Setup secondary AAA server for radius VPN authentication

Travis-Fleming, Level 1

Hey guys, below is the config I'm using to set up Duo with my VPN AnyConnect for an internal proxy server. It works great. However, is there a way to add a secondary AAA server in case 172.16.1.160 went offline? This is on a Cisco ASA 5525 iOS 9.8.4.35. I just added another aaa-server on the inside interface, but when the 172.16.1.160 was down, it just failed out.

 

aaa-server DuoRadius protocol radius
aaa-server DuoRadius (inside) host 172.16.1.160
 timeout 60
 key XXXX
 authentication-port 1812
 no mschapv2-capable
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_Users
 authentication-server-group DuoRadius

1 Accepted Solution

Hi @Travis-Fleming

You should just have to add another radius server in the same radius group.

Is the new duo proxy server setup correctly to authenticate users from the ASA?

Does the duo auth proxy even receive the authentication request?

Have you run a test from the CLI to confirm the authentication requests are sent?

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98594-configure-radius-authentication.html

 

You can use the test command on the command line in order to test your AAA setup. A test request is sent to the AAA server, and the result appears on the command line.

 

ciscoasa#test aaa-server authentication RAD_SVR_GRP host 192.168.1.2 username kate password cisco123
INFO: Attempting Authentication test to IP address <192.168.1.2> (timeout: 12 seconds)
INFO: Authentication Successful

 


3 Replies


Yeah, the proxy servers both successfully authenticate me if I designate them individually within the group. I tried adding another line for:

"aaa-server DuoRadius (inside) host 172.16.1.161" and the items that went below it, but when the .160 was down (when I took it offline), it failed to pass along the request according to the logs on the ASA. Or is there a different way? The config I had was below. When I took .160 offline, the ASA logs showed me it never tried to send to .161.

 

aaa-server DuoRadius protocol radius
aaa-server DuoRadius (inside) host 172.16.1.160
 timeout 60
 key XXXX
 authentication-port 1812
 no mschapv2-capable
!
aaa-server DuoRadius (inside) host 172.16.1.161
 timeout 60
 key XXXX
 authentication-port 1812
 no mschapv2-capable
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_Users
 authentication-server-group DuoRadius

 

I lied, it worked to do that, but I had to be patient. It took it a good 20-30 seconds before it used the other AAA server. The commands I have placed in my previous response are what I have. Thanks Rob.
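As an added illustration (not the poster's running config and not taken from the Cisco document linked above), here are the group-level and per-host knobs on the ASA that decide how long a request waits on one RADIUS host, when that host is marked FAILED, and when it is tried again; the values are assumptions to tune for your own environment, and the resulting state can be checked with show aaa-server.

```cisco
! Added example, not the original poster's config.
! Group level: how many unanswered requests mark a host FAILED and how
! a FAILED host is brought back into rotation.
aaa-server DuoRadius protocol radius
 max-failed-attempts 3
 reactivation-mode timed
!
! Per host: timeout is the longest a single request waits for a reply
! (kept long because a Duo push needs the user to approve it);
! retry-interval is the gap between retransmits to the same host.
aaa-server DuoRadius (inside) host 172.16.1.160
 timeout 60
 retry-interval 10
 key XXXX
 authentication-port 1812
 no mschapv2-capable
aaa-server DuoRadius (inside) host 172.16.1.161
 timeout 60
 retry-interval 10
 key XXXX
 authentication-port 1812
 no mschapv2-capable
!
! Verification, run from enable mode (output shows each host as ACTIVE or FAILED):
!   show aaa-server DuoRadius
!   test aaa-server authentication DuoRadius host 172.16.1.161 username <user> password <password>
```

The delay before the ASA moves to the second host is governed by these timers, so a long per-host timeout chosen for Duo push approval is also the floor on how long a VPN login waits when the first proxy is down.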