11-27-2018 11:52 AM - edited 02-21-2020 08:30 AM
Is it possible when dealing with anyconnect for the ASA to read in the domain suffix before a username and know which radius server to send it to in a radius server group? I know you can do this with different connection profiles but I am not trying to confuse the users.
11-27-2018 12:58 PM
The ideal way of doing this is with an ISE.
However, I think you can do this using LDAP. An ASA in single mode can support up to 100 LDAP servers.
11-27-2018 01:05 PM
11-27-2018 01:14 PM
So you want the ASA to send RADIUS requests on different ports? Any reason why?
Anyway, you can configure the authentication port under the radius server configuration:
aaa-server SVR1 protocol radius
aaa-server SVR1 (<interface>) host <radius-server-ip>
 authentication-port 1812
 accounting-port 1813
11-27-2018 01:19 PM
11-27-2018 01:26 PM
The issue is there are two forest level domains and currently ISE pulls in the username from anyconnect and looks at a radius attribute and then based on that sends it to the radius tokens on port 1812 or 18120.
11-27-2018 01:34 PM
I don't understand what your issue is. You are just saying that authentication requests are sent to separate servers based on user name domain. You are not saying what the problem is.
In the ISE you can join the ISE to one domain and then configure the other radius servers under External Radius Server then create a policy that uses that External Radius Server for authentication.
11-27-2018 01:45 PM
There's some history here, so let me try and lay that out.
Currently I have this flow of traffic:
User -> Internet -> ASA -> ISE -> Duo Proxy
User types domainA\username and the ASA passes that to ISE; ISE policy says if your username contains domainA then send the radius request to Duo Proxy on port 1812. If the user types domainB\username then send the radius request to Duo Proxy on port 18120. If Duo Proxy receives a request on port 1812 it does an AD lookup on the domainA domain controller; if it receives a request on port 18120 then it does an AD lookup on the domainB domain controller.
This setup causes all sorts of issues mainly with delay and timing issues. So now Duo has told me to redesign.
So now it will be:
User -> Internet -> ASA -> Duo Proxy -> ISE
So now the ASA can only send requests to the Duo Proxy on ONE port, because it doesn't know to send requests to different ports based on domainA\username or domainB\username. So when Duo Proxy receives a request on port 1812 it forwards that to ISE, and ISE policy says if you get something on port 1812 do a user lookup on the domainA domain controller. It will NEVER get any requests on any port other than 1812.
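The realm-based routing the thread is circling around (the ISE policy in the old design, or what a RADIUS proxy in front of ISE would have to do in the new one) is simple to state but worth seeing in code: take the username the ASA passes through, split off the domain part whether it arrives as domainA\username or username@domainA.example, look the realm up in a table, and forward to that realm's server and port. The following Python is an added illustration written for this thread; it is not code from the original posts, from Cisco, from ISE or from Duo. The host 10.0.0.10, the .example suffixes and the realm table are constructed assumptions; the 1812/18120 split is taken from the thread. Note that an unknown realm is refused rather than silently sent to the default directory, and that a malformed name (both delimiters at once, an empty realm or user) is rejected instead of being guessed at.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RadiusTarget:
    """Where a realm-aware proxy would forward the Access-Request."""
    host: str
    port: int
    label: str


# Constructed realm table (hypothetical host; the ports follow the thread's
# 1812 = domainA / 18120 = domainB split). Both the NetBIOS short name and the
# DNS suffix of each forest map to the same target.
DOMAIN_A = RadiusTarget("10.0.0.10", 1812, "domainA token/AD lookup")
DOMAIN_B = RadiusTarget("10.0.0.10", 18120, "domainB token/AD lookup")
REALM_TABLE = {
    "domaina": DOMAIN_A,
    "domaina.example": DOMAIN_A,
    "domainb": DOMAIN_B,
    "domainb.example": DOMAIN_B,
}
# Users who type a bare username land here (assumption: domainA is the "home" forest).
DEFAULT_TARGET = DOMAIN_A

# Exactly one delimiter, non-empty parts, no second delimiter hiding in either part.
_NETBIOS = re.compile(r"^([^\\@/]+)\\([^\\@/]+)$")   # domain\user
_UPN = re.compile(r"^([^\\@/]+)@([^\\@/]+)$")        # user@domain


def split_realm(username: str) -> Tuple[Optional[str], str]:
    """Return (realm, bare_user). Realm is lowercased for table lookup;
    the user part keeps its case. A name with no delimiter has realm None.
    Raises ValueError for malformed input such as 'a\\b@c' or '\\user'."""
    m = _NETBIOS.match(username)
    if m:
        return m.group(1).lower(), m.group(2)
    m = _UPN.match(username)
    if m:
        return m.group(2).lower(), m.group(1)
    if any(c in username for c in "\\@/") or not username:
        raise ValueError(f"malformed username {username!r}")
    return None, username


def route(username: str, strip_realm: bool = True) -> Tuple[RadiusTarget, str]:
    """Pick the forwarding target for a username.

    strip_realm controls whether the downstream server sees 'alice' or the
    original 'domainA\\alice' in User-Name; which one is right depends on what
    the downstream directory lookup expects."""
    realm, user = split_realm(username)
    if realm is None:
        return DEFAULT_TARGET, user
    target = REALM_TABLE.get(realm)
    if target is None:
        # Refuse rather than fall back: a typo or a foreign realm must not be
        # authenticated against whichever forest happens to be the default.
        raise ValueError(f"unknown realm {realm!r}: refusing to forward")
    return target, (user if strip_realm else username)


def would_forward(username: str) -> bool:
    """True if the proxy would forward this name anywhere at all."""
    try:
        route(username)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("domainA\\alice", "bob@DomainB.example", "carol", "other\\eve", "a\\b@c"):
        try:
            target, user = route(name)
            print(f"{name:22} -> {target.host}:{target.port} ({target.label}) as {user!r}")
        except ValueError as exc:
            print(f"{name:22} -> rejected: {exc}")
```

The interesting design choices are the two rejections: a realm not in the table and a name with mixed delimiters both fail closed. In a two-forest setup the cheap mistake is a default branch that quietly sends every unrecognised realm to one directory, which turns a typo into a lookup against the wrong forest.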
11-27-2018 01:56 PM
I really do not see the issue here. You can still send requests to different RADIUS servers based on the domain. Why are you so fixed on using different ports?
11-28-2018 06:29 AM