Understanding the ACS Server Deployment
This chapter provides an overview of possible ACS server deployments and their components.
This chapter contains:
•Understanding the ACS Server Setup
This section describes three deployment scenarios in which ACS might be used:
•Small ACS Deployment
•Medium ACS Deployment
•Large ACS Deployment
Small ACS Deployment
The most basic ACS deployment consists of two servers; see Figure 1-1. One is the primary server that provides all of the configuration, authentication, and policy requirements for the network. The second server is used as a backup server in the event of a connectivity loss between the AAA clients and the primary server. You use replication from the primary ACS server to the secondary server to keep the secondary server in synchronization with the primary server.
In a small network, this configuration provides the advantage of configuring the primary and secondary RADIUS servers on all AAA clients the same way.
Figure 1-1 Small ACS Deployment
As the number of users and AAA clients increases in an organization, Cisco recommends changing the deployment ACS from the basic design and using split ACS deployment design; see Figure 1-2.
Split ACS Deployment
In split ACS deployment, you use primary and secondary servers as in a small ACS deployment, but the AAA load is split between the two servers to optimize AAA flow. Each server handles the full workload of both servers in the event of a AAA connectivity problem, but during normal operations neither server carries the full load of authentication requests. This property of the servers allows for less stress on each ACS system, provides better loading, and makes you aware of the functional status of the secondary server through normal operations.
Another advantage of this arrangement is that each server can be used for specific operations, such as device administration and network admission, but can still be used to perform all the AAA functions in the event of a failure. With two ACS systems now processing authentication requests and collecting accounting data from AAA clients, Cisco recommends using one of the systems as a log collector. Figure 1-2 shows the secondary ACS server as the log collector.
Figure 1-2 Split ACS Deployment
Another advantage of this design is that it also allows for growth as shown in Figure 1-3.
Medium ACS Deployment
As the local network grows, you need to add more ACS servers to the system. In this scenario, you should consider promoting the primary server to perform configuration services, and using the secondary servers for AAA functions. When the amount of log traffic increases, you should either use the primary server as a centralized log collector or dedicate one ACS server as a log collector.
Figure 1-3 Medium ACS Deployment
Large ACS Deployment
In a large ACS deployment, as shown in Figure 1-4, centralized logging is highly recommended. Cisco recommends a dedicated logging server (Monitoring and Report server) due to the potentially high syslog traffic that a busy network can generate. Because ACS generates syslog messages for outbound log traffic, any RFC-3164-compliant syslog server will work to collect outbound logging traffic. This type of server enables you to use the reports and alerting features available in ACS for all ACS servers. This requires special licensing, which is discussed in Installing the ACS Server, page 5-2. You should also consider having the servers send logs to both a Monitoring and Report server and a generic syslog server. The addition of the generic syslog server provides backup in the event of a loss of the Monitoring and Report server.
Use a load balancer in a large, centralized network. See Figure 1-4. This simplifies the deployment of AAA clients, in which you require only a single entry for the AAA servers. The load balancer optimizes the routing of AAA requests to the available servers. A single load balancer becomes a single point of failure; therefore, you need to deploy two load balancers for redundancy. This requires you to configure two AAA server entries in each AAA client and this configuration will be consistent throughout the network.
Figure 1-4 Large ACS Deployment
Dispersed ACS Deployment
A dispersed ACS deployment is useful for organizations that have campuses located throughout the world. There may be a home campus where the primary network resides, but there may be additional LANs, sized from small to large, in campuses in different regions. To optimize AAA performance, each of these remote campuses should have its own AAA infrastructure. See Figure 1-5. The centralized management model should still be used to maintain a consistent, synchronized AAA policy. A centralized-configuration, primary ACS server and separate Monitoring and Report server should still be used. However, each of the remote campuses will have unique requirements.
Figure 1-5 Dispersed ACS Deployment
Some of the factors to consider when planning a network with remote sites are:
•Check if there is a central or external database (AD or LDAP) in use. For the purposes of optimization, each remote site should have a synchronized instance of the external database available for ACS to access.
•The location of the AAA clients is also a major consideration. You should place your ACS servers as close as possible to the AAA clients to reduce the effects of network latency and the possibility of loss of access due to WAN failure.
•ACS has console access for some functions, such as backup. Consider using a terminal at each site. This allows for secure console access outside of network access to each server.
•If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, you may consider using an ACS server in a nearby site as a backup server for the local site for redundant configuration.
•DNS should be properly configured on all ACS nodes to ensure access to the external databases.
Understanding the ACS Server Setup
This section briefly describes the roles of various ACS servers and how to configure them. For more information on assigning a role to a server and configuring it, see the User Guide for the Cisco Secure Access Control System 5.1.
This section contains:
Note The installation procedure is similar for any ACS server. See Chapter 5, "Installing and Configuring the Cisco Secure Access Control System with CSACS-1121." for installing ACS with the CSACS-1121 appliance or Chapter 6, "Installing ACS in a VMware Virtual Machine" for installing ACS with VMware ESX. In an ACS deployment, ensure that you first install a primary server.
In an ACS deployment, only one instance serves as an ACS primary, which provides the configuration capabilities and serves as the source for replication.
On an ACS primary server, you can set up all the system configurations required for an ACS deployment except that you configure licenses and local certificates individually for each ACS secondary server.
Except the primary server, all the other instances function as a secondary server.
A secondary ACS server receives all the system configurations from the primary server except that you need to configure the following on each secondary server:
•License—Install a unique base license for each of the ACS secondary servers in the deployment.
•New local certificates—You can either configure the local certificates on the secondary servers or import the local certificates from the primary server.
•Logging server—You can configure either the primary server or the secondary server to be the logging server for ACS. Cisco recommends that you configure a secondary ACS server as the logging server.
The secondary server must be activated to join the ACS environment. The administrator can either activate a secondary server or set up the automatic activation. By default, the activation is set to automatic.
Once the secondary server is activated, it starts receiving the full synchronization of the configuration and replication updates from the primary server.
Either a primary server or one of the secondary servers can function as a logging server.
The logging server receives the logs from the primary server and all the ACS secondary servers in the deployment. Cisco recommends that you allocate one of the ACS secondary servers as the Monitoring and Report server and exclude this particular secondary server from the AAA activities.
The three main logging categories are Audit, Accounting, and Diagnostics.
For more details on logging categories and configuration, see the User Guide for the Cisco Secure Access Control System 5.1.