Can ASAv authenticate with more than one RADIUS server?

jewfcb001
Level 4
Level 4

Hi All,

I would like to know whether the ASAv can authenticate with more than one RADIUS server in a VPN tunnel.

In the configuration below, if I have 2 RADIUS groups on the ASAv and 2 tunnel-groups / group-policies, can I separate the RADIUS group depending on the tunnel-group or not?

Example configuration on the ASAv:

aaa-server ISE protocol radius
aaa-server ISE (INTERNAL) host 1.1.1.1
 key *****

aaa-server ISE-2 protocol radius
aaa-server ISE-2 (INTERNAL) host 2.2.2.2
 key *****

group-policy TEST attributes
 group-lock value TEST

tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 authentication-server-group ISE
 accounting-server-group ISE

group-policy TEST-2 attributes
 group-lock value TEST-2

tunnel-group TEST-2 type remote-access
tunnel-group TEST-2 general-attributes
 authentication-server-group ISE-2
 accounting-server-group ISE-2

 

Thank you.

2 Accepted Solutions

You have already shown us your configuration in your first post, right?

Now, for you to map them with RADIUS attribute 25, you need to make changes on the ISE1 and ISE2 appliances. Check out this link on ISE attribute configuration with VPN tunnels; it will put you in the right direction.

In order to separate the tunnel authentication, you have two ISE servers with different IP addresses, so when the traffic lands on the right tunnel-group it will force/push it to get authenticated by the server configured in your tunnel setup, i.e. ISE1 for tunnel1 and so on. However, in order to get this to work you also need to do configuration on the ISE appliances; I have pasted the link above, have a look at it and make changes accordingly. Have you configured ISE1 and ISE2 yet?

please do not forget to rate.


@jewfcb001 yes, you can have many tunnel-groups that use many RADIUS server groups.


16 Replies

I am not really sure what you want to achieve. I assume you want to use redundant RADIUS servers in your VPN config? That is possible:

aaa-server NPS-DE protocol radius
aaa-server NPS-DE (inside) host 10.10.10.1
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server NPS-DE (inside) host 10.10.10.2
 key *****
 authentication-port 1812
 accounting-port 1813

@Karsten Iwen

Thank you for the information, but I want to separate the RADIUS group per tunnel-group VPN. I'm not sure the ASAv can do what I require.

Sheraz.Salim
VIP Alumni
VIP Alumni

Yes, you can do that. You can also use the command on the CLI:

test aaa-server authentication ISE1 host x.x.x.x username teste password Password123
test aaa-server authentication ISE2 host x.x.x.x username teste password Password123

Is your ISE in personas mode? If that is the case, then if the primary Admin fails, the secondary Admin will become active by itself; you do not have to worry about it from the ASA point of view.

please do not forget to rate.

@Sheraz.Salim 

I would like to separate the RADIUS group by tunnel-group VPN. It's not a case of the admin ISE failing.

 

Hi @jewfcb001, if these RADIUS servers are on different subnets, as you show in your configuration, and they are not part of ISE personas, then in that case you can separate the authentication for each individual tunnel. This will work.

The reason it will work is that each tunnel will have the configuration of a different RADIUS server and point authentication to ISE1 or ISE2: whenever tunnel1 traffic comes in, it will move the (authentication) packet to ISE1, and tunnel2 will move the traffic to ISE2.

Now, if you want to configure the fallback method, you can also do that in the tunnel1 setting by putting the secondary authentication server IP address.

please do not forget to rate.

@Sheraz.Salim 

Thank you for the answer. I have a small question about authentication for each individual tunnel. In my scenario I currently use RADIUS attribute Class (25) to separate group-policies, but if I have 2 RADIUS groups, how does the ASAv separate the tunnels by RADIUS group?

"The reason it will work is that each tunnel will have the configuration of a different RADIUS server and point authentication to ISE1 or ISE2: whenever tunnel1 traffic comes in, it will move the (authentication) packet to ISE1, and tunnel2 will move the traffic to ISE2."

Ans: How do you separate them? Can you explain in more detail?

"Now, if you want to configure the fallback method, you can also do that in the tunnel1 setting by putting the secondary authentication server IP address."

Ans: No, I don't need the fallback method.


@Sheraz.Salim 

"Have you configured ISE1 and ISE2 yet?"

Yes, I have 2 ISE.

From your link I think it is similar to my scenario, but in my scenario I want more tunnel-groups / AAA groups.

Yes. In that case you can go ahead and configure it. You can do a multiple tunnel authentication setup, for example Tunnel1 for ISE1 and Tunnel2 for ISE2, etc.

please do not forget to rate.

@Sheraz.Salim 

 

Thank you so much for the information. I will try it.

balaji.bandi
Hall of Fame
Hall of Fame

I think it is possible:

https://www.petenetlive.com/KB/Article/0001474

BB


@balaji.bandi 

Thank you for the information. From your URL I think he uses 1 RADIUS group with more group-policies. In my scenario I use 1 RADIUS group and separate group-policies with RADIUS attribute Class (25), but I would like more RADIUS groups with more group-policies.

I'm not sure whether I have explained it clearly enough for you to understand.

 

BR,

You can have many groups of RADIUS servers, each with multiple members.

A given tunnel-group (also known as a connection profile) points to a given RADIUS server group. It will try the first server in the group and, as long as it responds, keep using it. If it fails for any reason, the ASA will try to authenticate against the second one (or any subsequent servers).
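The model described in this answer and in Karsten's earlier reply (one server group per tunnel-group, several hosts per group for failover) can be checked mechanically. The following Python script is an added example, not from this thread or from Cisco: it parses a constructed ASA-style config modelled on the poster's and flags any tunnel-group whose authentication- or accounting-server-group is undefined or has only one host.

```python
import re

# Constructed sample modelled on the poster's config: group ISE has a fallback host, ISE-2 has one host, TYPO is undefined.
SAMPLE_CONFIG = """\
aaa-server ISE protocol radius
aaa-server ISE (INTERNAL) host 1.1.1.1
 key *****
aaa-server ISE (INTERNAL) host 1.1.1.2
aaa-server ISE-2 protocol radius
aaa-server ISE-2 (INTERNAL) host 2.2.2.2
 key *****
tunnel-group TEST general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
tunnel-group TEST-2 general-attributes
 authentication-server-group ISE-2
 accounting-server-group TYPO
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
REF_RE = re.compile(r"^ (authentication|accounting)-server-group (\S+)")

def parse_asa(config):
    # Returns ({server-group tag: [hosts]}, {tunnel-group: {role: tag}})
    groups, refs, current_tg = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current_tg = None  # any new top-level command ends the tunnel-group section
        if m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), [])  # group declared; hosts may follow
        elif m := HOST_RE.match(line):
            groups.setdefault(m.group(1), []).append(m.group(3))
        elif m := TG_RE.match(line):
            current_tg = m.group(1)
        elif current_tg and (m := REF_RE.match(line)):
            refs.setdefault(current_tg, {})[m.group(1)] = m.group(2)
    return groups, refs

def audit(config):
    # One finding per tunnel-group reference that is undefined or has no fallback host
    groups, refs = parse_asa(config)
    findings = []
    for tg, roles in refs.items():
        for role, tag in roles.items():
            if tag not in groups:
                findings.append(f"{tg}: {role}-server-group {tag} is not defined")
            elif len(groups[tag]) < 2:
                findings.append(f"{tg}: {role} group {tag} has a single host (no fallback)")
    return findings
```

Run `audit()` on the output of `show running-config` to confirm each connection profile points at a server group that exists and has a fallback member.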

@Marvin Rhoads 

If I have more tunnel-groups, can I configure a RADIUS server per tunnel-group?

Example:

RADIUS server group 1 ---> map to tunnel-group 1

RADIUS server group 2 ---> map to tunnel-group 2

My goal is not related to RADIUS group redundancy.

 

Thank you.
