Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
434
Views
0
Helpful
3
Replies

**** REMOTE ACCESS VPN WITH RSA AUTH MANAGER***

Jean Paul Enerst
Level 3
Level 3

‎10-16-2013 10:02 AM - edited ‎02-21-2020 07:14 PM

Hi all,

            I am currently working on this project to migrate our current working RSA Auth Manager server from our Branch to the DC. Since the current RSA server is quite old,  i have decided to build a new one with 8.0 Manager. The new server has been configured, and new token has been uploaded to it as well. Now it's time to tight new server with the ASA VPN tunnel. My goal is to tight the new server with the tunnel without disrupting traffic with the old server(I don't know a few settings for the old server usch as radius password;therefore, if i take the risk of delete or make any change, i may not be able to get it to work). I know the commands to type, but my question is since the old server will be at the top, how would i go to send authentication request to the second server on the list, in this case my newly added RSA server?

I also would like to keep the old server running while i am testing 8.0 server. Would like to keep the old server for up to 3 months;therefore, would like to have both servers authenticate clients..

That's the challenge that i am facing,

Thank you all for the help,

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-17-2013 12:44 AM

Jean Paul,

If the RADIUS key is in the config you can still get it out... from proviliged exec:

 more system:running-config

If you want to go to the next server on the list, you can use aaa-server priviliged exec command to switch the server on and off. 

 aaa-server TEST fail host 1.2.3.4

However please be aware of the re-activation mode you have (timed or depletion) it looks like you might need to use "depletion" mode in your case.

HTH,

M.

0 Helpful

Jean Paul Enerst
Level 3
Level 3
In response to Marcin Latosiewicz

‎10-28-2013 04:30 PM

Thanks Marcin.

I have infact get the key from the config for the current RSA MA server, but i am still reluctant to just remove the server since i am still testing. Therefore, i don't want to touch that server till i am 100% certain the new one is configured and runninf properly.

As per priority, i have tried the fail/active command in the ASA.

i have issued:

     aaa-server rsa fail host 192.168.xx.x1

     aaa-server rsa2 active host 192.16x.xx.x2

But since rsa(192.168.3.41) is that the top of the list,when i tried(test) to authenticate, it becomes active on his own. The packets never made it to rsa2!!

Any other ideas??

Thanks,

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Jean Paul Enerst

‎10-29-2013 01:37 AM

As I said, you need to check the ractivation method (depletion or timed).

Also In your case the servers are in different group (rsa and rsa2) so they do not form a logical list.

0 Helpful
Customers Also Viewed These Support Documents