Two standalone ACS for TACacs authentication

Dear All,
I am having a network consists of some 30 routers and I have 2 ACS 5.3 appliances.
I am planing to configure the acs (a,b) boxes in the standalone mode .
and i want to configure both the acs as the TACACS server in all my routers
with ACS A as the primary in some routers and ACS B as the primary in some routers.
and there is no configuration sync between the ACS boxes.
Does this setup will have any issue in authentication in case if any of the acs fails ....
thanks in advance ...
Selva

There will be no issue, unless the configuration is not same. My personal opinion distributed deployment is the best method if you are planning to keep more than one ACS with in a domain.

Similar Messages

  • Synchronizing DB/Config between two standalone ACS, v5.4

    Hello.
    I'm in process of migrating a clients' ACS from 4.2 to 5.4. With 4.2, they have it set up so that two standalone ACS servers (one in US, one in UK) will replicate database and configuration information. They are not configured as a primary/secondary setup.
    For instance, any devices in the  Data Center in UK will reference the UK ACS server first, US second. In the US, it is the opposite. Any configuration changes are generally made on the US side which then replicates to the UK side.
    Is this situation possible in 5.4? I want to avoid users in the UK having to authenticate to the US server and vice-versa unless their local ACS is down.
    Hopefully that makes sense. If it doesn't, let me know.

    I'm looking for a method to replicate the content of a database from one standalone ACS to another. I am not looking for a failover solution.
    The difference is that I want UK people to authenticate to the UK server first, and I want US people to authenticate to the US server first.
    Does that make sense, or am I just not understanding something?

  • Problem setting 7606 router for TACACS+ authentication

    Hello Support Community,
    I have two Cisco 7606 routers which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
    I use the two servers to authenticate many other Cisco devices in the network they are working fine.
    I can reach the servers from the vrf and the source interface in use. I can also telnet port 49 if the servers from the source interface and the vrf.
    The server key is hidden but at the time of configuration, I can ascertain that it's correct.
    The problem is that after confuring for TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
    Please study the outputs below and help point out what I may need to change.
    PS: I have tried out many other combinations, including deprecated ones without success including the method suggested in this page;
    http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
    Please help I'm stuck.
    ROUTER#sh running-config | sec aaa
    aaa new-model
    aaa group server tacacs+ admin
    server name admin
    server name admin1
    ip vrf forwarding OAM
    ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    aaa session-id common
    ROUTER#sh running-config | sec tacacs
    aaa group server tacacs+ admin
    server name admin
    server name admin1
    ip vrf forwarding OAM
    ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    tacacs server admin
    address ipv4 1.1.1.1
    key 7 XXXXXXXXXXXXXXXXXXXX
    tacacs server admin1
    address ipv4 2.2.2.2
    key 7 XXXXXXXXXXXXXXXXxxxx
    line vty 0 4
    login authentication admin
    ROUTER#sh tacacs
    Tacacs+ Server -  public  :
                   Server name: admin
                Server address: 1.1.1.1
                   Server port: 49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0
    Tacacs+ Server -  public  :
                   Server name: admin1
                Server address: 2.2.2.2
                   Server port: 49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0
    Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f 
    Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    ROUTER#sh ver
    Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Fri 30-Mar-12 08:34 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
    BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
    ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
    Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
    System returned to ROM by reload (SP by reload)
    System restarted at 20:00:59 UTC Wed Aug 28 2013
    System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
    Last reload type: Normal Reload
    Last reload reason: power-on
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
    Processor board ID FOX1623G61B
    BASEBOARD: RSP720
    CPU: MPC8548_E, Version: 2.1, (0x80390021)
    CORE: E500, Version: 2.2, (0x80210022)
    CPU:1200MHz, CCB:400MHz, DDR:200MHz,
    L1:    D-cache 32 kB enabled
            I-cache 32 kB enabled
    Last reset from power-on
    3 Virtual Ethernet interfaces
    76 Gigabit Ethernet interfaces
    8 Ten Gigabit Ethernet interfaces
    3964K bytes of non-volatile configuration memory.
    500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
    Configuration register is 0x2102

    In order to resolve this issue. Please replace the below listed command
    aaa authentication login admin group tacacs+ local enable
    with;
    aaa authentication login default group admin local enable
    You defined the server group name as method list and instead of using admin as a server-group, you used tacacs+
    Note: Please ensure you have local user and enable password configured in case of tacacs server unreachable.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ACS for Unix authentication

    My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
    Basically the authentication will be all for the servers and routers ofcourse. I am thinking if I specifies windows AD in ACS config,  Can I get the unix boxes to get authenticated against Radius?
    Any help will be appreciated.
    Manny

