ACS failover questions

The setup:

Two ACSs in a network, configured as primary/secondary on the devices, yet not set up as a distributed deployment; each ACS is pointed toward a different DC (Active Directory). When the primary ACS loses its connection to Active Directory, the devices continue to try to authenticate via the primary, because the ACS is still responsive but cannot actually authenticate. When the primary ACS is turned off, all the devices authenticate against the secondary just fine. Debugging confirms this.

Is there a way to configure the ACS to mark itself as "dead" when it loses connection to Active Directory so the devices will fall back on the secondary? Will distributed deployment fix this?

3 Replies

Octavian Szolga
Level 4

Hi,

What version of ACS are you running?

Usually, you're not supposed to have this issue.

The AD connector which is basically responsible for AD group membership retrieval and so on should notice that the current DC is not reachable anymore and it should contact a different DC.
The 'contact' part is a classical DNS query for a specific resource.

Usually, your DC is also your DNS server, so each ACS should have 2 DNS servers configured (with the required firewall permissions - DNS, LDAP, etc).

ACS1 would point to DC1 and DC2 (DNS) and ACS2 to DC2 and DC1. If DC1 becomes unavailable, DC2 will be the next DC to use, based on the DNS response.

(In order for ACS1 to use DC1 services, you would have to use MS Sites and Services and assign both servers to the same location)

Thanks,
Octavian

Thank you for your reply. The version of ACS is 5.7.

The thing about this setup is there is no secondary DC (I know, I know, but I didn't set this up). Each ACS is in a different location and pointing to a different DC, but only one DC. The second site is set up as more of a cold standby rather than high availability.

So my question is, given that the ACS is only pointing to one DC, if that DC goes down there is nothing stopping it from continuing to respond to devices sending authentication requests. The ACS is only aware of one DC and not aware of the other ACS. If I configured these two ACSs as a distributed deployment, would this make the primary ACS fail over to the secondary if it loses connection to the DC?

Thanks

Hi Douglas,

I don't think you can change this in any way. From the ACS perspective, the local services are all online. It's just the backend DC that's down.

Making them part of the same ACS deployment won't help (or at least this is my opinion). This would help just for central policy configuration & logging, but that's all. The NAD will decide which ACS to use.

Still, I don't think you got my point. If you're using the same AD infrastructure (different DCs that belong to the same AD infrastructure), why don't you add the DC1 IP (DNS) to ACS1 and DC2 IP (DNS) to ACS2?

If a DC is down, ACS will use DNS to find out a second DC. If you don't have a secondary DNS IP, you have nobody to ask about another DC for the same AD.

Thanks,
Octavian
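A small model of the behaviour discussed in this thread, added here as an example (not code from the original thread or from Cisco ACS): a NAD marks a RADIUS server dead only when it stops answering, so an ACS that answers Access-Reject because its only DC is unreachable keeps receiving every request, while a powered-off ACS is skipped after its first timeout. The server names, tick-based timers and dead-time value are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of a NAD's RADIUS server selection. Real NAD
# implementations differ; the timer values here are hypothetical.
TIMEOUT = "timeout"   # no reply within the NAD's retransmit budget
ACCEPT = "accept"     # Access-Accept
REJECT = "reject"     # Access-Reject

@dataclass
class AcsServer:
    name: str
    reachable: bool = True    # ACS RADIUS service answers at all
    backend_ok: bool = True   # the AD domain controller behind it is reachable
    dead_until: int = -1      # tick until which the NAD skips this server

    def respond(self) -> str:
        if not self.reachable:
            return TIMEOUT
        # ACS is up but cannot validate against AD: it still answers, with a reject
        return ACCEPT if self.backend_ok else REJECT

@dataclass
class Nad:
    servers: List[AcsServer]
    dead_time: int = 5        # hypothetical dead timer, in ticks

    def authenticate(self, now: int) -> Tuple[str, str]:
        """Try servers in order; only a timeout marks one dead and triggers failover."""
        for srv in self.servers:
            if now < srv.dead_until:
                continue                      # marked dead, skip for now
            result = srv.respond()
            if result == TIMEOUT:
                srv.dead_until = now + self.dead_time
                continue                      # fall through to the next server
            return srv.name, result           # accept OR reject: server counts as alive
        return "none", TIMEOUT

def scenario(primary_reachable: bool, primary_backend_ok: bool) -> List[Tuple[str, str]]:
    """Three consecutive requests from one NAD: ACS1 primary, ACS2 secondary."""
    nad = Nad([AcsServer("ACS1", primary_reachable, primary_backend_ok), AcsServer("ACS2")])
    return [nad.authenticate(tick) for tick in range(3)]

if __name__ == "__main__":
    print("ACS1 lost its DC:", scenario(True, False))    # ACS1 rejects every request
    print("ACS1 powered off:", scenario(False, True))    # NAD fails over to ACS2
```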