Scenario: We've got a functioning AnyConnect setup, which also uses DUO for multi-factor authentication. In the near future, I'll need to take down the RADIUS server that's currently being used for AnyConnect AD authentications. My thought was to add a secondary RADIUS server to the AAA Server Group in the ASA, and have that secondary server continue to authenticate AnyConnect requests during the maintenance. (It would be nice to just keep this secondary around, during Microsoft patching/reboots, etc.)
Creating the secondary NPS server and adding its IP address to the AAA Server group in the ASA was no problem. From the built-in "Test" button in ASDM, that initial AD authentication appears to be working. However, if I shut down the NPS service on the primary RADIUS server and attempt a new AnyConnect connection, DUO never pops.
I didn't originally configure DUO, but I can see it configured as an AAA Server Group in the ASA (in addition to the RADIUS server that does AD authentications.) I guess I just don't fully understand the traffic "flow" for an incoming AnyConnect session, and what I need to do to get the DUO authentication to pop up, when using the secondary RADIUS server.
Thanks for any insight.
Thanks for the suggestion. While the NPS service was down, I ran the "show aaa-server protocol radius" command, but the output is very strange. It's showing almost zero authentication requests with the primary RADIUS server, with the last transaction occurring about a week ago. I brought the NPS service back up, and the ASA is still showing the same output. DUO is showing thousands of authentications, and lots of data.
However, if I review the logs on the RADIUS server itself, I can see a bunch of info related to AnyConnect sessions. So I know the RADIUS server is being used by the ASA. (Plus, if I stop the NPS service, AnyConnect no longer can establish a new VPN connection.)
Any further ideas on how to troubleshoot?
When I stop the NPS service, the ASA still reports the status as "ACTIVE." When I disconnect the NIC on the RADIUS/NPS server, the ASA still reports the status as "ACTIVE." So unfortunately that doesn't look like a good way to test.
I should also mention that you can move the RADIUS servers up/down in the AAA group, and putting the secondary server at the top of the list doesn't make a difference.
I have an ASA 5508, version 9.4(4)37
If there are any more ideas, please let me know.
Thank you, Cristian, for the link. I didn't understand the traffic flow. I thought that AnyConnect authentications were first hitting the primary RADIUS server, so I was playing with the AAA server group related to that initial RADIUS server.
Turns out, that was a legacy configuration, before we deployed DUO. The AnyConnect authentications go straight to the internal DUO server, which then communicates to the RADIUS server. In summary, I didn't need to do ANYTHING on the ASA to get this working.
All I had to do was edit the authproxy.cfg file on the internal DUO server to include a secondary NPS/RADIUS server. Also, the order of those RADIUS servers (in the authproxy.cfg file) is important. I had to push the new RADIUS server to the top to get the DUO prompt to consistently pop on our phones. I think the timeout settings on the ASA don't allow it to roll through all of the RADIUS servers. So if you're planning on taking a RADIUS server down for maintenance for an extended time, I would suggest manually editing the DUO authproxy.cfg and putting the online/active RADIUS server at the very top.
Thanks again for the tips.
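As an added illustration of the fix described in the thread (this is a constructed example, not the poster's file or Duo's documentation), an authproxy.cfg fragment for the Duo Authentication Proxy with two NPS/RADIUS servers, where the server that is actually online is listed first. All addresses, hostnames, keys and secrets are placeholders.

```ini
; Constructed example authproxy.cfg for the Duo Authentication Proxy.
; Flow: ASA -> [radius_server_auto] on the proxy -> primary factor against NPS
; via [radius_client] -> Duo push -> Accept/Reject back to the ASA.

[radius_client]
; host is tried FIRST. During NPS maintenance this must be the server that is
; online; otherwise the ASA's RADIUS timeout can expire before the proxy fails
; over to host_2 and the Duo prompt never appears.
; 10.0.0.12 = secondary NPS (placeholder), moved to the top for the outage
host=10.0.0.12
; 10.0.0.11 = primary NPS (placeholder), down for maintenance
host_2=10.0.0.11
secret=RADIUS_SHARED_SECRET_PLACEHOLDER
port=1812
port_2=1812

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
; Forward primary authentication to the [radius_client] section above
client=radius_client
; The ASA's inside address and the shared secret configured in its AAA group
radius_ip_1=10.0.0.1
radius_secret_1=ASA_SHARED_SECRET_PLACEHOLDER
; "safe" lets logins succeed without MFA if Duo's cloud is unreachable;
; "secure" rejects them. Choose deliberately; the thread does not state which.
failmode=safe
port=1812
```

After changing the order, restart the Duo Authentication Proxy service so the new configuration is read, and check the proxy's log and the ASA's AAA server group timeout for the Duo group (ASDM "Server Timeout") to confirm it is long enough for a user to answer the push.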