AnyConnect with multiple radius servers (and DUO)

Scenario:  We've got a functioning AnyConnect setup, which also uses DUO for multi-factor authentication.  In the near future, I'll need to take down the RADIUS server that's currently being used for AnyConnect AD authentications.  My thought was to add a secondary RADIUS server to the AAA Server Group in the ASA, and have that secondary server continue to authenticate AnyConnect requests during the maintenance.  (It would be nice to just keep this secondary around, during Microsoft patching/reboots, etc.)

 

Creating the secondary NPS server and adding its IP address to the AAA Server group in the ASA was no problem.  From the built-in "Test" button in ASDM, that initial AD authentication appears to be working.  However, if I shut down the NPS service on the primary RADIUS server and attempt a new AnyConnect connection, DUO never pops.

 

I didn't originally configure DUO, but I can see it configured as an AAA Server Group in the ASA (in addition to the RADIUS server that does AD authentications.)  I guess I just don't fully understand the traffic "flow" for an incoming AnyConnect session, and what I need to do to get the DUO authentication to pop up, when using the secondary RADIUS server.

 

Thanks for any insight.

 

 

Accepted Solution

Cristian Matei
VIP Alumni

Hi,

 

    DUO should speak with the RADIUS/AD server. Here's the traffic flow:

 

https://duo.com/docs/cisco

 

Regards,

Cristian Matei.

6 Replies

Hi,
Does the ASA recognise the Primary RADIUS server is down? Use the command "show aaa-server protocol radius" once you've stopped the service and determine the Server Status.

Potentially the ASA may determine the server is actually still up; without testing I don't know off the top of my head how the ASA probes the RADIUS server.

For failover testing I usually define a null route therefore the ASA cannot establish connectivity.

HTH
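The checks suggested above, written out as an added example (not commands from the poster or the replier): this shows how to confirm which AAA server group the AnyConnect tunnel-group actually uses before reading the server status, since a group that the tunnel-group never references will never accumulate requests and its hosts will never be marked FAILED. Group names, the tunnel-group name, addresses and the test username are assumptions; the ASA commands and keywords themselves are standard ASA CLI.

```text
! Added example, not the poster's configuration. Group names, tunnel-group
! name and addresses are placeholders (assumptions).

! 1. Which AAA group does the AnyConnect tunnel-group authenticate against?
!    If it points at the Duo proxy group, the NPS group is idle: its
!    counters never move and its status never changes.
show running-config tunnel-group
!   tunnel-group ANYCONNECT-TG general-attributes
!    authentication-server-group DUO-RADIUS

show running-config aaa-server
!   aaa-server DUO-RADIUS protocol radius
!   aaa-server DUO-RADIUS (inside) host 10.0.0.5
!    key *****
!    timeout 60            ! Duo's ASA guide sets 60 s so the push has time to complete
!   aaa-server NPS-LEGACY protocol radius
!    max-failed-attempts 3 ! consecutive timed-out requests before a host is marked FAILED
!    reactivation-mode depletion deadtime 10
!   aaa-server NPS-LEGACY (inside) host 10.0.0.10
!   aaa-server NPS-LEGACY (inside) host 10.0.0.20

! 2. Per-host status and counters. A host only goes FAILED after the ASA
!    itself has sent it requests that timed out; the ASA does not send
!    keepalive probes to RADIUS servers on its own.
show aaa-server protocol radius

! 3. Send a request on demand to a named host in a named group. This
!    exercises the real ASA -> server path for exactly the host you choose.
test aaa-server authentication NPS-LEGACY host 10.0.0.20 username testuser password <password>
test aaa-server authentication DUO-RADIUS host 10.0.0.5 username testuser password <password>
```

Run step 1 first: if `authentication-server-group` names the Duo proxy group, stopping NPS or pulling its NIC will never change the status of the NPS group, and the failover you need to configure lives on the Duo proxy, not on the ASA.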

Thanks for the suggestion.  While the NPS service was down, I ran the "show aaa-server protocol radius" command, but the output is very strange.  It's showing almost zero authentication requests with the primary RADIUS server, with the last transaction occurring about a week ago.  I brought the NPS service back up, and the ASA is still showing the same output.  DUO is showing thousands of authentications, and lots of data.

 

However, if I review the logs on the RADIUS server itself, I can see a bunch of info related to AnyConnect sessions.  So I know the RADIUS server is being used by the ASA.  (Plus, if I stop the NPS service, AnyConnect can no longer establish a new VPN connection.)

 

Any further ideas on how to troubleshoot?

 

Thanks.

But when you stop the NPS service, does the ASA say the status is active/up or down? Stopping the NPS service doesn't mean the Windows server is down, therefore the ASA might still be sending the requests... hence why it never fails over to the secondary RADIUS server you defined.

As for the stats that could be a bug, what version of ASA do you run?

When I stop the NPS service, the ASA still reports the status as "ACTIVE."  When I disconnect the NIC on the RADIUS/NPS server, the ASA still reports the status as "ACTIVE."  So unfortunately that doesn't look like a good way to test.

 

I should also mention that you can move the RADIUS servers up/down in the AAA group, and putting the secondary server at the top of the list doesn't make a difference.

 

I have an ASA 5508, version 9.4(4)37

 

If there are any more ideas, please let me know.


Thank you Cristian for the link.  I didn't understand the traffic flow.  I thought that AnyConnect authentications were first hitting the primary RADIUS server.  So I was playing with the AAA server group related to that initial RADIUS server.

 

Turns out, that was a legacy configuration, before we deployed DUO.  The AnyConnect authentications go straight to the internal DUO server, which then communicates to the RADIUS server.  In summary, I didn't need to do ANYTHING on the ASA to get this working.

 

All I had to do was edit the authproxy.cfg file on the internal DUO server to include a secondary NPS/RADIUS server.  Also, the order of those RADIUS servers (in the authproxy.cfg file) is important.  I had to push the new RADIUS server to the top to get the DUO prompt to consistently pop on our phones.  I think the timeout settings from the ASA don't allow it to roll through all of the RADIUS servers.  So if you're planning on taking a RADIUS server down for maintenance for an extended time, I would suggest manually editing DUO's authproxy.cfg and putting the online/active RADIUS server at the very top.

 

Thanks again for the tips.
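The authproxy.cfg layout the final post describes, as an added example that is not the poster's file or Duo's own documentation: the ASA sends its RADIUS requests to the Duo Authentication Proxy's `[radius_server_auto]` listener, and the proxy's `[radius_client]` section carries the NPS servers, with `host` tried before `host_2`. All addresses, secrets, the integration key, secret key and API hostname are placeholders (assumptions); the `retries` and `retry_wait` values are also assumptions and should be checked against the Duo proxy reference for your version.

```ini
; Added example of a Duo Authentication Proxy config, not the poster's file.
; Every address, secret and key below is a placeholder (assumption).

[radius_client]
; Primary (AD password) authentication goes to these NPS servers.
; The proxy tries 'host' first and falls back to 'host_2' only after
; 'host' stops answering, so put the server that will stay online at 'host'
; before taking the other one down for maintenance.
host=10.0.0.20             ; new NPS server (stays up)
host_2=10.0.0.10           ; legacy NPS server (being taken down)
secret=RADIUS_SECRET_SHARED_WITH_NPS
; Assumed values: keep the fallback short enough that
; retries * retry_wait on a dead 'host' still fits inside the ASA's
; aaa-server timeout (Duo's ASA guide sets that timeout to 60 s).
retries=2
retry_wait=2

[radius_server_auto]
; Listener the ASA talks to. The ASA's AAA server group points at the
; proxy's IP on this port, NOT at NPS, which is why changing the legacy
; NPS group on the ASA had no effect.
ikey=DIXXXXXXXXXXXXXXXXXXXX
skey=duo_secret_key_from_the_duo_admin_panel
api_host=api-XXXXXXXX.duosecurity.com
client=radius_client       ; hand the password to the [radius_client] section above
radius_ip_1=10.0.0.1       ; ASA inside interface that sources the requests
radius_secret_1=RADIUS_SECRET_SHARED_WITH_ASA
port=1812
failmode=safe              ; 'safe' lets logins through if Duo cloud is unreachable
```

Restart the Duo Authentication Proxy service after editing the file. The failover here is sequential, not parallel: with the dead server listed first the proxy burns its retries on it before trying the next host, and if that exceeds the ASA's RADIUS timeout the ASA gives up before the push is ever sent, which matches the behaviour the poster saw until the live server was moved to the top.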