ACS Primary and Secondary Scenario

sankarccie
Level 1

We have an ACS primary and secondary architecture in our datacenter. I have gone through the user guide and the implementation guide, but a few things are not clear to me:

1. If the primary ACS fails or is unreachable, does the secondary ACS authenticate the TACACS+ user, or is any manual intervention required?
2. While the primary ACS is down, can we make any configuration changes on the secondary, and will they replicate once the primary comes back?
3. When the failed primary comes back, how does the secondary (active) ACS behave? Does it automatically change back to secondary? Will the AAA logs replicate to the actual primary ACS?

Regards,

Sankar V

7 Replies

maldehne
Cisco Employee

A secondary ACS server receives all the system configuration from the primary server, except that you need to configure the following on each secondary server:

• License: install a unique base license for each of the ACS secondary servers in the deployment.

• New local certificates: you can either configure the local certificates on the secondary servers or import the local certificates from the primary server.

• Logging server: you can configure either the primary server or the secondary server to be the logging server for ACS. Cisco recommends that you configure a secondary ACS server as the logging server.

The secondary server must be activated to join the ACS environment. The administrator can either activate a secondary server or set up automatic activation. By default, activation is set to Automatic.

After the secondary server is activated, it starts receiving a full synchronization of the configuration and replication updates from the primary server.

Q1: When the primary is down, your AAA clients should already be configured to send the request to the secondary server upon no response from the primary.

Q2: You cannot make any configuration changes on the secondary.

Q3: It depends on how your AAA clients behave in such a situation, but normally they should always send the request to the primary first, so once it is back online it can reply and the failover to the secondary won't happen.

---------------------------------------------------------------------

Please make sure to rate correct answers.

Hi,

I have a project to deploy distributed ACSs (one is primary, and another is secondary). The ACS user guide isn't clear enough. I think the primary and secondary terms just mean which ACS server will be used to make config changes and sync the config to the secondary servers. It is not completely like the HA feature of other devices as we usually see it. Cisco says that the secondary ACS server is used as a backup server in case of connectivity loss between the AAA client and the primary ACS server.

For example, I have ACS-1 (the primary) and ACS-2 (secondary). On 10 devices, I configure ACS-1 as the primary RADIUS server in the first line of the radius-server host command and ACS-2 as primary in the next line of the command. The other 10 devices have ACS-2 in the first line and ACS-1 in the second. In normal operation, both ACSs can service the authentication process regardless of which one is primary or secondary. That is a split ACS deployment.
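The failover behaviour described in maldehne's Q1/Q3 answers (AAA clients try their servers strictly in configured order and fall over to the secondary only when the primary does not answer, with no load balancing) and the split deployment sketched in the post above can be made concrete with a small client-side model. The following Python is an added example for this thread, not ACS or IOS code and not written by any of the posters. It assumes IOS-style defaults (5 s timeout, 3 retransmits per server) and the IOS dead-server mechanism, in which a server that never answered is skipped for a configurable deadtime; the thread does not mention deadtime, and the server names ACS-1/ACS-2 and the up/down timeline are constructed for the example.

```python
"""Model of how a Cisco IOS-style AAA client chooses among its configured
RADIUS/TACACS+ servers.  Added illustration for this thread, not ACS or IOS
code.  Assumptions (not stated in the thread): IOS-style defaults of a 5 s
timeout and 3 retransmits per server, and the IOS dead-server mechanism,
where a server that never answered is skipped for ``deadtime`` seconds.
Server names and the up/down timeline are constructed for the example."""


class AaaClient:
    """One AAA client (switch, router, WLC) with an ordered server list.

    ``servers`` is in the order of the radius-server / tacacs-server host
    lines; the client always starts at the first non-dead entry.  Dead
    marking is per client, as on a real NAS, so a client that has marked
    a server dead skips it even if another client can reach it."""

    def __init__(self, servers, timeout=5.0, retransmit=3, deadtime=60.0):
        self.servers = list(servers)
        self.timeout = timeout
        self.retransmit = retransmit
        self.deadtime = deadtime
        self.dead_until = {name: 0.0 for name in self.servers}
        self.history = []

    def authenticate(self, now, reachable):
        """Issue one request at time ``now`` (seconds).

        ``reachable`` maps server name -> bool (does it answer right now).
        Returns (server_that_answered, seconds_spent_waiting); the server is
        None when every configured server is down or marked dead."""
        elapsed = 0.0
        for name in self.servers:
            if self.dead_until[name] > now:
                continue                       # marked dead: skipped, not tried
            if reachable.get(name, False):
                self.history.append(name)
                return name, elapsed
            # No reply: spend timeout * retransmit on it, then mark it dead
            elapsed += self.timeout * self.retransmit
            self.dead_until[name] = now + elapsed + self.deadtime
        self.history.append(None)
        return None, elapsed


def failover_scenario():
    """Q1/Q3 of the thread: ACS-1 (primary) dies, then comes back."""
    client = AaaClient(["ACS-1", "ACS-2"])
    both_up = {"ACS-1": True, "ACS-2": True}
    primary_down = {"ACS-1": False, "ACS-2": True}
    return [
        client.authenticate(0, both_up),        # ACS-1 answers at once
        client.authenticate(10, primary_down),  # 15 s of timeouts, then ACS-2
        client.authenticate(30, primary_down),  # ACS-1 marked dead: ACS-2 at once
        client.authenticate(50, both_up),       # ACS-1 back, but still dead to client
        client.authenticate(100, both_up),      # deadtime expired: back on ACS-1
    ]


def split_deployment(devices_per_group=10):
    """Split deployment from the post above: half the devices list ACS-1
    first, half list ACS-2 first.  Returns (requests served per ACS with
    both up, requests served per ACS with ACS-1 down), one request per device."""
    group_a = [AaaClient(["ACS-1", "ACS-2"]) for _ in range(devices_per_group)]
    group_b = [AaaClient(["ACS-2", "ACS-1"]) for _ in range(devices_per_group)]

    def one_request_each(reachable):
        served = {"ACS-1": 0, "ACS-2": 0}
        for client in group_a + group_b:
            name, _ = client.authenticate(0, reachable)
            if name is not None:
                served[name] += 1
        return served

    both_up = one_request_each({"ACS-1": True, "ACS-2": True})
    acs1_down = one_request_each({"ACS-1": False, "ACS-2": True})
    return both_up, acs1_down


if __name__ == "__main__":
    for who, waited in failover_scenario():
        print("answered by %-5s after %4.1f s of timeouts" % (who, waited))
    print(split_deployment())
```

Two things the model makes visible that the replies gloss over: until the client has marked the primary dead, every request pays the full timeout × retransmit wait on the primary before the secondary answers, which is why a deadtime is worth configuring; and once the primary is back, clients keep using the secondary until their own deadtime expires, so "fail back" is not instant. The model returns None when every server is down or marked dead; on a real device the AAA method list should end with a local fallback (for example `aaa authentication login default group tacacs+ local`) so that administrators are not locked out when both ACS servers are unreachable.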

If you have purchased an ACS secondary license, you tie that to a primary ACS and you can't make config changes to the secondary, only to the primary. Both can be used for AAA, though. Certificates are the only thing that isn't synced between the two, so make sure you have a certificate on the backup as well, especially if you are doing 802.1X.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Hi,

Thanks for reminding me about the certificate; my customer also uses a certificate in the 802.1X authentication process.

When making a backup with the backup command, is the certificate also backed up?

I plan the process like this:

     - Back up the config/database of the old ACS-1 server.

     - Restore the backup of ACS-1 to the new ACS-2 (ver 5.3). Then I connect the new ACS-2 to the network and unplug the old ACS-1.

     - Upgrade the OS of ACS-1 from 5.1 to 5.3 (using the upgrade bundle).

     - Change the IP/name of the new ACS-2 server, and plug the old ACS-1 server back into the network.

     - Make ACS-1 the primary and ACS-2 the secondary. ACS-2 will be the log collector, monitor and reporter.

     - Configure the AAA clients to have a backup RADIUS server with the new IP of ACS-2.

I think this process ensures I have no downtime on the customer network. What do you think, Scott?

Thanks

I cannot mark this discussion as an answered question, can I?

The ACS System Backup feature backs up the ACS user database that is relevant to ACS. The user database backup includes all user information, such as username, password and other authentication information, including server certificates and the certificate trust list.

The question here is performing a restore of an ACS 5.1 backup to ACS 5.3. I can't tell you if that will work or not. You should follow this document to be on the safe side... I guess it will not hurt you to do a backup and try to restore it on 5.3, but verify that everything is there and has successfully restored before you take down the old ACS.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_upg.html#wp1199421

Thanks,

Scott

Hi Scott,

"Can be used for AAA" means: is that something we need to configure in ACS, or will it automatically load balance the AAA requests in the distributed deployment model?

The WLC doesn't load balance RADIUS servers. Whichever is the primary RADIUS server, that's what the WLC will use, unless the primary doesn't respond, and then it moves to the next.

Thanks,

Scott
