check multiple RADIUS servers for AAA?

Discussion in 'Cisco' started by Rob, Dec 30, 2012.

  1. Rob

    Rob Guest

    Is it possible to configure multiple RADIUS servers for
    AAA authentication of ppp sessions in such a way that the
    authentication result is the logical OR of the queries?

    I.e., the router always queries SERVER1 first, and when it
    returns an ACCEPT, the user is authenticated.
    When it returns a REJECT, SERVER2 is queried and when it
    returns an ACCEPT, the user is authenticated.
    When it returns a REJECT too, the access is denied.

    I have read about configuring multiple radius servers but
    I get the impression that it is for redundancy/fallback.
    Will the router try the other server when it gets a REJECT,
    or only when it times out on the first server?

    I want to use this configuration to gradually migrate users
    from one authentication method to another.
    Rob, Dec 30, 2012
    #1

  2. * Rob wrote:
    > Is it possible to configure multiple RADIUS servers for
    > AAA authentication of ppp sessions in such a way that the
    > authentication result is the logical OR of the queries?
    >
    > I.e., the router always queries SERVER1 first, and when it
    > returns an ACCEPT, the user is authenticated.
    > When it returns a REJECT, SERVER2 is queried and when it
    > returns an ACCEPT, the user is authenticated.
    > When it returns a REJECT too, the access is denied.


    That's the default for most AAA implementations I came across.

    > Will the router try the other server when it gets a REJECT,
    > or only when it times out on the first server?


    Did you try it out?
    Lutz Donnerhacke, Dec 30, 2012
    #2

  3. Rob

    Rob Guest

    Lutz Donnerhacke <> wrote:
    > * Rob wrote:
    >> Is it possible to configure multiple RADIUS servers for
    >> AAA authentication of ppp sessions in such a way that the
    >> authentication result is the logical OR of the queries?
    >>
    >> I.e., the router always queries SERVER1 first, and when it
    >> returns an ACCEPT, the user is authenticated.
    >> When it returns a REJECT, SERVER2 is queried and when it
    >> returns an ACCEPT, the user is authenticated.
    >> When it returns a REJECT too, the access is denied.

    >
    > That's the default for most AAA implementations I came across.
    >
    >> Will the router try the other server when it gets a REJECT,
    >> or only when it times out on the first server?

    >
    > Did you try it out?


    No I did not try it yet, but when reading through the docs
    I see mentioned things like "deadtime" etc, which lead me
    to believe that the mechanism is mainly for failover.

    Our current config is like this:

    aaa new-model

    aaa authentication login default local
    aaa authentication ppp default local group radius
    aaa authorization network default if-authenticated
    aaa accounting network default start-stop group radius

    radius server dc.example.com
    address ipv4 192.168.2.1 auth-port 1812 acct-port 1813
    timeout 1
    retransmit 3
    key 7 [encrypted pw]


    This authenticates the ppp sessions with a MS IAS server.
    Now I'd like to migrate the users to a Vasco server that
    checks codes output by keyfob tokens. But not all on the
    same day :)

    I think I need to set up a radius group, but from the docs
    I do not see a defined ordering of servers in a group, so
    that I can control which server is tried first. Maybe it
    tries them top-to-bottom, I have to test.

    Hopefully someone knows the answer so I don't have to wire
    up the whole thing and then find that it cannot be done this
    way...
    Rob, Dec 30, 2012
    #3
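    An added illustration of the mechanism behind the question in this post (constructed here; it is not Cisco code and not the thread's own config). It models how an IOS method list such as "ppp default local group radius" walks its servers: servers in a group are tried in configured order, a server that never answers (timeout after the retransmits) is marked dead and the next server is tried, while an Access-Reject from any server is a final answer, so neither the next server nor the next method is consulted; the local method is modelled as "unknown user -> try the next method". The server names, users and passwords are constructed sample data.

```python
"""Simulation of how a Cisco IOS AAA method list walks a RADIUS server group.

Added illustration with constructed data (not Cisco code). The rule it
encodes: an Access-Reject is final; only a non-answering server causes
fall-through to the next server, and only a group in which no server
answered (ERROR) causes fall-through to the next method.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, TIMEOUT, ERROR = "ACCEPT", "REJECT", "TIMEOUT", "ERROR"


@dataclass
class RadiusServer:
    name: str
    # Constructed credential store; None simulates a server that never answers.
    users: Optional[Dict[str, str]]
    dead: bool = False  # set after a timeout, like the IOS "deadtime" marker

    def query(self, user: str, password: str) -> str:
        if self.users is None:
            return TIMEOUT
        return ACCEPT if self.users.get(user) == password else REJECT


def query_group(servers: List[RadiusServer], user: str, password: str,
                log: List[str]) -> str:
    """Try the servers in configured (top-to-bottom) order.

    Returns ACCEPT or REJECT from the first server that answers, or ERROR
    when no server in the group answered at all.
    """
    for srv in servers:
        if srv.dead:
            log.append(f"{srv.name}: skipped (deadtime)")
            continue
        result = srv.query(user, password)
        log.append(f"{srv.name}: {result}")
        if result == TIMEOUT:
            srv.dead = True  # mark dead and move on to the next server
            continue
        return result  # ACCEPT or REJECT ends the group walk
    return ERROR


Method = Callable[[str, str, List[str]], str]


def authenticate(method_list: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[str, List[str]]:
    """Walk the method list; only ERROR moves on to the next method."""
    log: List[str] = []
    for name, method in method_list:
        result = method(user, password, log)
        log.append(f"method {name}: {result}")
        if result in (ACCEPT, REJECT):
            return result, log
    return REJECT, log  # no method could answer: deny


def run_scenario(user: str, password: str,
                 server1_users: Optional[Dict[str, str]],
                 server2_users: Optional[Dict[str, str]]) -> Tuple[str, List[str]]:
    """Model 'aaa authentication ppp default local group radius' with two servers."""
    local_db = {"admin": "console-only"}  # constructed local username database

    def local_method(u: str, p: str, log: List[str]) -> str:
        if u not in local_db:
            return ERROR  # unknown locally: fall through to the next method
        return ACCEPT if local_db[u] == p else REJECT

    servers = [RadiusServer("SERVER1", server1_users),
               RadiusServer("SERVER2", server2_users)]

    def radius_method(u: str, p: str, log: List[str]) -> str:
        return query_group(servers, u, p, log)

    return authenticate([("local", local_method), ("group radius", radius_method)],
                        user, password)


if __name__ == "__main__":
    ias = {"alice": "ad-password"}   # SERVER1 knows alice's AD password (constructed)
    vasco = {"bob": "482913"}        # SERVER2 knows bob's token code (constructed)
    for who, pw in (("alice", "ad-password"), ("bob", "482913")):
        print(who, run_scenario(who, pw, ias, vasco))
    # With SERVER1 unreachable, bob's request does reach SERVER2.
    print("bob", run_scenario("bob", "482913", None, vasco))
```

    Running it shows the point of the thread: bob, who only exists on SERVER2, is rejected as long as SERVER1 answers, because SERVER1's REJECT is taken as the verdict; he is only accepted by SERVER2 when SERVER1 has gone silent.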
  4. Rob

    Rob Guest

    alexd <> wrote:
    > Rob (for it is he) wrote:
    >
    >> This authenticates the ppp sessions with a MS IAS server.
    >> Now I'd like to migrate the users to a Vasco server that
    >> checks codes output by keyfob tokens.

    >
    > ISTR from setting up Vasco auth with an ASA that the Vasco stuff was
    > horrendously complex /but/ very flexible as well. I think you could easily
    > enough point the router at just your Vasco service and get the Vasco
    > service to require a token for a given user [or not], or make the
    > distinction in the AD that backs the Vasco service [if applicable].


    You mean that the vasco server can be configured to relay the request
    to the IAS server when it cannot validate the request itself?
    I will see if that is possible.

    >> Hopefully someone knows the answer so I don't have to wire
    >> up the whole thing and then find that it cannot be done this
    >> way...

    >
    > But surely you were going to test this in the lab first, right?


    Unfortunately I have no lab with sufficient equipment to test this.
    But I can test at a time the system is not in use and roll back
    when it does not work. I only want to save myself the effort when
    someone says "that cannot be done within the cisco, no need to try",
    in which case I would have investigated the option you gave above,
    or the option to put another server in between that could do it.
    Rob, Dec 30, 2012
    #4
  5. Rob

    Rob Guest

    alexd <> wrote:
    > Rob (for it is he) wrote:
    >
    >> You mean that the vasco server can be configured to relay the request
    >> to the IAS server when it cannot validate the request itself?
    >> I will see if that is possible.

    >
    > No, I didn't mean that [but I don't know that it /can't/ do that]. What I
    > meant was, point the Vasco service at the same place to get its users as the
    > IAS uses currently. As I said, last time I looked at Identikey, it had about
    > a bajillion options so it should be possible.


    We have the Vasco service installed with AD integration. This means
    it stores its user accounts and attributes in the AD, but as far as
    I know I still need to create a Vasco account for every user that uses
    a token, by assigning a free token to that user. That will add some
    information to the AD for that user.

    At that time, it is possible to assign a temporary static password to
    the user, that can be used instead of the token code until the user
    first logs in using a valid token code. At that time (or after a
    preset grace period), the static password no longer can be used.

    However, when I want to do a smooth migration, I would have to assign
    the users a new static password and tell it to them, or ask the users
    to give their AD password and put it in the static password field of
    the Vasco tabs in Users&Computers.

    I don't know about a method to tell the Vasco software to "do identikey
    validation on all the users it knows about and validate the remaining
    users through AD info". Which is what I should be able to do by
    configuring two RADIUS servers in the router.
    Rob, Dec 31, 2012
    #5
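    An added illustration of the "another server in between" option raised earlier in the thread (constructed here; not a product configuration and not the thread's own setup). A RADIUS proxy sitting between the router and the two backends can implement the routing the router itself will not do. The block contrasts the plain logical OR asked for in the first post with a migration-safe variant: with the OR, a user who already has a token can keep logging in with the old AD password, so the safer policy sends enrolled users to the token server only and everyone else to IAS. Backend names, users, passwords and token codes are constructed sample data; a real deployment would express the same decision in the proxy's own policy language.

```python
"""Routing logic for a RADIUS proxy placed between the router and two backends.

Added illustration with constructed data. It compares two decision rules:
a logical OR of both backends, and enrolment-based routing that gives each
user exactly one authoritative backend.
"""
from typing import Callable, Dict, List, Set, Tuple

ACCEPT, REJECT = "ACCEPT", "REJECT"
Backend = Callable[[str, str], str]


def make_backend(name: str, creds: Dict[str, str], log: List[str]) -> Backend:
    """Constructed stand-in for a RADIUS backend holding one credential per user."""
    def query(user: str, password: str) -> str:
        result = ACCEPT if creds.get(user) == password else REJECT
        log.append(f"{name}: {user} -> {result}")
        return result
    return query


def decide_logical_or(user: str, password: str,
                      token_srv: Backend, ias: Backend) -> str:
    """What the first post asks for: accept if either backend accepts."""
    if token_srv(user, password) == ACCEPT:
        return ACCEPT
    return ias(user, password)


def decide_by_enrolment(user: str, password: str, enrolled: Set[str],
                        token_srv: Backend, ias: Backend) -> str:
    """Migration-safe routing: one authoritative backend per user."""
    if user in enrolled:
        return token_srv(user, password)  # a REJECT here is final, no AD fallback
    return ias(user, password)


def run_policy(policy: str, user: str, password: str) -> Tuple[str, List[str]]:
    """Evaluate one login under the named policy and return (verdict, trace)."""
    log: List[str] = []
    ad_passwords = {"alice": "ad-password", "bob": "old-ad-password"}  # constructed
    token_codes = {"bob": "482913"}                                     # constructed
    enrolled = set(token_codes)  # bob has been issued a token, alice has not
    token_srv = make_backend("vasco", token_codes, log)
    ias = make_backend("ias", ad_passwords, log)
    if policy == "or":
        verdict = decide_logical_or(user, password, token_srv, ias)
    elif policy == "enrolment":
        verdict = decide_by_enrolment(user, password, enrolled, token_srv, ias)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return verdict, log


if __name__ == "__main__":
    attempts = (("alice", "ad-password"), ("bob", "482913"), ("bob", "old-ad-password"))
    for policy in ("or", "enrolment"):
        for who, pw in attempts:
            print(policy, who, run_policy(policy, who, pw))
```

    Under the "or" policy bob's old AD password still works after he has a token, which is the downgrade a token rollout is meant to remove; under the "enrolment" policy that attempt is rejected and IAS is never asked, while alice, not yet enrolled, is still validated against IAS.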