Radius service single point of failure (AD).

from88
Level 4

Hello,

Deployed RADIUS (M$ NPS) service on Cisco devices. The AAA configuration is the default, as usual: first check for RADIUS reachability, and then, if both RADIUS servers are unavailable, check the LOCAL db.

The main concern is what to do if the communication between RADIUS and AD (Active Directory) is down. In that case RADIUS is still reachable and sends connection rejects because it can't connect to AD.

Maybe you have some ideas how to be ready for that disaster? For example, in that worst-case scenario it'd be nice to have the possibility to disable the RADIUS service and then use LOCAL accounts on the devices. But we're thinking of a scenario where we couldn't turn off the RADIUS service. So maybe any advice?

One solution, on the devices where the RADIUS servers are connected, was to do LOCAL authentication first and then RADIUS, but on NX-OS devices this configuration is not possible.

The other nice thing would be that if NPS can't connect to AD, it would not send Access-REJECTs.


Thanks.


Francesco Molino
VIP Alumni
Hi

I guess you've already configured the authentication dead VLAN and RADIUS automated-tester on your switch.

Now on Cisco ISE, under the authentication rules, if you go to your identity source, you're going to see that if the process fails, the authentication is dropped.
That means if AD isn't answering back to ISE, ISE will drop the authentication and the switch will fall back to the dead VLAN due to no answer.

This is how the case of RADIUS up but AD down is managed.
Test it and you'll see how it works.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
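For readers wanting to see the fallback order the original post describes ("RADIUS first, then LOCAL if both servers are unavailable") together with the dead VLAN and automated tester Francesco refers to, here is an added configuration example in Cisco IOS / IOS-XE syntax. It is not from the thread or from either poster; server names, addresses, shared secret, probe username, local account and VLAN number are placeholders, and the syntax is IOS, not NX-OS (the thread notes NX-OS does not allow LOCAL before RADIUS). The comments state the behaviour that matters for the question: the `local` method is only consulted when every RADIUS server fails to answer, so an Access-Reject from a reachable NPS that cannot reach AD ends the method list without ever trying local accounts.

```cisco
! Added example (IOS / IOS-XE syntax), not configuration from the original thread.
! All names, addresses, secrets and VLAN numbers below are placeholders.
aaa new-model
!
radius server NPS1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
 ! Periodic probe so the switch marks the server dead/alive proactively
 automate-tester username radius-probe idle-time 5
!
radius server NPS2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
 automate-tester username radius-probe idle-time 5
!
aaa group server radius NPS
 server name NPS1
 server name NPS2
 ! Minutes a non-responding server is skipped before being retried
 deadtime 10
!
! Method lists are tried left to right. "local" is consulted ONLY when every
! server in the NPS group fails to answer (timeout / marked dead).
! An Access-Reject from NPS (NPS up but unable to reach AD) is a valid answer,
! so the list stops there and local accounts are never tried.
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
!
! Local break-glass account, reachable only while the RADIUS group is dead
username admin-local privilege 15 secret EXAMPLE-LOCAL-PASSWORD
!
! For 802.1X / MAB access ports: critical ("dead") VLAN when the RADIUS group
! is dead, and re-authentication once a server answers again
interface GigabitEthernet1/0/1
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
```

The practical consequence for the scenario in the question: stopping the NPS service on the servers (as the original poster describes doing) turns NPS replies into timeouts, which is what lets the switches reach the `local` method; as long as NPS stays up and answers with rejects, neither the `local` method nor the dead VLAN is triggered.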

Thank you, but I'm not using Cisco ISE.


Just a plain RADIUS configuration with two servers. We evaluate the scenario where AD is not reachable AND the RADIUS servers are unreachable only from the management office, but not from the devices themselves. It's very hard to imagine that happening, because if AD becomes unreachable, we connect to the physical RADIUS servers and stop the RADIUS service manually; after that we'd use local authentication on the devices. But in the worst (real) scenario, if AD is down AND the servers are unreachable from the management office, they would likely be unreachable from the devices themselves too.