Setup Radius Servers in Active/Passive Mode

dianewalker
Level 1

We set up two ASAs with load balancing (Active/Active).  We also set up two Radius servers with load balancing.  Right now, the Radius servers are set up Active/Active.  Is there a way to set up the Radius servers Active/Passive?

aaa-server Radius protocol radius
aaa-server Radius (Inside) host XXX.XXX.XXX.XXX
timeout 300
key *****
radius-common-pw *****


aaa-server Radius (Inside) host XXX.XXX.XXX.XXX
timeout 300
key *****
radius-common-pw *****

aaa accounting enable console Radius

Thanks.

Diane

Accepted Solution

Diane,

Well, I'm still not 100% sure I understand what is happening exactly. Normally, on a single ASA, authentication is always done to the same radius server until it fails (i.e. active/passive, as you call it).

Now, you mention you have 2 ASAs in load balancing, so I'm not sure if you mean that:

1) 2 users that connect to the same ASA get authenticated by 2 different radius servers (should never happen)

or

2) when 2 users connect to the cluster, user1 gets redirected to ASA1 and authenticated on Radius1 while user2 gets redirected to ASA2 which uses Radius2 for auth. This could be normal if both ASAs are configured differently (radius servers defined in different order) or if one ASA had a problem connecting to Radius1 at some time and so considered it out of service.

In any case, "sh aaa-server protocol radius" and "debug radius all" may help to determine why a particular asa is not using the primary (first configured) radius server.

hth

Herbert

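To make the two cases in Herbert's answer concrete, here is a small Python model of the behaviour he describes: on one ASA the first configured server is used for every request until that ASA has marked it out of service, and in a two-ASA VPN load-balancing cluster the servers only appear to alternate when the ASAs list them in a different order. This is an added illustration, not Cisco code and not from the thread; the server names Radius1/Radius2, the round-robin redirection between ASAs and the three-failure threshold are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RadiusServer:
    name: str
    reachable: bool = True   # whether the server answers at all right now


@dataclass
class Asa:
    """One ASA with an ordered aaa-server group.

    `servers` is the order in which the hosts appear in the group; the first
    entry is the primary and is tried first for every request.  A host is
    only skipped once this ASA has counted enough consecutive failures to
    mark it FAILED (threshold assumed here; it is not taken from the thread).
    """
    name: str
    servers: List[RadiusServer]
    max_failed_attempts: int = 3
    failures: Dict[str, int] = field(default_factory=dict)
    failed: Set[str] = field(default_factory=set)

    def authenticate(self, user: str) -> Optional[str]:
        """Return the name of the server that answered for `user`, or None."""
        for srv in self.servers:
            if srv.name in self.failed:
                continue            # out of service on this ASA: fall through
            if srv.reachable:
                self.failures[srv.name] = 0
                return srv.name
            # Unreachable: count the miss, mark FAILED at the threshold, and
            # fall through to the next configured host for this request.
            self.failures[srv.name] = self.failures.get(srv.name, 0) + 1
            if self.failures[srv.name] >= self.max_failed_attempts:
                self.failed.add(srv.name)
        return None

    def primary_in_use(self) -> Optional[str]:
        """First configured host this ASA has not marked FAILED."""
        for srv in self.servers:
            if srv.name not in self.failed:
                return srv.name
        return None


def cluster_logins(asas: List[Asa], users: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Model of VPN load balancing: each new session is redirected to the
    next ASA in round-robin order (an assumption for this model)."""
    out = []
    for i, user in enumerate(users):
        asa = asas[i % len(asas)]
        out.append((user, asa.name, asa.authenticate(user)))
    return out


def same_primary(asas: List[Asa]) -> bool:
    """The check behind the advice in the answer: every ASA in the cluster
    should currently be using the same first-configured, non-failed server."""
    return len({asa.primary_in_use() for asa in asas}) == 1


def build_cluster(asa2_order_reversed: bool, radius1_reachable: bool = True) -> List[Asa]:
    """Constructed two-ASA cluster sharing two RADIUS servers."""
    r1 = RadiusServer("Radius1", reachable=radius1_reachable)
    r2 = RadiusServer("Radius2")
    asa1 = Asa("ASA1", [r1, r2])
    asa2 = Asa("ASA2", [r2, r1] if asa2_order_reversed else [r1, r2])
    return [asa1, asa2]


if __name__ == "__main__":
    users = [f"user{i}" for i in range(1, 5)]
    # Same order on both ASAs: every login lands on Radius1.
    print(cluster_logins(build_cluster(False), users))
    # ASA2 lists Radius2 first: logins alternate, the pattern described above.
    print(cluster_logins(build_cluster(True), users))
    # Radius1 down: each ASA marks it FAILED after three misses and uses Radius2.
    print(cluster_logins(build_cluster(False, radius1_reachable=False), users * 2))
```

Running the three scenarios side by side shows that an alternating pattern across logins is a sign the two ASAs disagree on their primary, not a sign that one ASA is round-robining; `same_primary` is the question to ask of the `sh aaa-server protocol radius` output on each box.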

3 Replies

Herbert Baerten
Cisco Employee

Hi Diane,

I'm not sure if I understand the question, could you please clarify/rephrase?

tnx

Herbert

Thanks Herbert.

We have two Radius servers.  Currently, they are set up as Active/Active.  So, the first user logs in to the Cisco VPN client and is authenticated to Radius server1.  The next user logs in to the Cisco VPN client and is authenticated to Radius server2.  The third user logs in to the Cisco VPN client and is authenticated to Radius server1.  The fourth user logs in to the Cisco VPN client and is authenticated to Radius server2, and so on.

What I want to set up is Active/Passive for the Radius servers.  Radius server1 is active and Radius server2 is passive.  When Radius server1 is available, everyone is authenticated to it.  When Radius server1 is not available, Radius server2 becomes Active.  So, all the users logging in to the Cisco VPN client will always authenticate to Radius server1.

Please let me know if it is still not clear.

Thanks.

Diane
