Published On: August 6ᵗʰ, 2019 02:07
Installation and Upgrade Guide for Cisco Secure Access Control System 5.4
Understanding the ACS Server Deployment
The most basic ACS deployment consists of two servers; see Figure 1-1. One is the primary server that provides all of the configuration, authentication, and policy requirements for the network.
The second server is used as a backup if connectivity between the AAA clients and the primary server is lost. You use replication from the primary ACS server to the secondary server to keep the secondary in synchronization with the primary.
As the number of users and AAA clients in an organization increases, Cisco recommends moving the ACS deployment from the basic design to a split ACS deployment design; see Figure 1-2.
In a split ACS deployment, you use primary and secondary servers as in the basic (small) deployment, but the AAA load is split between the two servers to optimize AAA flow. Either server can handle the full workload of both if there is an AAA connectivity problem, but during normal operations neither server carries the full load of authentication requests.
Another advantage of this arrangement is that each server can be used for specific operations, such as device administration and network admission, but can still be used to perform all the AAA functions in the event of a failure.
With two ACS systems now processing authentication requests and collecting accounting data from AAA clients, Cisco recommends using one of the systems as a log collector. Figure 1-2 shows the secondary ACS server as the log collector.
Another advantage of this design is that it also allows for growth as shown in Figure 1-3.
As the local network grows, you need to add more ACS servers to the system. In this scenario, you should consider dedicating the primary server to configuration services and using the secondary servers for AAA functions. When the amount of log traffic increases, you should use one of the secondary servers as a centralized, dedicated log collector. A medium ACS deployment consists of thirteen servers.
In a large ACS deployment, as shown in Figure 1-4, centralized logging is highly recommended. A large ACS deployment consists of 21 servers. Cisco recommends a dedicated logging server (Monitoring and Report server) because of the potentially high syslog traffic that a busy network can generate. Because ACS generates syslog messages for outbound log traffic, any RFC-3164-compliant syslog server will work to collect outbound logging traffic.
This type of server enables you to use the reports and alerting features that are available in ACS for all ACS servers. This requires special licensing, which is discussed in the User Guide for Cisco Secure Access Control System 5.4. See Installing the ACS Server for more information on installing the ACS server.
You should also consider having the servers send logs to both a Monitoring and Report server and a generic syslog server. The addition of the generic syslog server provides a backup if the Monitoring and Report server is lost.
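The generic syslog server mentioned above only has to accept messages in the format RFC 3164 defines. The following is an added example (not code from this guide or from Cisco): a minimal RFC 3164 parser, plus a check that the backup collector holds every record the primary collector received. The sample lines are constructed for illustration; the hostnames, tags and message bodies are invented and are not ACS's own message format.

```python
"""Parse RFC 3164 syslog lines and compare two collectors' captures.
Added example; the sample lines below are constructed, not captured from ACS."""
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# RFC 3164 section 4.1: <PRI>TIMESTAMP HOSTNAME MSG, where TIMESTAMP is
# "Mmm dd hh:mm:ss" (day space-padded) and MSG is an alphanumeric TAG of at
# most 32 characters followed by CONTENT. PRI = facility * 8 + severity.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9]{1,32})(?P<content>.*)$",
    re.DOTALL,
)


@dataclass(frozen=True)
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    content: str


def parse_rfc3164(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None if the line is not RFC 3164 compliant."""
    m = _LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # highest valid PRI is local7/debug = 23*8+7
        return None
    if m.group("ts")[:3] not in MONTHS:
        return None
    content = m.group("content")
    if content[:1].isalnum():          # TAG exceeded the 32-character limit
        return None
    pid = None
    pm = re.match(r"\[(\d+)\]", content)  # common "tag[pid]:" convention
    if pm:
        pid = int(pm.group(1))
        content = content[pm.end():]
    return SyslogMessage(
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m.group("ts"),
        host=m.group("host"),
        tag=m.group("tag"),
        pid=pid,
        content=content.lstrip(": "),
    )


def noncompliant(lines: List[str]) -> List[str]:
    """Lines a strict RFC 3164 collector would not understand."""
    return [l for l in lines if parse_rfc3164(l) is None]


def missing_from_backup(primary: List[str], backup: List[str]) -> List[str]:
    """Parseable records seen by the primary collector but absent on the backup."""
    seen = {parse_rfc3164(l) for l in backup}
    missing = []
    for line in primary:
        msg = parse_rfc3164(line)
        if msg is not None and msg not in seen:
            missing.append(line)
    return missing


# Constructed sample captures (not real ACS output). PRI 86 = authpriv/info,
# 83 = authpriv/err, 190 = local7/info.
SAMPLE_PRIMARY = [
    "<86>Aug  6 02:07:11 acs-sec01 acsauth[1234]: Passed authentication user=alice nas=10.0.1.1",
    "<83>Aug  6 02:07:15 acs-sec02 acsauth[1234]: Failed authentication user=bob nas=10.0.1.2",
    "<190>Aug  6 02:07:20 acs-pri01 acsrepl: Replication to acs-sec01 complete",
]
SAMPLE_BACKUP = [SAMPLE_PRIMARY[0], SAMPLE_PRIMARY[2]]   # the failed-auth record never arrived

if __name__ == "__main__":
    for line in SAMPLE_PRIMARY:
        print(parse_rfc3164(line))
    print("missing on backup:", missing_from_backup(SAMPLE_PRIMARY, SAMPLE_BACKUP))
```

Run the comparison against captures exported from both collectors after a failover test; any line it reports is a record that exists only on one collector and would be lost if that collector went down.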
A dispersed ACS deployment is useful for organizations that have campuses located throughout the world. There may be a home campus where the primary network resides, but there may be additional LANs, sized from small to large, in campuses in different regions.
To optimize AAA performance, each of these remote campuses should have its own AAA infrastructure. See Figure 1-5. The centralized management model should still be used to maintain a consistent, synchronized AAA policy.
- Check whether there is a central or external database (Microsoft Active Directory [AD] or Lightweight Directory Access Protocol [LDAP]) in use. For the purposes of optimization, each remote site should have a synchronized instance of the external database available for ACS to access.
- The location of the AAA clients is also a major consideration. You should place your ACS servers as close as possible to the AAA clients to reduce the effects of network latency and the possibility of loss of access caused by WAN failure.
- ACS has console access for some functions, such as backup. Consider providing a console terminal at each site, so that each server can be reached securely even when it is not reachable over the network.
- If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, you may consider using an ACS server in a nearby site as a backup server for the local site for redundant configuration.
- DNS should be properly configured on all ACS nodes to ensure access to the external databases.
This section briefly describes the roles of various ACS servers and how to configure them. For more information on assigning a role to a server and configuring it, see the User Guide for Cisco Secure Access Control System 5.4.
See Chapter 5, “Installing and Configuring the Cisco Secure Access Control System with CSACS-1121” for installing ACS with the CSACS-1121 appliance, Chapter 9, “Installing and Configuring Cisco Secure Access Control System with SNS-3415” for installing ACS with the SNS-3415 appliance, or Chapter 10, “Installing ACS in a VMware Virtual Machine” for installing ACS with VMware ESX. In an ACS deployment, ensure that you first install a primary server.
On an ACS primary server, you can set up all the system configurations that are required for an ACS deployment. However, you must configure licenses and local certificates individually for each ACS secondary server.
- License—Install a unique base license for each of the ACS secondary servers in the deployment.
- New local certificates—You can either configure the local certificates on the secondary servers or import the local certificates from the primary server.
- Logging server—You can configure either the primary server or the secondary server to be the logging server for ACS. Cisco recommends that you configure a secondary ACS server as the logging server.
The secondary server must be activated to join the ACS environment. The administrator can either activate a secondary server or set up automatic activation. By default, the activation is set to Automatic.
The logging server receives the logs from the primary server and all the ACS secondary servers in the deployment. Cisco recommends that you allocate one of the ACS secondary servers as the Monitoring and Report server and exclude this particular secondary server from the AAA activities.