04-04-2022 05:43 AM
Hi All,
I would like to know whether the ASA can be configured with a backup aaa-server group in case the primary aaa-server group is down,
as in the configuration below. If the Radius-1 group fails, can I configure an automatic switchover to the Radius-2 group?
aaa-server Radius-1 protocol radius
aaa-server Radius-1 (inside) host 10.10.10.1
key xxx
aaa-server Radius-1 (inside) host 10.10.10.2
key xxx
aaa-server Radius-2 protocol radius
aaa-server Radius-2 (inside) host 20.20.20.1
key xxx
aaa-server Radius-2 (inside) host 20.20.20.2
key xxx
aaa authentication http console Radius-1 LOCAL
aaa authentication enable console Radius-1 LOCAL
aaa authentication serial console Radius-1 LOCAL
aaa authentication ssh console Radius-1 LOCAL
Thank you.
04-04-2022 06:18 AM
I searched and checked both the command reference and ASDM; both point to the same thing:
YOU CAN USE ONLY ONE GROUP for each auth/authz/accounting, and additionally you can select LOCAL as the fallback, which is recommended.
So sorry, even if you have multiple groups, only one is supported with aaa authentication http, etc.
04-04-2022 06:30 AM - edited 04-04-2022 06:32 AM
I have double checked on the command line: no, you would only be able to call Radius-1 in aaa authentication. You can't call Radius-2 for authentication; one server group name at a time.
But what you can do is add all the IP addresses to Radius-1. In case one IP is not available it will fall back to the other, and so on.
04-04-2022 06:12 AM - edited 04-04-2022 06:17 AM
The order in your case would be: inside Radius-1 the first server will be checked; if it is not reachable it will go to the second. The same for Radius-2;
however, you need to call Radius-2 in your aaa authentication.
The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if configured. If all servers in the group are unavailable, the security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the security appliance continues to try the AAA servers.
If you configured a fallback method using the local database (for management access only; see the "Configuring AAA for System Administrators" section on page 40-5 and the "Configuring TACACS+ Command Authorization" section on page 40-11 to configure the fallback mechanism), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step.
If you do not have a fallback method, the security appliance continues to retry the servers in the group.
c. If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, enter the following command:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/aaa.html
04-04-2022 06:15 AM
"however you need to call Radus-2 in your aaa authentication."
- You mean I need to manually edit the configuration? Is my understanding correct? Is there no way to do it automatically?
04-04-2022 06:41 AM
Thanks for the answer.
As you mentioned, @MHM Cisco World, I can configure only 1 aaa-group for aaa authentication. Can you provide an official document for me?
04-04-2022 06:44 AM
Yes, here is the link.
You can add all the IP addresses in one server group; the default is 3, but you can add from 1 to 5.
04-04-2022 06:50 AM
Thank you for the information.
"you can add all the ip address in one group server"
As you mentioned. I worry the ASA will be confused, because radius-1 and radius-2 do not sync their database or sessions.
04-04-2022 07:09 AM - edited 04-04-2022 07:11 AM
Are 10.x.x.x and 20.x.x.x behind the ASA inside interface?
Oh OK, I got you. The 10 range and 20 range RADIUS servers are not synced.
In that case you have limited options: you can use either 10 or 20. But if range 10 is not responding, then 20 will kick in.
04-04-2022 06:43 AM
You can add the IP addresses to one server group:
aaa-server Radius-1 protocol radius
aaa-server Radius-1 (inside) host 10.10.10.1
key xxx
aaa-server Radius-1 (inside) host 10.10.10.2
key xxx
aaa-server Radius-1 protocol radius
aaa-server Radius-1 (inside) host 20.20.20.1
key xxx
aaa-server Radius-1 (inside) host 20.20.20.2
key xxx
aaa authentication http console Radius-1 LOCAL
aaa authentication enable console Radius-1 LOCAL
aaa authentication serial console Radius-1 LOCAL
aaa authentication ssh console Radius-1 LOCAL
The range is from 1 to 5. The default is 3.
If you configured a fallback method using the local database (for management access only), and all the servers in the group fail to respond, or their responses are invalid, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the next step.
If you do not have a fallback method, the ASA continues to retry the servers in the group.
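To make the documented sequence concrete (first server, then the next, LOCAL fallback, and the 10-minute unresponsive period), here is an added Python model that is not Cisco code and not from anyone in this thread; the `reachable` predicate, the host list and the timeline are constructed stand-ins for the real RADIUS exchange, and `deadtime` stands in for the default reactivation period.

```python
from dataclasses import dataclass

DEFAULT_DEADTIME_SEC = 600  # ASA default: a failed group stays "unresponsive" 10 min


@dataclass
class AaaGroup:
    """One `aaa-server <name> protocol radius` group, as referenced by
    `aaa authentication ... console <name> [LOCAL]`."""
    name: str
    hosts: list                       # in the order the `host` lines appear
    fallback_local: bool              # trailing LOCAL keyword configured
    deadtime: int = DEFAULT_DEADTIME_SEC
    unresponsive_until: float = -1.0  # group is skipped until this time


def authenticate(group, reachable, now):
    """Model one management-auth request at time `now` (seconds).
    `reachable` is a constructed host -> bool predicate standing in for
    the real RADIUS exchange. Returns (method, hosts_contacted), where
    method is the answering host, "LOCAL" or "FAIL"."""
    contacted = []
    if now < group.unresponsive_until:
        # Inside the unresponsive window no server is contacted; the
        # fallback is used immediately (the window only exists with LOCAL).
        return ("LOCAL", contacted)
    for host in group.hosts:           # first server, then the next, ...
        contacted.append(host)
        if reachable(host):
            return (host, contacted)
    if group.fallback_local:
        # All servers failed: mark the group unresponsive, fall back to LOCAL.
        group.unresponsive_until = now + group.deadtime
        return ("LOCAL", contacted)
    return ("FAIL", contacted)         # no fallback: next request retries all


def outage_timeline():
    """Constructed scenario: all four hosts merged into one group (as the
    thread suggests) are down at t=0 and back at t=10."""
    group = AaaGroup("Radius-1", ["10.10.10.1", "10.10.10.2",
                                  "20.20.20.1", "20.20.20.2"], fallback_local=True)
    restored_at = 10
    timeline = []
    for t in (0, 30, 700):
        method, contacted = authenticate(group, lambda h: t >= restored_at, t)
        timeline.append((t, method, len(contacted)))
    return timeline
```

Calling `outage_timeline()` shows that the request at t=30 is answered from LOCAL without any RADIUS host being contacted, even though all hosts are back; only after the unresponsive period expires does the group get contacted again.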
04-04-2022 08:48 AM
From @Sheraz.Salim and @MHM Cisco World,
I would like to summarize: the ASA can apply only 1 aaa-server group for aaa authentication.
04-04-2022 09:13 AM
You can have multiple aaa-servers in your firewall (ASA):
aaa-server Radius1 protocol radius
max-failed-attempts 5
aaa-server Radius1 (MGMT) host 172.x.x.x
timeout 60
key *****
authentication-port 1812
!
aaa-server Radius2 protocol radius
max-failed-attempts 5
aaa-server Radius2 (MGMT) host 172.x.x.x
timeout 60
key *****
authentication-port 1812
These aaa-servers are used for authentication purposes (AnyConnect authentication, remote access authentication, etc.).
Having said that, for aaa authentication you can only call one server group, not more than one; the CLI and ASDM won't allow it. If you try to add "aaa authentication http console Radius-2 LOCAL" it will give you the error "Range already exists." (assuming Radius-2 is defined as an aaa-server).
aaa authentication http console Radius-1 LOCAL
aaa authentication enable console Radius-1 LOCAL
aaa authentication serial console Radius-1 LOCAL
aaa authentication ssh console Radius-1 LOCAL
Conclusion: in your case you cannot add aaa authentication with both Radius1 and Radius2. Either Radius1 or Radius2 will work.
Hope it helps and clears up your understanding.