check multiple RADIUS servers for AAA?

Discussion in 'Cisco' started by Rob, Dec 30, 2012.

  1. Rob

    Rob Guest

    Is it possible to configure multiple RADIUS servers for
    AAA authentication of ppp sessions in such a way that the
    authentication result is the logical OR of the queries?

    I.e., the router always queries SERVER1 first, and when it
    returns an ACCEPT, the user is authenticated.
    When it returns a REJECT, SERVER2 is queried and when it
    returns an ACCEPT, the user is authenticated.
    When it returns a REJECT too, the access is denied.

    I have read about configuring multiple radius servers but
    I get the impression that it is for redundancy/fallback.
    Will the router try the other server when it gets a REJECT,
    or only when it times out on the first server?

    I want to use this configuration to gradually migrate users
    from one authentication method to another.
    Rob, Dec 30, 2012

  2. That's the default for most of the AAA implementations I came across.
    Did you try it out?
    Lutz Donnerhacke, Dec 30, 2012

  3. Rob

    Rob Guest

    No I did not try it yet, but when reading through the docs
    I see mentioned things like "deadtime" etc, which lead me
    to believe that the mechanism is mainly for failover.

    Our current config is like this:

    aaa new-model

    aaa authentication login default local
    aaa authentication ppp default local group radius
    aaa authorization network default if-authenticated
    aaa accounting network default start-stop group radius

    radius server
    address ipv4 auth-port 1812 acct-port 1813
    timeout 1
    retransmit 3
    key 7 [encrypted pw]

    This authenticates the ppp sessions with a MS IAS server.
    Now I like to migrate the users to a Vasco server that
    checks codes output by keyfob tokens. But not all on the
    same day :)

    I think I need to setup a radius group, but from the docs
    I do not see a defined ordering of servers in a group, so
    that I can control which server is tried first. Maybe it
    tries them top-to-bottom, I have to test.

    Hopefully someone knows the answer so I don't have to wire
    up the whole thing and then find that it cannot be done this
    Rob, Dec 30, 2012
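As an added example (not posted in the thread), this is the server-group form of the config above on IOS 15.x, with the two servers listed in the order the group tries them; the server names, 192.0.2.x addresses and key strings are placeholders, not values from the thread.

```text
! Added example: one RADIUS server group with two servers.
! Names, addresses and keys below are placeholders.
aaa new-model
!
radius server VASCO-TOKEN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 timeout 1
 retransmit 3
 key VASCO-SHARED-SECRET-PLACEHOLDER
!
radius server IAS-PASSWORD
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 timeout 1
 retransmit 3
 key IAS-SHARED-SECRET-PLACEHOLDER
!
! Servers are tried top to bottom within the group.
aaa group server radius PPP-AUTH
 server name VASCO-TOKEN
 server name IAS-PASSWORD
!
aaa authentication login default local
aaa authentication ppp default local group PPP-AUTH
aaa authorization network default if-authenticated
aaa accounting network default start-stop group PPP-AUTH
```

Group order only governs failover: the router moves on to IAS-PASSWORD when VASCO-TOKEN gives no answer within timeout x retransmit (or is marked dead), whereas an Access-Reject from the first server is final and ends the attempt. The "logical OR" therefore has to be done at the RADIUS server side (the token server proxying users it does not know to IAS), not in the router's server group.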
  4. Rob

    Rob Guest

    You mean that the vasco server can be configured to relay the request
    to the IAS server when it cannot validate the request itself?
    I will see if that is possible.
    Unfortunately I have no lab with sufficient equipment to test this.
    But I can test at a time the system is not in use and rollback
    when it does not work. I only want to save myself the effort when
    someone says "that cannot be done within the cisco, no need to try",
    in which case I would have investigated the option you gave above,
    or the option to put another server in between that could do it.
    Rob, Dec 30, 2012
  5. Rob

    Rob Guest

    We have the Vasco service installed with AD integration. This means
    it stores its user accounts and attributes in the AD, but as far as
    I know I still need to create a Vasco account for every user that uses
    a token, by assigning a free token to that user. That will add some
    information to the AD for that user.

    At that time, it is possible to assign a temporary static password to
    the user, that can be used instead of the token code until the user
    first logs in using a valid token code. At that time (or after a
    preset grace period), the static password no longer can be used.

    However, when I want to do a smooth migration, I would have to assign
    the users a new static password and tell it to them, or ask the users
    to give their AD password and put it in the static password field of
    the Vasco tabs in Users&Computers.

    I don't know about a method to tell the Vasco software to "do identikey
    validation on all the users it knows about and validate the remaining
    users through AD info". Which is what I should be able to do by
    configuring two RADIUS servers in the router.
    Rob, Dec 31, 2012