• Hello James. The Primary does not fail over to the Replica. The Primary and Replica are always active, waiting to answer authentication requests.

    Failover happens at the device sending the authentication requests. In RADIUS, the Primary and Replica are set up in the RADIUS configuration on the NAS device as a primary and secondary RADIUS server. If you are using the older UDP agent (port 5500), you have to do an Automatic Rebalance in the Security Console to update the contact list. If you are using the REST-based MFA Agent, you configure the Primary and Replica URLs separated by commas.

  • JamesKillilea (Customer)

    Frank,

    Now I am even more confused. If I go unplug my RSA appliance from the stack right now, how do I authenticate after my 14 offline days are up?

    My original understanding of the replica was that it is a virtual copy of the primary instance that is used for disaster recovery and failover. The way I understand the deployment of the replica is that it attaches itself to the primary like a pilot fish to a shark. Are there more steps to make it automatically fail over? Or is what you're saying that the replica is loitering, waiting for an authentication request?

  • Hello James, I don't know how far back your original understanding is from, but failover has been the same since I started in 2006 (circa ACE 5.2), and your understanding is incorrect. You are correct in that the Replica is a virtual copy of the Primary, but that's it. The Primary and Replica are always listening for authentication requests, to the point that agents can load balance themselves and the agents can send authentication requests to any AM server. They don't have to send authentication requests to just the Primary. If you have a UDP agent installed in a DR center and a Replica in the same DR center, the agent will detect that the DR Replica is closest and send all its requests to it.

    My background is in routing and switching. If you are familiar with VRRP (Virtual Router Redundancy Protocol), that is not how the AM servers work. The Replica is not a hot standby. It is always active.

    To reiterate what I said in my previous response: failover happens at the device that is sending the authentication request, whether it's the older UDP agent, the MFA Agent or a NAS device using RADIUS. The UDP agent does this automatically. The MFA agent and RADIUS are a more manual configuration. If your agents and RADIUS clients are configured correctly, they will detect that your Primary is not available and send requests to the Replica.
  • JamesKillilea (Customer)

    Frank,

    Thank you for the clarification. After re-examining my appliance, I have been able to deliver what my supervisor needs without realizing that I had done it already. I appreciate your assistance! By the way, I was in 6th grade in 2006.