RE: ACS: Submit vs Submit & Restart

From: Tim (ccie2be@nyc.rr.com)
Date: Tue Nov 21 2006 - 18:09:21 ART


Hey Nick,
Thanks for your reply.
What you say about submit & restart is true but I knew that part. What I
was hoping to find out was the "under the hood" part. IOW, the why behind
sometimes submit is sufficient while at other times submit & restart is
required. I suspect it has to do with the database and its proper operation
but that's just a guess.
Regarding the single-connection: That's a completely different issue.
That's for the situation where there are, for example, multiple users that
need to be authenticated. If you config single-connection, then the AAA
client will use ONE TCP connection to the AAA server for all the users
instead of an individual TCP connection for each user.
That has nothing to do with the issue of configuring Authentication on one
ACS and Authorization on a different ACS server.
Thanks again, Tim
  _____

From: Nick Garner [mailto:nwgarner@gmail.com]
Sent: Tuesday, November 21, 2006 1:44 PM
To: Tim
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: ACS: Submit vs Submit & Restart
Tim,
Usually, if the submit&restart option is available it is required for the
changes you have made to take effect. Usually meaning always... I have
never hit submit when submit&restart is available and not seen this message:

The current configuration has been changed. Restart ACS in "System
Configuration:Service Control" to adopt the new settings.

As for your other question regarding multiple servers: I've always used
the single-connection option when defining a tacacs-server on the IOS
device.

From cisco.com:

Use the
single-connection keyword to specify single-connection (only valid with
CiscoSecure Release 1.0.1 or later). Rather than have the router open and
close a TCP connection to the daemon each time it must communicate, the
single-connection option maintains a single open connection between the
router and the daemon. This is more efficient because it allows the daemon
to handle a higher number of TACACS operations.

I haven't tested multiple servers without it. I probably should though...
I'll have to check but I believe if a device is able to reach an ACS server
it will continue to use that server for subsequent requests. It isn't a
load balancing type of situation where it will use the first server
listed then use the next server when it needs to make another request.

Nick

On 11/21/06, Tim <ccie2be@nyc.rr.com> wrote:

Hi guys,

In ACS, after entering data, it's sometimes necessary to click Submit &
Restart but sometimes it's not. Why is that?

When the Submit & Restart button is clicked, what's actually Restarting?

Thanks, Tim
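Both Tim's description of single-connection (one TCP connection carrying many users' sessions) and the Cisco text Nick quotes describe behaviour that is visible on the wire in the TACACS+ packet header. The following is an added example, written for this archive and not code from either poster or from Cisco: it encodes and decodes the 12-byte TACACS+ header defined in RFC 8907, reports whether a packet carries the single-connection flag, flags the unencrypted bit a reviewer would want to catch, and counts how many distinct sessions were multiplexed over one connection. Session ids and body lengths in the sample are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# TACACS+ packet header (RFC 8907, section 4.1): 12 bytes, network byte order.
#   version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12

TAC_PLUS_MAJOR_VER = 0xC  # high nibble of the version byte

# Packet types carried in the header.
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03
PACKET_TYPES = {TAC_PLUS_AUTHEN: "authentication",
                TAC_PLUS_AUTHOR: "authorization",
                TAC_PLUS_ACCT: "accounting"}

# Header flag bits.
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body is sent in cleartext (no shared secret)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # peer wants to multiplex sessions on one TCP connection


@dataclass(frozen=True)
class Header:
    major_version: int
    minor_version: int
    packet_type: int
    seq_no: int
    flags: int
    session_id: int
    body_length: int

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_SINGLE_CONNECT_FLAG)

    @property
    def unencrypted(self) -> bool:
        return bool(self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def build_header(packet_type: int, seq_no: int, session_id: int, body_length: int,
                 single_connect: bool = False, unencrypted: bool = False,
                 minor_version: int = 0) -> bytes:
    """Encode a 12-byte TACACS+ header; the body itself is not generated here."""
    if packet_type not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {packet_type:#x}")
    version = (TAC_PLUS_MAJOR_VER << 4) | (minor_version & 0x0F)
    flags = 0
    if single_connect:
        flags |= TAC_PLUS_SINGLE_CONNECT_FLAG
    if unencrypted:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    return struct.pack(HEADER_FMT, version, packet_type, seq_no, flags,
                       session_id & 0xFFFFFFFF, body_length & 0xFFFFFFFF)


def parse_header(data: bytes) -> Header:
    """Decode the first 12 bytes of a TACACS+ packet, rejecting malformed headers."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(data)}")
    version, ptype, seq, flags, sid, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unexpected major version {major:#x}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype:#x}")
    return Header(major, minor, ptype, seq, flags, sid, length)


def audit_header(data: bytes) -> List[str]:
    """Return the findings a reviewer would want from one header."""
    h = parse_header(data)
    findings = [f"{PACKET_TYPES[h.packet_type]} packet, session {h.session_id:#010x}, seq {h.seq_no}"]
    findings.append("single-connection flag set" if h.single_connect
                    else "single-connection flag clear (one TCP connection per session)")
    if h.unencrypted:
        findings.append("WARNING: unencrypted flag set, body is cleartext on the wire")
    return findings


def sessions_on_connection(packets: Iterable[bytes]) -> Tuple[int, bool]:
    """For headers captured on one TCP connection, report how many distinct
    sessions were multiplexed and whether every packet carried the
    single-connection flag."""
    headers = [parse_header(p) for p in packets]
    session_ids = {h.session_id for h in headers}
    return len(session_ids), all(h.single_connect for h in headers)


if __name__ == "__main__":
    # Constructed sample: three users authenticating over one connection,
    # which is what `single-connection` on the AAA client is meant to produce.
    capture = [build_header(TAC_PLUS_AUTHEN, 1, sid, 40, single_connect=True)
               for sid in (0x11223344, 0x55667788, 0x99AABBCC)]
    for pkt in capture:
        print("; ".join(audit_header(pkt)))
    print(sessions_on_connection(capture))
```

The session_id field is what lets the server keep the three users apart once they share a connection, which is why single-connection is a transport optimisation and has no bearing on where authentication and authorization are served from. The unencrypted-flag check is the one worth running over a capture: a body sent with that bit set carries credentials and command authorizations in cleartext.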
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART