1928 Views · 10 Helpful · 11 Replies

Radius server order

quadrabe
Level 1

Hi

 

We're in the process of transitioning to a new Radius server.

However we would like to login with our old and new credentials.

 

We've read about the following commands, but these only seem to work when a Radius server is dead.

Router(config)# radius-server retry method reorder
Router(config)# radius-server retransmit 0
Router(config)# radius-server transaction max-tries 6

This will not be the case for us. All servers will be online.

Is there a possibility to do this?

11 Replies

Hello,

 

not sure I understand what you are trying to accomplish. Do you want the old and the new server both to be online, and to service authentication requests... how?

Hi

We would like to login with the old or new account.
If the first Radius server cannot find the account -> authentication fails, the next server should be tried.

 

However, I did not find any documentation stating this is possible, only when a server is dead.

...

Hello,

 

understood. I don't know if server groups would work here. In the example below, server RADIUS1 would be contacted first, then RADIUS2... 

 

aaa group server radius RAD_GROUP
 server name RADIUS1
 server name RADIUS2
radius server RADIUS1
 address ipv4 192.168.1.11 auth-port 1645 acct-port 1646
 key cisco
radius server RADIUS2
 address ipv4 192.168.2.11 auth-port 1645 acct-port 1646
 key cisco
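To make the failover semantics of an ordered server group like the one above concrete, here is an added example (my own model, not code from this thread or from Cisco) of how a NAS walks the group for a single login. It assumes the IOS defaults of a 5-second timeout and 3 retransmits, and it models one request only: the dead-server and deadtime bookkeeping IOS keeps across requests is left out. The point it demonstrates is the one the thread turns on: a live server that answers Access-Reject ends the request, and the next server in the group is consulted only when the first one never answers; a later method such as local is reached only when no server in the group answers at all.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Constructed model of an IOS-style NAS walking an ordered RADIUS server group.
# Assumed defaults: timeout 5 s (the "Started 5 sec timeout" in the debug), retransmit 3.
ACCEPT, REJECT = "accept", "reject"


@dataclass
class RadiusServer:
    name: str
    # Returns ACCEPT, REJECT, or None when the server never answers (down/unreachable).
    respond: Callable[[str], Optional[str]]


@dataclass
class Trace:
    result: str = "pending"
    packets: List[Tuple[str, int]] = field(default_factory=list)  # (server, attempt number)
    waited_s: int = 0                                             # time spent on expired timers


def known_users(accounts: Set[str]) -> Callable[[str], Optional[str]]:
    """A live server: Access-Accept for accounts it knows, Access-Reject for everything else."""
    return lambda user: ACCEPT if user in accounts else REJECT


def silent() -> Callable[[str], Optional[str]]:
    """A dead or unreachable server: every request times out."""
    return lambda user: None


def authenticate(group: List[RadiusServer], user: str, *, timeout_s: int = 5,
                 retransmit: int = 3, local_users: Tuple[str, ...] = ()) -> Trace:
    """Walk the group in configured order for one login attempt."""
    trace = Trace()
    for server in group:
        # one initial transmission plus `retransmit` retries to the same server
        for attempt in range(1, retransmit + 2):
            trace.packets.append((server.name, attempt))
            answer = server.respond(user)
            if answer == ACCEPT:
                trace.result = "PASS"
                return trace
            if answer == REJECT:
                # An Access-Reject is a definitive answer for the whole group:
                # the NAS does not go on to ask the next server for this user.
                trace.result = "FAIL"
                return trace
            trace.waited_s += timeout_s  # no reply: the timer expires, then retry
        # retries exhausted: treat this server as dead for this request and move on
    # nobody in the group answered; only now can a later method (e.g. local) run
    trace.result = "PASS-LOCAL" if user in local_users else "ERROR"
    return trace


if __name__ == "__main__":
    old = RadiusServer("RADIUS1", known_users({"alice"}))   # account exists only here
    new = RadiusServer("RADIUS2", known_users({"bob"}))     # account exists only here
    print("bob, both servers up:", authenticate([old, new], "bob"))
    print("bob, old server dead:", authenticate([RadiusServer("RADIUS1", silent()), new], "bob"))
```

The first call reproduces the situation in this thread: RADIUS1 is alive, does not know "bob", answers Access-Reject, and RADIUS2 is never sent a packet. Only in the second call, where RADIUS1 is silent, does the NAS send four packets (initial plus three retransmits, 20 seconds of timers) and then try RADIUS2.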

Hi

 

This is the setup we have and debug radius authentication shows us it only queries the first server (192.168.1.11) in your case.

Because this server is alive, an authentication attempt to 192.168.2.11 is never made.

 

Apr 6 2022 15:01:23.923 CEST: RADIUS/ENCODE(00000040):Orig. component type = Exec
Apr 6 2022 15:01:23.923 CEST: RADIUS/ENCODE(00000040): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Apr 6 2022 15:01:23.923 CEST: RADIUS(00000040): Config NAS IP: 172.25.25.228
Apr 6 2022 15:01:23.923 CEST: vrfid: [65535] ipv6 tableid : [0]
Apr 6 2022 15:01:23.923 CEST: idb is NULL
Apr 6 2022 15:01:23.923 CEST: RADIUS(00000040): Config NAS IPv6: ::
Apr 6 2022 15:01:23.924 CEST: RADIUS/ENCODE(00000040): acct_session_id: 4054
Apr 6 2022 15:01:23.924 CEST: RADIUS(00000040): sending
Apr 6 2022 15:01:23.924 CEST: RADIUS: Long password processing
Apr 6 2022 15:01:23.924 CEST: RADIUS(00000040): Send Access-Request to 10.248.0.24:1812 id 1645/56, len 87
RADIUS: authenticator C9 34 41 5A 8F B8 FF 1C - 73 27 09 19 F2 A3 50 66
Apr 6 2022 15:01:23.924 CEST: RADIUS: User-Name [1] 9 "XXX"
Apr 6 2022 15:01:23.924 CEST: RADIUS: User-Password [2] 34 *
Apr 6 2022 15:01:23.924 CEST: RADIUS: NAS-Port [5] 6 3
Apr 6 2022 15:01:23.924 CEST: RADIUS: NAS-Port-Id [87] 6 "tty3"
Apr 6 2022 15:01:23.924 CEST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Apr 6 2022 15:01:23.924 CEST: RADIUS: NAS-IP-Address [4] 6 172.25.25.228
Apr 6 2022 15:01:23.924 CEST: RADIUS(00000040): Sending a IPv4 Radius Packet
Apr 6 2022 15:01:23.924 CEST: RADIUS(00000040): Started 5 sec timeout
Apr 6 2022 15:01:25.927 CEST: RADIUS: Received from id 1645/56 10.248.0.24:1812, Access-Reject, len 20
RADIUS: authenticator 71 ED D4 25 DE 49 6B 85 - 5C 5C 7E 83 7E C5 84 88
Apr 6 2022 15:01:25.928 CEST: RADIUS(00000040): Received from id 1645/56
Apr 6 2022 15:01:27.928 CEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: XXX] [Source: 193.190.73.129] [localport: 22] [Reason: Login Authentication Failed] at 15:01:27 CEST Wed Apr 6 2022
Apr 6 2022 15:01:27.947 CEST: RADIUS/ENCODE(00000040): ask "Password: "
Apr 6 2022 15:01:27.947 CEST: RADIUS/ENCODE(00000040): send packet; GET_PASSWORD
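The debug above shows the whole story in two lines: an Access-Request (id 56, len 87) goes to 10.248.0.24:1812 with a 5-second timer, and an Access-Reject comes back two seconds later. Because a reply arrived, the timer never expired and the second server was never consulted. As an added example (my own code, not from this thread or from Cisco), the following reconstructs that Access-Request per RFC 2865 so the attribute lengths in the debug can be checked, and implements the User-Password hiding in both directions to show that it is reversible by anyone holding the shared secret. Assumptions: the user name "XXX" is redacted in the log, so a constructed 7-character name is used (User-Name length 9 = 2 header octets + 7); User-Password length 34 means a 17 to 32 character password, so a constructed 20-character one is used; the shared secret "cisco" and the NAS IP, port, tty and authenticator are taken from the thread's own config and debug.

```python
import hashlib
import os
import socket
import struct
from typing import List, Optional, Tuple

# RFC 2865 codes. The attribute numbers are the ones shown in square brackets in
# the debug output, e.g. User-Name [1], NAS-Port-Id [87].
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
NAS_PORT_TYPE, NAS_PORT_ID = 61, 87
NAS_PORT_TYPE_VIRTUAL = 5  # "Virtual [5]" in the debug
HEADER_LEN = 20            # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 octets; each block is XORed
    with MD5(secret + previous ciphertext block), the first block using the
    Request Authenticator. This only obscures the password: with the shared
    secret and the packet it is fully reversible (see reveal_password).
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, exactly as the RADIUS server recovers the password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets too."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_ip: str, nas_port: int, nas_port_id: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request with the same attributes, in the same order, as the debug."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = b"".join([
        attribute(USER_NAME, username.encode()),
        attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        attribute(NAS_PORT, struct.pack("!I", nas_port)),
        attribute(NAS_PORT_ID, nas_port_id.encode()),
        attribute(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
        attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def summarize(packet: bytes) -> Tuple[int, int, int, List[Tuple[int, int]]]:
    """Parse the header and walk the TLVs: (code, id, length, [(type, length), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("Length field does not match the packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")  # never read past the packet
        attrs.append((atype, alen))
        pos += alen
    return code, ident, length, attrs


if __name__ == "__main__":
    # Authenticator value copied from the debug line "RADIUS: authenticator C9 34 ..."
    auth = bytes.fromhex("C934415A8FB8FF1C73270919F2A35066")
    # "user001" and the password are constructed stand-ins for the redacted "XXX".
    pkt = build_access_request(56, b"cisco", "user001", "constructed-pass-20c",
                               "172.25.25.228", 3, "tty3", auth)
    print(summarize(pkt))  # expect code 1, id 56, len 87 and the six attribute lengths from the debug
```

Running it reproduces the debug's framing exactly: code 1, identifier 56, length 87, and attributes of lengths 9, 34, 6, 6, 6 and 6 in the order User-Name, User-Password, NAS-Port, NAS-Port-Id, NAS-Port-Type, NAS-IP-Address. The reveal_password round trip is the practical reason the shared secret in a real deployment should not be "cisco" and why RADIUS traffic between NAS and server is worth keeping on a trusted path.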

That is the setup we have now. However, the first server gets queried, but as long as it isn't that, IOS won't move on to the second.

The server group syncs together whether you use the same SERVICE or a different SERVICE for each one in the group.

So we will see the group as one host, and if that host dies then we will shift to the other.

I think the solution here is to config each server host separately; that makes R search the first one, and if it doesn't find it, it will go to the other one until it finds the user account or falls back to local.

R does not shift to the second with the same SERVICE, as I think the R thinks that this server is in sync.

We would like to login with the old or new account.
If the first Radius server cannot find the account -> authentication fails, the next server should be tried.

No, I do not believe this works.

 

However, I did not find any documentation stating this is possible, only when a server is dead.

Yes, if this is the order of operation.

 

Is this device authentication?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dan Frey
Cisco Employee

Take a look at "radius-server directed-request" feature as it allows the client to specify the radius server to use for the session.

OP asked: if the user authentication fails, does it need to go to the other server? Is this possible? Just thinking to myself again.

 

Take a look at "radius-server directed-request" feature as it allows the client to specify the radius server to use for the session.

radius-server directed-request

To allow users logging into a Cisco network access server (NAS) to select a RADIUS server for authentication, use the radius-server directed-request command in global configuration mode. To disable the directed-request feature, use the no form of this command.

radius-server directed-request [restricted]

no radius-server directed-request [restricted]

Syntax Description

restricted    (Optional) Prevents the user from being sent to a secondary server if the specified server is not available.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help