    Hi,
    Authentication of unix servers  via ACS over radius protocol can be achiveable,check out the below link client end configuration needs to be done for radius authentication
    Hope that helps out your query !!
    http://www.ibm.com/developerworks/library/l-radius/
    Regards
    Ganesh.H

  • ACS for Device authentication

    Hello
    I am looking to deploy a NAC device in our office and currently have an ACS server that handles wireless authentication.
    I would like to know if the ACS is capable of authenticating users on a LAN with both 802.1x and device detection (such as MAC address and ID)?
    If I can do the latter how do you set that up on an ACS?
    Thanks in advance
    Paul

    So my answer is correct ...
    ACS is an authentication server. It can authenticate devices.
    NAC Profiler, that is now replaced with ISE Profiling Engine, analyzes real-time the behavior of devices to identify them. ACS will use that as a device database.
    If using ISE, you only need ISE, it profiles and authenticates as well (it combines ACS+Profiler+other services).
    What you seem to be uncomfortable with is the way the Profiling works, I would suggest you to read Profiler or ISE documentation to know more about it.
    It identifies a device through his behavior. Then it authorizes the mac address. You are forced to trust on a mac address basis because the system is made for non-802.1x devices so you can't "talk" to the device or assign it any ID or whatever.
    However, it's not a static list of mac address. The mac address is allowed only if it's online and it corresponds to an allowed type of device.
    It can for example differentiate a phone, from an XBOX, from a laptop by looking at the fields of the DHCP request of the device, etc ... it can also do polling on the switch to check for CDP information etc ...

  • Using ACS for Cisco Prime authentication

    I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
    Any pointers?

    The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
    Administration > AAA > TACACS+ Servers > add tacacs server.
    Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
    The bulk of the configuration is on the authentication server side, particularly indefining groups, services and authorization tasks.  This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
    "Configuring ACS 4.x"
    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
    https://supportforums.cisco.com/docs/DOC-17909
    In case it doesn't work, please get the logs from the ACS reports and monirtoring for tacacs authentication and error message while accessing cisco prime.
    Jatin Katyal
    - Do rate helpful posts -

  • Confgiure router to use particular interface IP add.for TACACS+ authenticat

    How to confgiure router to use particular interface's IP address for all comunications with ACS server for TACACS+ authentication.
    Thanks a lot...

    Use the command:
    ip tacacs source-interface

  • Tacacs authentication fails for one user account for only one switch

    Hi,
    I am having an scenario, where as Tacacs authentication fails for one user account for only one switch.
    The same user account works well for other devices.
    The AAA configs are same on every devices in the network.
    Heres the show tacacs output from the switch where only one user account fails;
                  Socket opens:        157
                 Socket closes:        156
                 Socket aborts:        303
                 Socket errors:          1
               Socket Timeouts:          2
       Failed Connect Attempts:          0
            Total Packets Sent:       1703
            Total Packets Recv:       1243
              Expected Replies:          0
    What could be the reason ?
    No errors on ACS server; same rights had been given to the user account.
    Thanks to advise.
    Prasey

    Hi there,
    Does the user get authenticated in the ACS logs?
    reports and activity----> failed attempts
    ro
    reports and activity----->  passed authentications
    That will help narrow it down.
    Brad

  • TACACS+ Authentication For Cisco NAM

    Hi All,
    I have an cisco ACS v5.1 and also a cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1 however when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
    For your information, I have no problem with others equipment TACACS+ authentication with the same ACS.
    Please advise.
    Thks and Rgds

    Steven
    I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
    If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
    HTH
    Rick

  • Configure Nexus 7k for TACACS in Cisco ACS

    Hi,
    Please advise on how to configure Cisco Nexus 7k for TACACS to authenticate in Cisco ACS. Our Cisco ACS is getting users from the Active
    Directory.
    Please advise if the below config are acceptable:
    feature tacacs+
    tacacs-server key KEY
    tacacs-server timeout 20
    tacacs-server host 1.1.1.1 key KEY
    aaa group server tacacs+ TEST
        server 1.1.1.1
        use-vrf management
        source-interface mgmt0
    tacacs-server directed-request
    aaa authentication login default group TEST
    aaa authentication login console none
    aaa authorization commands default group TEST
    aaa accounting default group TEST
    aaa authentication login error-enable

    Hi,
    What OS version are u using on your servers?
    Craig

  • Authentication providers for TACACS+ and RADIUS

    Does anyone supply WLS 8.1 authentication providers for TACACS+ and/or
    RADIUS?
    Ben

    So in the ACS network config you add 2 NASes (or should that be NASi?)
    One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.
    Assuming you a have at least 1 user in say, the default group (acs group 0) you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)
    RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.
    With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)
    Suggest you first take time to scan through the ACS docs.

