RE: windows ACS v4.1 High Availability [7:131675] posted 06/26/2008
- Subject: RE: windows ACS v4.1 High Availability [7:131675]
- From: "Michael Witte" <mwitte@xxxxxxxxxxxxxxx>
- Date: Thu, 26 Jun 2008 09:31:01 -0400
I guess you are not using this to authenticate user workstations then in
a dot1x/radius scenario. Sounds like you are going to do a primary
authentication on your ACS, then do a secondary with RSA. This is
similar to what we do for access to our network devices. If this is the
case, the main ACS server will have everyone's password, and as long as
the secondary ACS is set up as a replication partner and set to receive
the user and group database, it will have an exact copy of the primary. You
could set up replication to be scheduled also, but as long as the user
database is fairly stable and doesn't change much, a simple replication
push from the primary when you make a change should do the trick.
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Sent: Thursday, June 26, 2008 3:52 AM
Subject: Re: windows ACS v4.1 High Availability [7:131675]
Actually the setup is a little complicated: I have more than 500 users,
integrated with SecurID (RSA) for strong authentication.
Frankly speaking, I don't understand how two ACSs will have a typical
database; in case the primary fails, the secondary will take over. What is the
mechanism to replicate the DB in a dynamic way!!! How do I deploy it!!
Appreciate your understanding....
On Thu, Jun 26, 2008 at 3:27 AM, Michael Witte
> There is no primary/secondary. There are replication partners between
> ACS servers which can be send only, receive only, or send and receive.
> I would recommend setting one ACS server as primary and setting it to send
> only. Any other ACS server would be set to receive only. In your
> configs, list the primary first. ACS is more than powerful enough to do
> many authentications at once. What is the size of the user base you want to
> authenticate via RADIUS and TACACS?
> aaa group server radius RadiusServers
> server 10.1.1.1 auth-port 1812 acct-port 1813
> server 10.1.1.2 auth-port 1812 acct-port 1813
> aaa group server tacacs+ TACACSServers
> server 10.1.1.1
> server 10.1.1.2
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf
> Sent: Wednesday, June 25, 2008 4:34 PM
> To: cisco@xxxxxxxxxxxxxx
> Subject: Re: windows ACS v4.1 High Availability [7:131675]
> Hi Michael,
> This is great. Could you please provide me more technical details on how to
> configure ACS in primary/secondary mode? If you have any helpful
> will be perfect.
> I'm confused and don't know where to start!!!!
> Thanks in advance..
> On Wed, Jun 25, 2008 at 11:24 PM, Michael Witte
> > This is what we have
> > 1) 1 primary ACS 4.1 server. This server has all TACACS and wired
> > (802.1x) accounts on it. This is needed since we do dynamic VLANs, so
> > users have to be consistent across all ACS servers. This server
> > replicates to all others. When you replicate, you wipe out whatever is
> > being replicated to, so it must be one way only (users, groups, and
> > devices get replaced).
> > 2) 5 other ACS servers that are replication partners. These are
> > RECEIVE only.
> > 3) All network devices use the primary TACACS server with one of the
> > others as a backup.
> > 4) All switches that need to use wired 802.1x use the primary. This is
> > necessary because if a new user is dynamically learned through dot1x on
> > one of the secondary servers, they will be wiped out during a
> > replication. This is not too big a deal unless that user has dynamic
> > VLANs.
> > 5) All wireless 802.1x go to one of the secondary servers since we
> > cannot do dynamic VLANs. Obviously everything has a backup server
> > configured for TACACS and RADIUS.
> > This supports 1500 users with about 200 wireless users with no
> > and quite a few of them are across a 70ms WAN being authenticated.
> > Basically the secondary servers are not used that much, really just for
> > wireless and if the primary goes down.
> > -----Original Message-----
> > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf
> > Mr.Cipher
> > Sent: Wednesday, June 25, 2008 3:28 PM
> > To: cisco@xxxxxxxxxxxxxx
> > Subject: windows ACS v4.1 High Availability [7:131675]
> > Hello Guys,
> > I have 2 Windows ACSs running v4.1. I'm willing to configure
> > between them, active/standby mode.
> > Has anybody here done the same before!! Please share with me the
> > steps to get it working..
> > Appreciate any helpful comments..
> > Regards,
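The switch-side configuration Michael's snippet implies, written out in full as an added example (this is not from the thread or from Cisco documentation). It uses the two ACS addresses from his snippet, 10.1.1.1 as the primary listed first and 10.1.1.2 as the receive-only replica; the shared secrets and the local fallback account are placeholders. The two things the thread leaves implicit are shown: dead-server timers so the switch stops waiting on a failed primary, and a local account after the server group so that losing both ACS servers at once does not lock administrators out of the devices.

```ios
! Added example, not from the thread. Primary ACS 10.1.1.1 is listed
! first, replica 10.1.1.2 second. Shared secrets are placeholders.
aaa new-model
!
! Define each server once; the key is the shared secret configured for
! this switch under Network Configuration on the ACS.
tacacs-server host 10.1.1.1 key PRIMARY_TACACS_SECRET
tacacs-server host 10.1.1.2 key SECONDARY_TACACS_SECRET
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key PRIMARY_RADIUS_SECRET
radius-server host 10.1.1.2 auth-port 1812 acct-port 1813 key SECONDARY_RADIUS_SECRET
!
! Give up on a server after 5 seconds and mark it dead for 10 minutes,
! so a failed primary is skipped instead of delaying every login.
radius-server timeout 5
radius-server deadtime 10
tacacs-server timeout 5
!
! Server groups: the first entry is tried first, the second only when
! the first times out or is marked dead.
aaa group server tacacs+ TACACSServers
 server 10.1.1.1
 server 10.1.1.2
aaa group server radius RadiusServers
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.1.1.2 auth-port 1812 acct-port 1813
!
! Device administration over TACACS+. "local" is consulted only when the
! whole group is unreachable, not when ACS rejects the login, so it is a
! safety net rather than a bypass.
username admin privilege 15 secret LOCAL_FALLBACK_PASSWORD
aaa authentication login default group TACACSServers local
aaa authorization exec default group TACACSServers local
aaa accounting exec default start-stop group TACACSServers
!
! Wired 802.1x goes to the RADIUS group with the primary first, as the
! thread recommends for ports that rely on dynamic VLAN assignment;
! network authorization is what lets ACS push the VLAN attributes.
aaa authentication dot1x default group RadiusServers
aaa authorization network default group RadiusServers
dot1x system-auth-control
```

After replication has run, the same test account should authenticate against either server; `test aaa group TACACSServers <user> <password> legacy` from the switch exercises the group in order and shows which server answered, which is the quickest way to confirm that the replica really holds the copied accounts before relying on it as the backup.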
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html