05-12-2011 12:40 PM
We set up two ASAs with load balancing (Active/Active). We also set up two Radius servers with load balancing. Right now, the Radius servers are set up as Active/Active. Is there a way to set up the Radius servers as Active/Passive?
aaa-server Radius protocol radius
aaa-server Radius (Inside) host XXX.XXX.XXX.XXX
 timeout 300
 key *****
 radius-common-pw *****
aaa-server Radius (Inside) host XXX.XXX.XXX.XXX
 timeout 300
 key *****
 radius-common-pw *****
aaa accounting enable console Radius
Thanks.
Diane
05-18-2011 01:32 PM
Diane,
Well, I'm still not 100% sure I understand what is happening exactly. Normally, on a single ASA, authentication is always done to the same radius server until it fails (i.e. active/passive, as you call it).
Now, you mention you have 2 ASAs in load balancing, so I'm not sure if you mean that:
1) 2 users that connect to the same ASA, get authenticated by 2 different radius servers (should never happen)
or
2) when 2 users connect to the cluster, user1 gets redirected to ASA1 and authenticated on Radius1 while user2 gets redirected to ASA2 which uses Radius2 for auth. This could be normal if both ASAs are configured differently (radius servers defined in different order) or if one ASA had a problem connecting to Radius1 at some time and so considered it out of service.
In any case, "sh aaa-server protocol radius" and "debug radius all" may help to determine why a particular asa is not using the primary (first configured) radius server.
hth
Herbert
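To make Herbert's two scenarios concrete, here is an added Python model (written for this thread, not the ASA's own code and not something posted by either participant) of how one aaa-server group picks a server: the first configured server answers every request until the ASA marks it failed, and two load-balanced ASAs with the servers listed in opposite order produce exactly the alternation Diane describes. The failure threshold of three unanswered requests and the absence of any reactivation are assumptions of the model, not documented ASA behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    reachable: bool = True   # constructed input: does the server answer at all?
    failed: bool = False     # ASA-side state: server marked out of service


@dataclass
class AaaServerGroup:
    """One ASA's aaa-server group. Servers are tried in configured order;
    the first one handles every request until the ASA marks it failed."""
    servers: list
    max_failed_attempts: int = 3   # assumption: unanswered requests before marking failed
    strikes: dict = field(default_factory=dict)

    def authenticate(self, user: str):
        """Return the name of the server that answered, or None if all are failed."""
        for srv in self.servers:
            if srv.failed:
                continue                       # out of service: skip without trying
            if srv.reachable:
                self.strikes[srv.name] = 0     # a good answer clears the strike count
                return srv.name
            # request timed out: count it, fall through to the next server, and
            # mark this one failed once the threshold is reached (no reactivation modelled)
            self.strikes[srv.name] = self.strikes.get(srv.name, 0) + 1
            if self.strikes[srv.name] >= self.max_failed_attempts:
                srv.failed = True
        return None


def cluster_demo():
    """Herbert's scenario 2: two ASAs with the servers listed in opposite order."""
    r1, r2 = RadiusServer("Radius1"), RadiusServer("Radius2")
    asa1 = AaaServerGroup([r1, r2])
    asa2 = AaaServerGroup([r2, r1])            # same servers, misordered
    # the cluster hands alternate users to alternate ASAs
    return [(asa1 if i % 2 == 0 else asa2).authenticate(f"user{i}") for i in range(4)]


def failover_demo():
    """Single ASA: Radius1 stops answering, traffic moves to Radius2 and stays there."""
    r1, r2 = RadiusServer("Radius1"), RadiusServer("Radius2")
    asa = AaaServerGroup([r1, r2])
    before = asa.authenticate("user1")                            # Radius1
    r1.reachable = False
    during = [asa.authenticate(f"user{i}") for i in range(2, 6)]  # all Radius2
    r1.reachable = True                                           # recovers, but stays marked failed
    after = asa.authenticate("user6")                             # still Radius2
    return before, during, after, r1.failed
```

In the first scenario each ASA on its own is strictly active/passive, yet the cluster as a whole looks round-robin; "sh aaa-server protocol radius" on each unit is the quickest way to tell that case apart from a unit that has marked Radius1 failed.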
05-18-2011 07:55 AM
Hi Diane,
I'm not sure if I understand the question, could you please clarify/rephrase?
tnx
Herbert
05-18-2011 11:25 AM
Thanks Herbert.
We have two Radius servers. Currently, they are set up as Active/Active. So, the first user logs in to the Cisco VPN client and is authenticated to Radius server1. The next user logs in to the Cisco VPN client and is authenticated to Radius server2. The third user logs in to the Cisco VPN client and is authenticated to Radius server1. The fourth user logs in to the Cisco VPN client and is authenticated to Radius server2, and so on.
What I want to set up is Active/Passive for the Radius servers. Radius server1 is active and Radius server2 is passive. When Radius server1 is available, everyone is authenticated to it. When Radius server1 is not available, Radius server2 becomes active. So, all the users who log in to the Cisco VPN client will always authenticate to Radius server1.
Please let me know if it is still not clear.
Thanks.
Diane