
Should I do that?

Vitor Stefaneli
Level 1

I was wondering if I will not compromise the users' VPN sessions (AnyConnect), that is, close their connections, if I change some Server Group (RADIUS) parameters on the ASA:

ciscoasa(config)# aaa-server AuthOutbound protocol radius

ciscoasa(config-aaa-server-group)# max-failed-attempts 5

ciscoasa(config-aaa-server-group)# reactivation-mode depletion deadtime 2

 

I have no time to test that in a lab environment and need to change the timeout!! oO

Help!

 

Complete description of the parameters (from the config guide):

Step 3

max-failed-attempts number
 

ciscoasa(config-aaa-server-group)# max-failed-attempts 2

Specifies the maximum number of requests sent to a RADIUS server in the group before trying the next server. The number argument can range from 1 to 5. The default is 3.

If you configured a fallback method using the local database (for management access only), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the next step.

If you do not have a fallback method, the ASA continues to retry the servers in the group.

Step 4

reactivation-mode { depletion [ deadtime minutes ] | timed }
 

ciscoasa(config-aaa-server-group)# reactivation-mode depletion deadtime 20

Specifies the method (reactivation policy) by which failed servers in a group are reactivated.

The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.

The deadtime minutes keyword-argument pair specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. The default is 10 minutes.

The timed keyword reactivates failed servers after 30 seconds of down time.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.html
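The reactivation behaviour described in the config guide excerpt above, as a simplified model (an added example, not part of the original post and not Cisco code). The class and method names are hypothetical; the model assumes a fallback method is configured and treats every request as instantaneous, ignoring the per-request timeout.

```python
TIMED_REACTIVATION_S = 30  # "timed": a failed server comes back after 30 s of down time

class ServerGroup:
    """Hypothetical model of one aaa-server group with a fallback method configured."""

    def __init__(self, servers, max_failed_attempts=3, mode="depletion", deadtime_min=10):
        if not 1 <= max_failed_attempts <= 5:
            raise ValueError("max-failed-attempts ranges from 1 to 5")
        if mode not in ("depletion", "timed"):
            raise ValueError("mode must be 'depletion' or 'timed'")
        if not 0 <= deadtime_min <= 1440:
            raise ValueError("deadtime ranges from 0 to 1440 minutes")
        self.servers = list(servers)
        self.max_failed = max_failed_attempts
        self.mode = mode
        self.deadtime_s = deadtime_min * 60
        self.failed_at = {}      # server -> time (s) at which it was marked failed
        self.depleted_at = None  # time (s) at which the last server was disabled

    def _reactivate(self, now):
        if self.mode == "timed":
            # Each server is re-enabled individually after 30 s.
            self.failed_at = {s: t for s, t in self.failed_at.items()
                              if now - t < TIMED_REACTIVATION_S}
        elif self.depleted_at is not None and now - self.depleted_at >= self.deadtime_s:
            # Depletion: all servers are re-enabled together once deadtime has elapsed.
            self.failed_at.clear()
            self.depleted_at = None

    def authenticate(self, now, responding):
        """Handle one AAA request at time `now` (seconds).

        `responding` is the set of servers that would answer right now.
        Returns (answered_by, requests_sent); answered_by is "fallback"
        when no active server in the group answers.
        """
        self._reactivate(now)
        sent = 0
        for server in self.servers:
            if server in self.failed_at:
                continue  # marked failed: not contacted at all
            for _ in range(self.max_failed):
                sent += 1
                if server in responding:
                    return server, sent
            self.failed_at[server] = now  # exhausted max-failed-attempts
        if (self.mode == "depletion" and self.depleted_at is None
                and len(self.failed_at) == len(self.servers)):
            self.depleted_at = now  # whole group unresponsive: deadtime starts
        return "fallback", sent
```

With `max_failed_attempts=5` and `deadtime_min=2`, the values from the question, a server that has recovered stays unused in depletion mode until the whole group has failed and two minutes have passed.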
