Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2664
Views
0
Helpful
6
Replies

AnyConnect with multiple radius servers (and DUO)

Go to solution
christopher.wilson
Level 1
Level 1

‎02-25-2020 01:05 PM

Scenario:  We've got a functioning AnyConnect setup, which also uses DUO for multi-factor authentication.  In the near future, I'll need to take down the RADIUS server that's currently being used for AnyConnect AD authentications.  My thought was to add a secondary RADIUS server to the AAA Server Group in the ASA, and have that secondary server continue to authenticate AnyConnect requests during the maintenance.  (It would be nice to just keep this secondary around, during Microsoft patching/reboots, etc.)

 

Creating the secondary NPS server and adding it's IP address to the AAA Server group in the ASA was no problem.  From the built-in "Test" button in ASDM, that initial AD authentication appears to be working.  However, if I shut down the NPS service on the primary RADIUS server, and attempt a new AnyConnect connection, DUO never pops.

 

I didn't originally configure DUO, but I can see it configured as an AAA Server Group in the ASA (in addition to the RADIUS server that does AD authentications.)  I guess I just don't fully understand the traffic "flow" for an incoming AnyConnect session, and what I need to do to get the DUO authentication to pop up, when using the secondary RADIUS server.

 

Thanks for any insight.

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎02-26-2020 11:34 AM

Hi,

 

    DUO should speak with the RADIUS/AD server. Here's the traffic flow:

 

https://duo.com/docs/cisco

 

Regards,

Cristian Matei.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎02-25-2020 01:21 PM

Hi,
Does the ASA recognise the Primary RADIUS server is down? Use the command "show aaa-server protocol radius" once you've stopped the service and determine the Server Status.

Potentially the ASA may determine the ASA is actually still up, without testing I don't know of the top of my head how the ASA probes the RADIUS server.

For failover testing I usually define a null route therefore the ASA cannot establish connectivity.

HTH
0 Helpful

Go to solution
christopher.wilson
Level 1
Level 1
In response to Rob Ingram

‎02-25-2020 02:39 PM

Thanks for the suggestion.  While the NPS service was down, I ran the "show aaa-server protocol radius" command, but the output is very strange.  It's showing almost zero authentication requests with the primary RADIUS server, with the last transaction occurring about a week ago.  I brought the NPS service back up, and the ASA is still showing the same output.  DUO is showing thousands of authentications, and lots of data.

 

However, if I review the logs on the RADIUS server itself, I can see a bunch of info related to AnyConnect sessions.  So I know the RADIUS server is being used by the ASA.  (Plus, if I stop the NPS service, AnyConnect no longer can establish a new VPN connection.)

 

Any further ideas on how to troubleshoot?

 

Thanks.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to christopher.wilson

‎02-25-2020 02:46 PM

but when you stop the NPS service does the ASA say the status is active/up or down? Stopping the NPS services doesn't mean the Windows server is down, therefore the ASA might still be sending the requests....hence why it never fails over to the secondary RADIUS server you defined.

As for the stats that could be a bug, what version of ASA do you run?
0 Helpful

Go to solution
christopher.wilson
Level 1
Level 1
In response to Rob Ingram

‎02-26-2020 06:12 AM

When I stop the NPS service, the ASA still reports the status as "ACTIVE."  When I disconnect the NIC on the RADIUS/NPS server, the ASA still reports the status as "ACTIVE."  So unfortunately that doesn't look like a good way to test.

 

I should also mention that you can move the RADIUS servers up/down in the AAA group, and putting the secondary server at the top of the list doesn't make a difference.

 

I have an ASA 5508, version 9.4(4)37

 

If there are any more ideas, please let me know.

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎02-26-2020 11:34 AM

Hi,

 

    DUO should speak with the RADIUS/AD server. Here's the traffic flow:

 

https://duo.com/docs/cisco

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
christopher.wilson
Level 1
Level 1
In response to Cristian Matei

‎03-05-2020 01:45 PM

Thank you Cristian for the link.  I didn't understand the traffic flow.  I thought that AnyConnect authentications were first hitting the primary RADIUS server.  So I was playing with the AAA server group related to that initial RADIUS server.

 

Turns out, that was a legacy configuration, before we deployed DUO.  The AnyConnect authentications go straight to the internal DUO server, which then communicates to the RADIUS server.  In summary, I didn't need to do ANYTHING on the ASA to get this working.

 

All I had to do was edit the authproxy.cfg file on the internal DUO server, to include a secondary NPS/RADIUS server.  Also, the order of those RADIUS servers (in the authproxy.cfg file) is important.  I had to push the new RADIUS server to the top, to get the DUO prompt to consistently pop on our phones.  I think the timeout settings from the ASA doesn't allow for it to roll through all of the RADIUS servers.  So if you're planning on taking a RADIUS server down for maintenance for an extended time, I would suggest manually editing the DUO's authproxy.cfg and put the online/active RADIUS server at the very top.

 

Thanks again for the tips.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents