Management and Configuration Guide (Includes ACM xl) 2005-12

6-14 ProCurve Secure Access 700wl Series Management and Configuration Guide
Configuring the Network
Configuring Failover with Redundant Access Control Servers
Please read the section “Enterprise Class Redundancy” on page 2-17 in Chapter 2, “Configuring the Network”.
Note: An Integrated Access Manager cannot be used as a peer in a redundant configuration.
The 700wl Series system supports multiple Access Control Servers for Access Control Server redundancy and failover. Access Control Server failover provides high-availability operation for clients in case of system outages, network failures, and similar events. The primary Access Control Server functions as a normal Access Control Server, servicing the connected Access Controllers' requests for authentication, rights administration, and other functions. The redundant Access Control Server is synchronized with the primary Access Control Server through a combination of database replication, message/state replication, and configuration replication, and is kept synchronized via incremental SQL updates.
To set up a redundant Access Control Server configuration, the following is required:
• Two peer Access Control Servers, each running version 4.0 or later software, must exist on the network and be mutually reachable.
• One of these Access Control Servers must have the Preferred Primary Access Control Server option checked as part of the Access Control Server setup under the System Components tab of the Network pages. Only one of the peer Access Control Servers may have this option checked.
• Both Access Control Servers (and all Access Controllers) must be configured with the same shared secret in order to communicate with each other and with the Access Controllers under their control.
• As Access Controllers are installed on the network, they should be configured with the IP address of the Preferred Primary Access Control Server. Access Controllers in a configuration with redundant Access Control Servers receive the address of the peer Access Control Server from the Primary Access Control Server.
The process of configuring a 700wl Series system to use redundant Access Control Servers is as follows:
Step 1. Select one of the two Access Control Servers to function as the Preferred Primary Access Control
Server. This Access Control Server will be the one that initially manages the Access Controllers
associated with the 700wl Series system, and will be the one responsible for initiating the
redundant peer relationship with its peer Access Control Server. In addition, in case of a
simultaneous reboot of both peer Access Control Servers, the one designated the Preferred
Primary will take control of the associated Access Controllers.
Step 2. Prepare a second Access Control Server to function as a redundant peer by configuring its
shared secret to be the same as the Primary Access Control Server’s shared secret. The second
peer Access Control Server must not be designated as the Preferred Primary Access Control
Server. This Access Control Server does not need to be configured beyond the basic network
configuration settings—once the process of synchronization with its peer begins, most
configuration information on the secondary Access Control Server will be overwritten by the
configuration from the Primary Access Control Server.
Step 3. On the Primary Access Control Server, provide a name for the peer Access Control Server, enter the IP address of the second Access Control Server as the Peer IP Address, check the Preferred Primary Access Control Server setting, and Save these changes.
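The requirements listed above and the settings made in Steps 1 through 3 can be verified before the peer relationship is initiated. The script below is an added example, not code from this guide or from the 700wl software: it encodes the guide's preconditions (two peers on version 4.0 or later, mutually reachable, exactly one Preferred Primary, one shared secret on both peers and every Access Controller, Access Controllers installed with the Preferred Primary's address, the Peer IP Address entered on the Preferred Primary) as checks over constructed configuration records. The record field names, the sample addresses and secrets, and the `reachable` set standing in for a real connectivity test are all assumptions for illustration.

```python
"""Pre-flight check for a 700wl Series redundant Access Control Server pair.

Added example, not part of the ProCurve guide or product. Field names, sample
data and the ``reachable`` set are illustrative assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MIN_VERSION = (4, 0)  # guide: each peer must run version 4.0 or later software


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.1.2' -> (4, 1, 2): compare numerically so '4.10' is not judged older than '4.9'."""
    return tuple(int(part) for part in text.strip().split("."))


def secret_fingerprint(secret: str) -> str:
    """Short hash used in reports so a mismatch can be located without logging the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


@dataclass
class AccessControlServer:
    name: str
    ip: str
    version: str
    shared_secret: str
    preferred_primary: bool = False
    peer_ip: Optional[str] = None  # entered on the Preferred Primary in Step 3


@dataclass
class AccessController:
    name: str
    server_ip: str  # Access Control Server address the controller was installed with
    shared_secret: str


def check_redundant_pair(servers: List[AccessControlServer],
                         controllers: List[AccessController],
                         reachable: Set[Tuple[str, str]]) -> List[str]:
    """Return the violated preconditions; an empty list means the pair is ready.

    ``reachable`` holds (source_ip, destination_ip) pairs from an assumed
    connectivity test (constructed here; a real check would probe the network).
    """
    problems: List[str] = []
    if len(servers) != 2:
        return [f"expected exactly two peer Access Control Servers, found {len(servers)}"]
    first, second = servers

    for server in servers:
        if parse_version(server.version) < MIN_VERSION:
            problems.append(f"{server.name}: software {server.version} is older than 4.0")

    for src, dst in ((first, second), (second, first)):  # must be reachable both ways
        if (src.ip, dst.ip) not in reachable:
            problems.append(f"{src.name} cannot reach {dst.name} at {dst.ip}")

    preferred = [s for s in servers if s.preferred_primary]
    if len(preferred) != 1:
        problems.append(f"exactly one peer may be Preferred Primary, found {len(preferred)}")
    else:
        primary = preferred[0]
        secondary = second if primary is first else first
        if primary.peer_ip != secondary.ip:
            problems.append(f"{primary.name}: Peer IP Address {primary.peer_ip} is not "
                            f"{secondary.name}'s address {secondary.ip}")
        for controller in controllers:
            if controller.server_ip != primary.ip:
                problems.append(f"{controller.name}: installed with {controller.server_ip}, "
                                f"not the Preferred Primary {primary.ip}")

    # One shared secret on both peers and every controller; report fingerprints, never the secret.
    expected = secret_fingerprint(first.shared_secret)
    for device in list(servers) + list(controllers):
        fp = secret_fingerprint(device.shared_secret)
        if fp != expected:
            problems.append(f"{device.name}: shared secret fingerprint {fp} differs from "
                            f"{first.name}'s {expected}")
    return problems


def ready_pair() -> List[str]:
    """Constructed configuration that satisfies every precondition (returns [])."""
    acs1 = AccessControlServer("acs-1", "10.0.0.11", "4.1", "s3cret",
                               preferred_primary=True, peer_ip="10.0.0.12")
    acs2 = AccessControlServer("acs-2", "10.0.0.12", "4.0", "s3cret")
    controllers = [AccessController("ac-floor1", "10.0.0.11", "s3cret"),
                   AccessController("ac-floor2", "10.0.0.11", "s3cret")]
    links = {("10.0.0.11", "10.0.0.12"), ("10.0.0.12", "10.0.0.11")}
    return check_redundant_pair([acs1, acs2], controllers, links)


def misconfigured_pair() -> List[str]:
    """Constructed configuration with the mistakes the guide warns against."""
    acs1 = AccessControlServer("acs-1", "10.0.0.11", "4.1", "s3cret",
                               preferred_primary=True, peer_ip="10.0.0.12")
    acs2 = AccessControlServer("acs-2", "10.0.0.12", "3.2", "s3cret",
                               preferred_primary=True)  # too old, and a second Preferred Primary
    controllers = [AccessController("ac-floor1", "10.0.0.12", "typo-secret")]  # wrong secret
    links = {("10.0.0.11", "10.0.0.12")}  # reachable in one direction only
    return check_redundant_pair([acs1, acs2], controllers, links)


if __name__ == "__main__":
    print("ready pair:", ready_pair() or "OK")
    for problem in misconfigured_pair():
        print("-", problem)
```

The checks that depend on a single Preferred Primary (Peer IP Address, controller addresses) are skipped when zero or two peers carry the flag, because there is no defined primary to compare against; fix that first and rerun. Secrets are compared through a truncated hash so the report can say which device disagrees without writing the shared secret to a terminal or log.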