Configuring a Distributed System


Distributed systems are networks that deploy multiple AAA servers. Each of these AAA servers provides authentication, authorization, and accounting as a primary server, as a backup server, or as one of several peer servers. This is a way to enable a fallback in the event that one AAA server becomes unavailable, which increases network uptime by reducing the downtime incurred when an AAA server is unreachable.

With distributed systems in place, you can also control the user database locally and still authenticate a user who accesses network services from a remote location against that local database. This authentication can take place even when the user authenticates through a remote AAA server that does not hold that particular user account. This functionality is accomplished through the use of Proxy Distribution Tables and the AAA servers defined in the Cisco Secure Access Control Server (CSACS) AAA servers table.

When the Distributed Systems Settings check box is selected, your interface (as seen in the HTML front end of CSACS) changes slightly. Figure 9-1 shows the view of the Network Configuration page prior to the Distributed System Settings being enabled in Interface Configuration.

Figure 9-1. Network Configuration Before Enabling Distributed System Settings


The configurations in this chapter are all enabled by selecting the Distributed Systems Settings check box, the Remote Logging check box, and the Cisco Secure ACS Database Replication check box. Regardless of whether Remote Logging and Cisco Secure ACS Database Replication are enabled, the implicit default action is to check the local ACS database for authentication. Selecting this option does not change your existing configuration.

To enable this functionality, you must check the Distributed Systems Settings check box, under Advanced Options, as shown in Figure 9-2. Also in Figure 9-2, you can see that other options have been selected.

Figure 9-2. Enabling Distributed Systems


After the Distributed System Settings check box is checked, you see a table for AAA clients, a table for AAA servers, and a Proxy Distribution Table within the Network Configuration page. Note that the Proxy Distribution Table has the default entry of (Default). This is the function previously mentioned for checking the local database. This default function is always enabled to force ACS to check its local database for authentication; it is simply not visible until Distributed System Settings has been selected. To add entries to any of these tables, select the Add Entry button at the bottom of each table. Figure 9-3 shows the new view of Network Configuration.

Figure 9-3. Network Configuration After Enabling Distributed System Settings


Other aspects of an AAA server that is in a distributed system are the ability to perform database replication and remote or central logging. You might notice a section labeled Proxy Distribution Table when you look at your Network Configuration page now. This is normal, and although there is an entry (Default), all AAA requests are still sent only to the local device. This is discussed later in this chapter.

As you scale your configuration and your network begins to grow, your AAA server table is going to grow as well. Also, your Proxy Distribution Table and your AAA clients table grow. After additional devices have been configured in the AAA server table, ACS can perform other features such as Relational Database Management System (RDBMS) synchronization and database replication, as well as remote logging to any of these other AAA servers that are defined. More of these features and the Proxy Distribution Table are discussed in the following sections of this chapter. RDBMS synchronization is discussed in Chapter 11, "System Configuration."

To help further understand the concept of a distributed system, examine Figure 9-4. It shows an ACS server deployed in California with local users, an AAA server deployed in Texas, and an AAA server deployed in New York. By creating a distributed system, you can enable a fallback in the event that one AAA server becomes unavailable. Should the AAA server in California become unavailable, users could authenticate, authorize, and be accounted for by the server located in Texas or even New York. This configuration is simple on the AAA client device: add the additional AAA servers with the correct AAA statement. For example, if you are using a PIX Firewall, you would simply add another AAA server statement, like so:

 aaa-server <tag> [<(if_name)>] host <ip_address> [<key>] [timeout <seconds>]

 aaa-server MYTACACS (outside) host 64.208.251.xx secretkey timeout 10

Figure 9-4. Distributed System


This distributed system increases network uptime and decreases downtime incurred by any unavailable AAA servers. With a distributed system in place, you can control the user database locally and, when users are out of town, still authenticate them to that same local database by using a Proxy Distribution Table configured on the remote ACS device that the user can authenticate through. If a user is in California and the ACS in California goes down, you could use replication functionality to authenticate the user to the ACS in Texas and so on. You could perform many different configurations.
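To make the fallback and proxying behavior described in this chapter concrete, here is an added Python model (not from the book and not Cisco Secure ACS code) of the Figure 9-4 deployment: a AAA client with an ordered aaa-server host list, three ACS servers, a Proxy Distribution Table, and database replication. The suffix-string match on the username (`@ca`), the constructed account `alice@ca`, and falling back to the local database when the home ACS is unreachable are assumptions made for the model.

```python
from dataclasses import dataclass, field

@dataclass
class AcsServer:
    name: str
    users: dict                                      # local user database: username -> password
    proxy_table: dict = field(default_factory=dict)  # username suffix -> home ACS name (assumed match rule)
    peers: dict = field(default_factory=dict)        # ACS name -> AcsServer, wired up by build_network()
    available: bool = True

    def authenticate(self, username, password):
        # Proxy Distribution Table: a matching entry forwards the request to the user's home ACS;
        # no match (or an unreachable home ACS) means the implicit (Default) entry: check the local database.
        for suffix, target in self.proxy_table.items():
            peer = self.peers.get(target)
            if username.endswith(suffix) and peer is not None and peer.available:
                return peer.authenticate(username, password)
        return self.users.get(username) == password

@dataclass
class AaaClient:
    """AAA client (for example a PIX) holding the ordered host list of one aaa-server tag."""
    servers: list
    def login(self, username, password):
        for srv in self.servers:              # hosts are tried in configured order
            if srv.available:
                return srv.name, srv.authenticate(username, password)
        return None, False                    # every host in the server group is unreachable

def replicate(src, dst):
    """Database replication: push a copy of src's user database to dst."""
    dst.users.update(src.users)

def build_network():
    ca = AcsServer("California", users={"alice@ca": "s3cret"})      # constructed local account
    tx = AcsServer("Texas", users={}, proxy_table={"@ca": "California"})
    ny = AcsServer("NewYork", users={}, proxy_table={"@ca": "California"})
    net = {s.name: s for s in (ca, tx, ny)}
    for s in net.values():
        s.peers = net
    return net

def run(client_order, username, password, down=(), replicate_to=None):
    net = build_network()                 # constructed scenario: replicate, then outage, then one login
    if replicate_to:
        replicate(net["California"], net[replicate_to])
    for name in down:
        net[name].available = False
    return AaaClient([net[n] for n in client_order]).login(username, password)
```

The third and fourth scenarios in the checks show why the chapter pairs proxying with replication: with California down, Texas can only authenticate the California user if it holds a replicated copy of that database.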




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