  • ACS SE setup for windows authentication

    Dear All,
    I'm trying to install an ACS Solution Engine in My network for access control (AAA). I succeed in setting up authentication using the internal database and that works fine. Now My boss want users to be authenticated through an external database (windows AD). I tried achieving this but kept getting different errors.(like EAP-TLS or PEAP authentication failed during SSL handshake) or (Authen session timed out: Challenge not provided by client).
    Please I need someone who has done this setup successfully before to give Me a step by step procedure on how I can setup ACS SE for windows authentication using My domain windows authentication.
    Thanks

    Dear All,I'm
    trying to install an ACS Solution Engine in My network for access
    control (AAA). I succeed in setting up authentication using the
    internal database and that works fine. Now My boss want users to be
    authenticated through an external database (windows AD). I tried
    achieving this but kept getting different errors.(like EAP-TLS or PEAP
    authentication failed during SSL handshake) or (Authen session timed
    out: Challenge not provided by client).Please
    I need someone who has done this setup successfully before to give Me a
    step by step procedure on how I can setup ACS SE for windows
    authentication using My domain windows authentication.Thanks
    Hi,
    Check out the belwo link on your query,Hope that help !!
    https://supportforums.cisco.com/docs/DOC-5542
    If helpful do rate
    Ganesh.H

  • How to add a switch to acs for login and ads authentication

    Hi all
    I want to add my switch so that it authenticates to my acs for login auth, I have done the switch end, using radius, also added the switch on the acs, how do I force the acs to use windows auth for this login?  do i just go under the network config where the device is and tick the box saying use windows database for authentication, and then do a group mapping ?
    cheers

    Hi,
    Easiest way is to download the table eg into an Excel table (if possible) or text table. Drop the table from the database. Build your table with the new key field. Build the database table again and fill it.
    You can do it also over the database into a new table. Drop the old one. Build the enhanced one and fill it. Afterwards drop your (temporary) table.
    Maybe there are other ways, but this works.
    Success,
    Rob

  • Software to test RADIUS/TACACS authentication to ACS server

    Hi experts,
    Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
    Thanks in advance!

    If you look in the ACS utils folder you'll see radtest and tactest.exe
    These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
    I think Vasco (token card vendor) had a really nice GUI based RADIUS client too.
    Darran

  • ACS 5.1 Authentication against AD problem

    I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44.  We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one my colleagues.  His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server.  Several other users have changed their passwords in AD and have not encountered this problem.
    ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
    I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
    The only difference between the two ACS servers are that they are querying different AD servers.  I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning.  I've also restarted the services and cold started the ACS virtual machine to no effect.  I have yet to try clearing the AD configuration and re-entering it.
    show logging application acs reveals the following:
    ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
    ying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
    led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Tr
    ying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has fai
    led due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change
    password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
    I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
    Any ideas on what might be the cause, and how I can fix this?
    Thanks!

    Hello,
    It is complicated to explain this rule but hopelly you will understand.
    I suggest you to do an identity store sequence that will point to the AD and RSA. this is like the user unknow policy in ACS 4.x
    Once this is done you can create 2 authorization policies 1 based on RSA authentication and another based on AD authentication.
    To give you a better clear example is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultanuos authentication.
    Regards,
    Sebastian Aguirre

Maybe you are looking for

  • Error only in PDF report generation not HTML

    The same report exports fine in HTML. This only happens when exporting a PDF report: com.crystaldecisions.sdk.occa.report.lib.ReportSDKException: 26---- Error code:-2147467259 Error code name:failed The application was developed by our developer team

  • Changing a linechart background color upon a chartitem selection

    hello guys, I am displaying multiple lines vertically in a linechart. User can make a rectangular selection on chartitems. I want to change the linechart background color of the selected region only. So if user selects multiple region then I will be

  • Can I connect my iPad to epson emp-x3 projector?

    I have a keynote presentation on my iPad and an Epson Emp-X3 LCD projector.  How do I connect the two to show the presentation?

  • Transitions between split clips don't work properly

    If I split a clip in the project area, then put a transition between the two new clips, the transition doesn't work properly. It is most obvious with the Cross Dissolve, which doesn't work at all. Some of the others sort of look like they are working

  • Ynab for mac?

    what is the latest on financial software for Mac 10.8? how does 'you need a budget' stand up? Deb