Cisco ASA Cluster and Radius auth using L2L tunnel
01-27-2016 06:52 AM
Hello.
I have a remote site connected using an L2L tunnel to the HQ office. Each side has two ASAs in Active/Standby. The Radius server is located in the HQ office.
I establish the tunnel using the Active ASA's public IP. When I try to log in to the Active ASA, I'm able to log in using Radius credentials. But when I try to log in to the standby ASA, it marks the Radius server as failed and proceeds with local credentials.
What is the recommended solution in that case?
1. Establish one more tunnel HQ<==>StandbyASA for Auth only.
2. Disable access to the standby ASA.
3. Make the Radius server accessible from a public IP.
4. Anything else?
Best,
Victor
Labels: Remote Access
01-27-2016 07:08 AM
(1) won't work because it is in standby mode.
(2) if that is acceptable. What about configuring fallback authentication to local mode for when RADIUS is not reachable?
(3) yes, that will work.
Does the remote site have a layer 3 switch? If so, you could create a new routed subnet and put another ASA interface into it (let's call the interface RADIUS). Then create a static route on the ASA to the RADIUS server via the RADIUS interface and the L3 switch, which would route it back via the active ASA and its VPN.
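The routed-subnet workaround described in this reply, written out as an added ASA configuration example (not from the original post or from Cisco documentation). Interface names, the standby unit's address, the L3 switch gateway and the RADIUS server address are assumed values from RFC 5737 documentation ranges; the crypto map name and shared key are placeholders.

```cisco
! Dedicated routed subnet shared with the L3 switch (assumed addressing).
! The standby unit sources its own AAA traffic from the standby address,
! so the RADIUS server must accept both 192.0.2.1 and 192.0.2.2 as clients.
interface GigabitEthernet0/3
 nameif RADIUS
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Host route for the HQ RADIUS server (assumed 198.51.100.10) pointing at
! the L3 switch (assumed 192.0.2.254), not at the tunnel. The switch must
! route 198.51.100.10 back to the active ASA's inside interface.
route RADIUS 198.51.100.10 255.255.255.255 192.0.2.254 1
!
! The RADIUS subnet must be interesting traffic for the existing L2L tunnel
! on the active unit, otherwise the switch-forwarded packets are dropped.
! Replace L2L-HQ-ACL with the crypto ACL already used by the tunnel.
access-list L2L-HQ-ACL extended permit ip 192.0.2.0 255.255.255.0 host 198.51.100.10
!
! Bind the AAA server group to the new interface so both units reach it the same way.
aaa-server HQ-RADIUS protocol radius
aaa-server HQ-RADIUS (RADIUS) host 198.51.100.10
 key <SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 accounting-port 1813
!
! RADIUS first, LOCAL as fallback only when the server group is unreachable.
aaa authentication ssh console HQ-RADIUS LOCAL
aaa authentication http console HQ-RADIUS LOCAL
```

Verify from the standby unit with `show aaa-server HQ-RADIUS` after a login attempt: the host should show as ACTIVE rather than FAILED, and `show crypto ipsec sa` on the active unit should count packets for the 192.0.2.0/24 to 198.51.100.10 flow.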
01-27-2016 07:18 AM
1. No tunnels can be established to the standby ASA? From what I know, I need to treat active/standby as separate devices when it comes to authentication.
2. Well, they are both configured for radius first and local second. The problem is that radius works for the active one only.
There's a router behind the ASAs, but it's outside of my scope. I will try to set the route that way. Depending on the router settings, this might work.
01-27-2016 07:20 AM
(1) Correct.
