Showing results for 
Search instead for 
Did you mean: 

Multiple Domains, Multiple Radius Servers

Steven Williams

Is it possible when dealing with anyconnect for the ASA to read in the domain suffix before a username and know which radius server to send it to in a radius server group? I know you can do this with different connection profiles but I am not trying to confuse the users. 

9 Replies 9

Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor

The ideal way of doing this is with an ISE.

However, i think you can do this using LDAP.  An ASA in single mode can support up to 100 LDAP servers.

Please remember to select a correct answer and rate helpful posts

I have ISE but I also have the complexity of DUO proxy authentication servers. The issue is getting the ASA to send Radius requests on different ports.

So you want the ASA to send RADIUS requests on different ports?  any reason why?

Anyway, you can configure the authentication port under the radius server configuration:

aaa-server SVR1 protocol radius

  authentication-port 1812

  authorization-port 1813

Please remember to select a correct answer and rate helpful posts

sorry not here to hijack your post
aaa-server SVR1 protocol radius
aaa-server SVR1 (mgmt) host x.x.x.x
key cicso
authentication-port 1812
authorization-port 1813
please do not forget to rate.



The issue is there are two forest level domains and currently ISE pulls in the username from anyconnect and looks at a radius attribute and then based on that sends it to the radius tokens on port 1812 or 18120. 



I don't understand what your issue is.  You are just saying that authentication requests are sent to separate servers based on user name domain.  You are not saying what the problem is.

In the ISE you can join the ISE to one domain and then configure the other radius servers under External Radius Server then create a policy that uses that External Radius Server for authentication.

Please remember to select a correct answer and rate helpful posts

Theres some history here so let try and lay that out.


Currently I have this flow of traffic:


User -> Internet -> ASA -> ISE -> Duo Proxy


User types domainA\username and the ASA passes that to ISE, ISE Policy says if your username contains domainA the send radius request to Duo Proxy on port 1812. If user types domainB\username then send radius request to Duo Proxy on port 18120. If Duo Proxy receives request on port 1812 it does an AD lookup on DomainA domain controller, if it receives a request on port 18120 then it does an AD lookup on domainB domain controller. 


This setup causes all sorts of issues mainly with delay and timing issues. So now Duo has told me to redesign. 


So now it will be:


User -> Internet -> ASA -> Duo Proxy -> ISE 


So now the ASA can only send requests to the duo proxy on ONE port, because it doesn't know to send requests for different ports based on domainA\username or domainB\username. So when Duo Proxy receives request on port 1812 it forwards that to ISE and ISE policy says if you get something on Port 1812 do user lookup on domainA domain controller. It will NEVER get any requests on any other port then 1812. 



I really do not see the issue here.  You can still send requests to different RADIUS servers based on the domain. Why are you so fixed on using different ports?

Please remember to select a correct answer and rate helpful posts

From the ASA's standpoint I guess it doesn't care, I just build my ISE policy to make the choice based on domain suffix and use a identity sequence to achieve this.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers