Cisco RAS check two different RADIUS servers

Discussion in 'Cisco' started by Dovelet, Nov 30, 2005.

  1. Dovelet

    Dovelet Guest

    Hi all,

    I am using a Cisco 2600 router as a RAS for remote users to connect to the
    network through a dial-up modem. I have two RADIUS servers with two
    different user databases. Is it possible to configure the router so
    that it will check the 1st RADIUS server first and if the user is not
    in this RADIUS server, it will check the 2nd RADIUS server? Please note
    that both of the RADIUS servers are UP and running. Thanks.

    Regards,
    Dovelet
     
    Dovelet, Nov 30, 2005
    #1

  2. Dovelet

    Merv Guest

    try something like:

    aaa group server radius RADIUS_SERVERS
     server x.x.x.x ! 1st RADIUS server
     server y.y.y.y ! 2nd RADIUS server
     exit

    aaa authentication login default group RADIUS_SERVERS
     
    Merv, Dec 1, 2005
    #2

  3. Merv wrote:
    > try something like :
    >
    > aaa group server radius RADIUS_SERVERS
    > server x.x.x.x ! 1st RADIUS server
    > server y.y.y.y ! 2nd RADIUS server
    > exit
    >
    > aaa authentication login default group RADIUS_SERVERS
    >


    This wouldn't work for the purposes of the original poster because the
    2nd server will only be contacted by the NAS in the case that the 1st
    server did not answer - neither ACCEPT nor REJECT (it is a fallback for
    server burnings and things like that ;). As long as the NAS receives
    ACCEPTs or REJECTs from a particular RADIUS server, it will not change
    to another one. The desired "server hopping" has to be done outside
    of the NAS.

    --gerald
     
    Gerald Krause, Dec 1, 2005
    #3
  4. Dovelet

    Dovelet Guest

    Hi,

    What is "server hopping"? Do you mean I need an external server to do
    so?

    Regards,
    Dovelet
     
    Dovelet, Dec 1, 2005
    #4
  5. Dovelet wrote:
    > Hi,
    >
    > What is "server hopping"? Do you mean I need an external server to do
    > so?


    correct, something like this:

                  -----> RADIUS1
                 /
    NAS --> PROXY
                 \
                  -----> RADIUS2


    or

    NAS --> RADIUS1/PROXY --> RADIUS2

    if your favourite RADIUS server has the feature you are looking for
    already integrated.


    --gerald
     
    Gerald Krause, Dec 1, 2005
    #5
  6. Dovelet

    Vivek Guest

    A router will look at the second RADIUS server only if the first is not
    responding. If the first responds with an Access reject, then the request
    would not go to the second RADIUS server.

    You will have to configure your primary RADIUS server to forward the
    request.
     
    Vivek, Dec 1, 2005
    #6
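
The difference between the NAS server-group fallback and the proxy "server hopping" described in the replies above, as an added Python model that is not part of any post in the thread. The server class, user names and passwords are constructed for illustration, and no RADIUS packets are sent.

```python
# Added illustration: models RADIUS server selection only, no network I/O.
ACCEPT, REJECT, TIMEOUT = "Access-Accept", "Access-Reject", None


class RadiusServer:
    """Constructed stand-in for a RADIUS server with its own user database."""
    def __init__(self, name, users, up=True):
        self.name, self.users, self.up = name, users, up

    def authenticate(self, user, password):
        if not self.up:
            return TIMEOUT                     # server gives no reply at all
        ok = self.users.get(user) == password
        return ACCEPT if ok else REJECT        # unknown user is also a reject


def nas_server_group(servers, user, password):
    """NAS behaviour described in the thread: move to the next server only
    when the current one does not answer; any reply is final."""
    for s in servers:
        reply = s.authenticate(user, password)
        if reply is not TIMEOUT:
            return reply, s.name
    return TIMEOUT, None


def hopping_proxy(servers, user, password):
    """Proxy behaviour sketched in the thread: try the next database when
    the current one rejects or is silent; reject only if none accepts."""
    answered = False
    for s in servers:
        reply = s.authenticate(user, password)
        if reply == ACCEPT:
            return reply, s.name
        answered = answered or reply == REJECT
    return (REJECT if answered else TIMEOUT), None


# Constructed sample databases (hypothetical users and passwords).
radius1 = RadiusServer("RADIUS1", {"alice": "a-pass"})
radius2 = RadiusServer("RADIUS2", {"bob": "b-pass", "alice": "other-pass"})
group = [radius1, radius2]

if __name__ == "__main__":
    for user, pw in [("alice", "a-pass"), ("bob", "b-pass"), ("alice", "other-pass")]:
        print(user, pw, nas_server_group(group, user, pw), hopping_proxy(group, user, pw))
```

The last case shows a side effect to plan for: with hopping, a username that exists in both databases is accepted with either server's password.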
  7. Dovelet

    Guest

    Vivek wrote:
    > A Router will look at the second radius server only if the first is not
    > responding. If the first responds with a Access reject then the request
    > would not go to the second radius server.
    >
    > You will have to configure your primary radius server to forward the
    > request.


    There is a way to have the user choose which RADIUS server to
    authenticate with via the command 'tacacs-server directed-request' on
    the RAS, but you need to specify the RADIUS server you would like to
    authenticate with in the username field. For example user@radiusIP and
    the router will strip the @radiusIP and send just the username to the
    appropriate RADIUS server. Probably not going to help but figured I'd
    throw it out there just in case it could be an option for you.
     
    , Dec 1, 2005
    #7