GroupStudy.com - A virtual community of network engineers
RE: windows ACS v4.1 High Availability [7:131675] posted 06/26/2008


I guess you are not using this to authenticate user workstations then in
a dot1x/radius scenario. Sounds like you are going to do a primary
authentication on your ACS, then do a secondary with RSA. This is
similar to what we do for access to our network devices. If this is the
case, the main ACS server will have everyone's password, and as long as
the secondary ACS is set up as a replication partner and set to receive
the user and group database, it will have an exact copy of the primary.
You could set up replication to be scheduled also, but as long as the
user database is fairly stable and doesn't change much, a simple
replication push from the primary when you make a change should do the
trick.

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Mr.Cipher
Sent: Thursday, June 26, 2008 3:52 AM
To: cisco@xxxxxxxxxxxxxx
Subject: Re: windows ACS v4.1 High Availability [7:131675]

Hello Michael,

Actually the setup is a little complicated. I have more than 500 users,
and ACS is integrated with SecurID (RSA) for strong authentication.

Frankly speaking, I don't understand how two ACSs will have an identical
database so that, in case the primary fails, the secondary takes over.
What is the mechanism for replicating the DB dynamically? How do I
deploy it?

I appreciate your understanding.




On Thu, Jun 26, 2008 at 3:27 AM, Michael Witte 
wrote:

> There is no primary/secondary. There are replication partners between
> ACS servers which can be send only, receive only, or send and receive. I
> would recommend setting one ACS server as primary and setting it to send
> only. Any other ACS server would be set to receive only. In your router
> configs, list the primary first. ACS is more than powerful enough to do
> many authentications at once. How many users do you want to
> authenticate via RADIUS and TACACS?
>
>
> aaa group server radius RadiusServers
>  server 10.1.1.1 auth-port 1812 acct-port 1813
>  server 10.1.1.2 auth-port 1812 acct-port 1813
> exit
>
> aaa group server tacacs+ TACACSServers
>  server 10.1.1.1
>  server 10.1.1.2
> exit
>
>
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> Mr.Cipher
> Sent: Wednesday, June 25, 2008 4:34 PM
> To: cisco@xxxxxxxxxxxxxx
> Subject: Re: windows ACS v4.1 High Availability [7:131675]
>
> Hi Michael,
>
> This is great. Could you please provide me with more technical details on
> how to configure ACS in primary/secondary mode? If you have any helpful
> document, that would be perfect.
>
> I'm confused and don't know where to start!
> Thanks in advance.
> On Wed, Jun 25, 2008 at 11:24 PM, Michael Witte
> wrote:
>
> > This is what we have:
> > 1) 1 primary ACS 4.1 server. This server has all TACACS and wired
> > RADIUS (802.1x) accounts on it. This is needed since we do dynamic
> > VLANs, so the users have to be consistent across all ACS servers. This
> > server replicates to all others. When you replicate, you wipe out
> > whatever is being replicated to, so it must be one way only (users,
> > groups, and network devices get replaced).
> > 2) 5 other ACS servers that are replication partners. These are set up
> > to RECEIVE only.
> > 3) All network devices use the primary TACACS server with one of the 5
> > others as a backup.
> > 4) All switches that need to use wired 802.1x use the primary. This is
> > necessary because if a new user is dynamically learned through dot1x on
> > one of the secondary servers, they will be wiped out during a
> > replication. This is not too big a deal unless that user has dynamic
> > VLANs.
> > 5) All wireless 802.1x go to one of the secondary servers since we
> > cannot do dynamic VLANs. Obviously everything has a backup server
> > configured for TACACS and RADIUS.
> >
> > This supports 1500 users with about 200 wireless users with no
> > problems, and quite a few of them are across a 70ms WAN being
> > authenticated. Basically the secondary servers are not used that much,
> > really just for wireless and if the primary goes down.
> >
> > -----Original Message-----
> > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> > Mr.Cipher
> > Sent: Wednesday, June 25, 2008 3:28 PM
> > To: cisco@xxxxxxxxxxxxxx
> > Subject: windows ACS v4.1 High Availability [7:131675]
> >
> > Hello Guys,
> >
> > I have 2 Windows ACSs running v4.1, and I'm willing to configure
> > redundancy between them in active/standby mode.
> >
> > Has anybody here done the same before? Please share with me the
> > required steps to get it working.
> >
> > I appreciate any helpful comments.
> >
> > Regards,
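As an added worked example, not taken from any of the posts in this thread: a fuller IOS AAA configuration built around the two server groups Michael posted, with the primary ACS listed first in each group so it is tried first, dead-server detection so a switch stops waiting on a failed primary, the network authorization method that dynamic VLAN assignment needs, and a local account as a last resort when no ACS answers. The addresses, shared keys, group names, Loopback0 and the fallback username are placeholders chosen for the example.

```cisco
! Added example, not from any post in this thread: IOS AAA configuration
! built around the two server groups above. The primary ACS (10.1.1.1) is
! listed first in each group so it is tried first; the secondary
! (10.1.1.2) takes over when the primary stops answering. Addresses,
! keys, group names, Loopback0 and the fallback user are placeholders.
aaa new-model
!
! Source all AAA traffic from one address so both ACS servers can hold a
! single AAA-client entry per device (the primary replicates that entry).
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! TACACS+ for device administration. Keys are placeholders.
tacacs-server host 10.1.1.1 key ACS_TACACS_KEY
tacacs-server host 10.1.1.2 key ACS_TACACS_KEY
tacacs-server timeout 5
!
! RADIUS for 802.1x. timeout/retransmit bound how long a failed primary
! delays each login; deadtime (minutes) skips a server marked dead so
! later requests go straight to the secondary instead of timing out again.
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key ACS_RADIUS_KEY
radius-server host 10.1.1.2 auth-port 1812 acct-port 1813 key ACS_RADIUS_KEY
radius-server timeout 5
radius-server retransmit 2
radius-server deadtime 10
!
aaa group server tacacs+ TACACSServers
 server 10.1.1.1
 server 10.1.1.2
!
aaa group server radius RadiusServers
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.1.1.2 auth-port 1812 acct-port 1813
!
! Secondary-only group, used just for "test aaa group" checks so the
! replica can be exercised while the primary is still in service.
aaa group server radius SecondaryOnly
 server 10.1.1.2 auth-port 1812 acct-port 1813
!
! Device login: primary, then secondary, then the local account below if
! neither ACS is reachable.
aaa authentication login default group TACACSServers local
aaa authentication enable default group TACACSServers enable
aaa authorization exec default group TACACSServers local
aaa authorization commands 15 default group TACACSServers local
aaa accounting exec default start-stop group TACACSServers
aaa accounting commands 15 default start-stop group TACACSServers
!
! 802.1x: "authorization network" is what lets the switch apply the
! VLAN attributes ACS returns, i.e. the dynamic VLANs discussed above.
aaa authentication dot1x default group RadiusServers
aaa authorization network default group RadiusServers
aaa accounting dot1x default start-stop group RadiusServers
dot1x system-auth-control
!
! Local fallback account, used only when every ACS server is dead.
username fallback privilege 15 secret CHANGE_ME
```

From enable mode, `test aaa group SecondaryOnly <user> <password> new-code` sends a real Access-Request to the secondary alone, so after a replication push you can confirm that a given account is accepted by the replica before depending on it; `test aaa group RadiusServers ...` exercises the normal primary-first path. The `local` keyword in the login methods is consulted only when no server in the group answers, not when ACS rejects the user, so it does not weaken the ACS decision; it only covers the case where both servers are unreachable.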




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=131694&t=131675
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html