RE: ACS: Submit vs Submit & Restart posted 11/21/2006

Hey Nick,


Thanks for your reply.


What you say about submit & restart is true but I knew that part.  What I
was hoping to find out was the "under the hood" part. IOW, the why behind
sometimes submit is sufficient while at other times submit & restart is
required.  I suspect it has to do with the database and its proper operation
but that's just a guess.


Regarding the single-connection:  That's a completely different issue.
That's for the situation where there are, for example, multiple users that
need to be authenticated.  If you config single-connection, then the AAA
client will use ONE TCP connection to the AAA server for all the users
instead of an individual TCP connection for each user.


That has nothing to do with the issue of configuring Authentication on one
ACS and Authorization on a different ACS server.


Thanks again, Tim



From: Nick Garner [mailto:nwgarner@xxxxxxxxx] 
Sent: Tuesday, November 21, 2006 1:44 PM
To: Tim
Cc: security@xxxxxxxxxxxxxx; ccielab@xxxxxxxxxxxxxx
Subject: Re: ACS: Submit vs Submit & Restart


Usually, if the submit&restart option is available it is required for the
changes you have made to take effect.  Usually meaning always... I have
never hit submit when submit&restart is available and not seen this message:

The current configuration has been changed.  Restart  ACS in "System
Configuration:Service Control" to adopt the new settings.

As for your other question, regarding multiple servers.  I've always used
the single-connection option when defining a tacacs-server on the IOS

from :
  <> Use the
single-connection keyword to specify single-connection (only valid with
CiscoSecure Release 1.0.1 or later). Rather than have the router open and
close a TCP connection to the daemon each time it must communicate, the
single-connection option maintains a single open connection between the
router and the daemon. This is more efficient because it allows the daemon
to handle a higher number of TACACS operations.

I haven't tested multiple servers without it.  I probably should though...
I'll have to check but I believe if a device is able to reach an ACS server
it will continue to use that server for subsequent requests.  It isn't a
load balancing type of situation where it will use the first server
listed then use the next server when it needs to make another request.


On 11/21/06, Tim <ccie2be@xxxxxxxxxx> wrote:

Hi guys, 

In ACS, after entering data, it's sometimes necessary to click, Submit &
Restart but sometimes, it's not.  Why is that?

When the Submit & Restart button is clicked, what's actually Restarting? 

Thanks, Tim
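
Added example, not part of the original thread: the single-connection behaviour discussed above is negotiated per TCP connection through a flag in the 12-byte TACACS+ header (layout and flag values per RFC 8907), which stays in cleartext even when the body is obfuscated. This Python sketch decodes that header and checks whether both the AAA client and the server agreed to keep one connection open; the function names and the sample headers are constructed for illustration.

```python
import struct

# TACACS+ header constants from RFC 8907, section 4.1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def parse_header(data: bytes) -> dict:
    """Decode the fixed 12-byte TACACS+ header at the start of a packet."""
    if len(data) < HEADER.size:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != 0xC:
        raise ValueError("not a TACACS+ packet (major version must be 0xc)")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype}")
    return {
        "type": PACKET_TYPES[ptype],
        "seq_no": seq_no,
        "session_id": session_id,
        "length": length,
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
        "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
    }


def single_connection_negotiated(first_request: bytes, first_reply: bytes) -> bool:
    """True only if both ends set the flag on the first two packets of the TCP connection."""
    req, rep = parse_header(first_request), parse_header(first_reply)
    if (req["seq_no"], rep["seq_no"]) != (1, 2):
        raise ValueError("expected seq_no 1 (client) and 2 (server)")
    if req["session_id"] != rep["session_id"]:
        raise ValueError("packets belong to different sessions")
    return req["single_connect"] and rep["single_connect"]


def make_header(ptype, seq_no, flags, session_id, length=0):
    """Build a header for the constructed samples below (bodies omitted)."""
    return HEADER.pack(0xC0, ptype, seq_no, flags, session_id, length)


# Constructed sample headers, not captured traffic.
CLIENT_START = make_header(1, 1, TAC_PLUS_SINGLE_CONNECT_FLAG, 0x1A2B3C4D)
SERVER_AGREES = make_header(1, 2, TAC_PLUS_SINGLE_CONNECT_FLAG, 0x1A2B3C4D)
SERVER_DECLINES = make_header(1, 2, 0x00, 0x1A2B3C4D)
```

If the server's first reply lacks the flag, the client falls back to one TCP connection per session, which shows up in a capture as a new connection for every authentication, authorization or accounting exchange.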