods. If you get error, it will then roll over to the second radius server. If the second radius server errors out as well, and you have "local" set up as an option in your aaa authentication commands, something like (aaa authentication ppp default radius local), then the router will try the local database.
Since I haven't set that up for at least a year, you might want to watch this happen; use the following debugs when you stop the services on the aaa servers.
debug radius
debug aaa authentication
Good luck and let me know,
Mike
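The rollover order described in the reply above, as a small Python model. This is an added example, not part of the original thread and not Cisco code. The user names and passwords are constructed, and a server that never answers is collapsed into a single "error" reply.

```python
import hmac
from enum import Enum

class Reply(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"  # server never answered (timeouts and retransmits used up)

def radius_server(users, up=True):
    """Constructed stand-in for one ACS box: answers PASS/FAIL, or ERROR if down."""
    def query(user, password):
        if not up:
            return Reply.ERROR
        stored = users.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        return Reply.PASS if ok else Reply.FAIL
    return query

def authenticate(user, password, servers, local_users=None):
    """Walk the method list: RADIUS hosts in config order, then local if configured.
    Returns (reply, source), source being the host or database that decided."""
    for host, query in servers:
        reply = query(user, password)
        if reply is not Reply.ERROR:
            return reply, host  # pass and fail are final: nothing else is tried
    if local_users is None:
        return Reply.ERROR, None  # every server errored and no "local" method
    stored = local_users.get(user)
    ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    return (Reply.PASS if ok else Reply.FAIL), "local"

# Constructed sample data; only the two host addresses come from the thread.
ACS_USERS = {"alice": "acs-pw"}
LOCAL_USERS = {"admin": "local-pw"}

def method_list(primary_up, secondary_up):
    return [("10.0.2.51", radius_server(ACS_USERS, primary_up)),
            ("10.0.2.13", radius_server(ACS_USERS, secondary_up))]

if __name__ == "__main__":
    for p_up, s_up in [(True, True), (False, True), (False, False)]:
        for user, pw in [("alice", "acs-pw"), ("admin", "local-pw")]:
            reply, src = authenticate(user, pw, method_list(p_up, s_up), LOCAL_USERS)
            print(f"primary_up={p_up} secondary_up={s_up} {user}: {reply.value} from {src}")
```

In this model a local-only account is rejected for as long as either RADIUS server is answering, because a "fail" from a live server ends the method list before the local database is consulted.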
11-11-2004 03:14 PM
Mike,
Thank you for your suggestion. Me and the other engineer will be trying this out hopefully within the next few days. (If I can slow him down) I'll be sure to keep you posted.
Thanks
lofsfaith