Chapter 11 Working with User Databases
Generic LDAP
11-18
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
If the On Timeout Use Secondary check box is selected, and if the first LDAP
server that Cisco Secure ACS attempts to contact cannot be reached,
Cisco Secure ACS always attempts to contact the other LDAP server. The first
server Cisco Secure ACS attempts to contact may not always be the primary
LDAP server. Instead, the first LDAP server that Cisco Secure ACS attempts to
contact depends on the previous LDAP authentication attempt and on the value
specified in the Failback Retry Delay box.
Successful Previous Authentication with the Primary LDAP Server
If, on the previous LDAP authentication attempt, Cisco Secure ACS successfully
connected to the primary LDAP server, Cisco Secure ACS attempts to connect to
the primary LDAP server. If Cisco Secure ACS cannot connect to the primary
LDAP server, Cisco Secure ACS attempts to connect to the secondary LDAP
server.
If Cisco Secure ACS cannot connect with either LDAP server, Cisco Secure ACS
stops attempting LDAP authentication for the user. If the user is an unknown user,
Cisco Secure ACS tries the next external user database listed in the Unknown
User Policy list. For more information about the Unknown User Policy list, see
the Unknown User Processing section on page 12-1.
Unsuccessful Previous Authentication with the Primary LDAP Server
If, on the previous LDAP authentication attempt, Cisco Secure ACS could not
connect to the primary LDAP server, whether Cisco Secure ACS first attempts to
connect to the primary server or secondary LDAP server for the current
authentication attempt depends on the value in the Failback Retry Delay box. If
the Failback Retry Delay box is set to 0 (zero), Cisco Secure ACS always attempts
to connect to the primary LDAP server first. And if Cisco Secure ACS cannot
connect to the primary LDAP server, Cisco Secure ACS then attempts to connect
to the secondary LDAP server.
If the Failback Retry Delay box is set to a number other than zero,
Cisco Secure ACS determines how many minutes have passed since the last
authentication attempt using the primary LDAP server occurred. If more minutes
have passed than the value specified in the Failback Retry Delay box,
Cisco Secure ACS attempts to connect to the primary LDAP server first. And if
Cisco Secure ACS cannot connect to the primary LDAP server,
Cisco Secure ACS then attempts to connect to the secondary LDAP server.
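The server-ordering rules described in this section, modelled as an added Python example (this is not Cisco's code). It assumes the On Timeout Use Secondary check box is selected, and the branch for an attempt made while the Failback Retry Delay has not yet elapsed (secondary tried first) is an assumption, since this page does not spell that case out; the field and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LdapFailoverState:
    """State kept between authentication attempts for one Generic LDAP
    database (names are this example's own, not ACS configuration keys)."""
    failback_retry_delay_min: int = 0               # value of the Failback Retry Delay box
    primary_ok_last_time: bool = True               # did the previous attempt reach the primary?
    last_primary_attempt_min: Optional[float] = None  # clock (minutes) of the last primary attempt


def contact_order(state: LdapFailoverState, now_min: float) -> List[str]:
    """Order in which the servers are contacted, with On Timeout Use Secondary
    selected (so the other server is always tried after a failure)."""
    if state.primary_ok_last_time:
        return ["primary", "secondary"]   # previous attempt reached the primary: primary first
    if state.failback_retry_delay_min == 0:
        return ["primary", "secondary"]   # delay of 0: always lead with the primary
    if state.last_primary_attempt_min is None:
        return ["primary", "secondary"]   # primary never tried yet: lead with it
    elapsed = now_min - state.last_primary_attempt_min
    if elapsed > state.failback_retry_delay_min:
        return ["primary", "secondary"]   # more minutes than the delay: fail back to primary
    # Assumption (not stated on this page): inside the delay window the
    # secondary is tried first and the primary only if the secondary fails.
    return ["secondary", "primary"]


def authenticate(state: LdapFailoverState, reachable: Dict[str, bool],
                 now_min: float) -> Optional[str]:
    """Try the servers in order and record the outcome of any primary attempt.
    Returns the server that answered, or None when neither can be reached
    (ACS then stops LDAP authentication and, for an unknown user, moves on
    to the next database in the Unknown User Policy list)."""
    for server in contact_order(state, now_min):
        ok = reachable[server]            # constructed reachability table, e.g. {"primary": False}
        if server == "primary":
            state.last_primary_attempt_min = now_min
            state.primary_ok_last_time = ok
        if ok:
            return server
    return None
```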