Cisco ISR connecting to two AAA servers for authentication

jdesaul
Level 1

Hello,

Please see attached diagram.

In my network, there is a Cisco ISR that is co-managed by two different administrators. Each administrator's credentials are held on its own separate AAA server. 

Is there a way for the Cisco ISR to have an AAA authentication configuration to support this design? For example:

- when administrator #1 attempts an SSH session to the ISR, can the ISR validate his credentials to the AAA server "blue"?

- when administrator #2 attempts an SSH session to the ISR, can the ISR validate his credentials to the AAA server "red"?

I am not 100% sure if the Cisco ISR can support this and wanted to confirm - I have a feeling that as long as the first AAA server is functional and returning a response, the second AAA server will not be consulted for authentication.

Thank you,

Joel

1 Reply

balaji.bandi
Hall of Fame

Best approach: make two groups in one AAA (club the two AAA servers into one and make it active/standby) and add the users to the groups.

Other options:

The AAA server can send the request to the other AAA server, acting as a proxy. (This requires a bit of tweaking in the config and is more complicated than expected.)

BB
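
The failover behaviour raised in the question and the two remedies from the reply, as an added example that is not part of the original thread and is not Cisco code. It is a simplified model that assumes a server which answers (accept or reject) ends the search and only an unresponsive server triggers failover; the class, function names and credentials are constructed for illustration.

```python
# Simplified model (an assumption, not Cisco code) of a device walking an
# ordered list of AAA servers: any answer, accept or reject, is final;
# only a server that does not answer causes failover to the next one.
ACCEPT, REJECT, NO_RESPONSE = "ACCEPT", "REJECT", "NO_RESPONSE"

class AAAServer:
    def __init__(self, name, users, up=True, proxy_to=None):
        self.name = name
        self.users = users        # constructed sample credentials
        self.up = up
        self.proxy_to = proxy_to  # optional upstream server for unknown users

    def authenticate(self, user, password):
        if not self.up:
            return NO_RESPONSE
        if user in self.users:
            return ACCEPT if self.users[user] == password else REJECT
        if self.proxy_to is not None:
            upstream = self.proxy_to.authenticate(user, password)
            # An unreachable upstream still becomes a definite reject.
            return upstream if upstream != NO_RESPONSE else REJECT
        return REJECT

def device_login(servers, user, password):
    """Return (result, name of the server that answered)."""
    for server in servers:
        result = server.authenticate(user, password)
        if result != NO_RESPONSE:
            return result, server.name
    return REJECT, None  # nobody answered; this model has no local fallback

def scenarios():
    blue_users, red_users = {"admin1": "pw-blue"}, {"admin2": "pw-red"}
    blue, red = AAAServer("blue", blue_users), AAAServer("red", red_users)
    blue_down = AAAServer("blue", blue_users, up=False)
    merged = {**blue_users, **red_users}
    active = AAAServer("active", merged, up=False)
    standby = AAAServer("standby", merged)
    blue_proxy = AAAServer("blue", blue_users, proxy_to=red)
    return {
        "split, blue up": device_login([blue, red], "admin2", "pw-red"),
        "split, blue down": device_login([blue_down, red], "admin2", "pw-red"),
        "merged active/standby": device_login([active, standby], "admin2", "pw-red"),
        "blue proxies to red": device_login([blue_proxy], "admin2", "pw-red"),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

In the split design administrator #2 is rejected by "blue" whenever "blue" is up, and reaches "red" only when "blue" is down; the merged and proxy designs accept both administrators.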

 
