Cisco RAS check two different RADIUS servers

Discussion in 'Cisco' started by Dovelet, Nov 30, 2005.

  1. Dovelet

    Dovelet Guest

    Hi all,

    I am using a Cisco 2600 router as a RAS for remote users to connect the
    network through dial-up modem. I have two RADIUS servers with two
    different users database. Is it possible to configure the router so
    that it will check the 1st RADIUS server first and if the user is not
    in this RADIUS server, it will check the 2nd RADIUS server? Please note
    that both of the RADIUS servers are UP and running. Thanks.

    Dovelet, Nov 30, 2005
  2. Dovelet

    Merv Guest

    Try something like:

    aaa new-model
    !
    aaa group server radius RADIUS_SERVERS
     ! 1st RADIUS server
     server x.x.x.x
     ! 2nd RADIUS server
     server y.y.y.y
    !
    aaa authentication login default group RADIUS_SERVERS
    Merv, Dec 1, 2005
  3. This wouldn't work for the purposes of the original poster because the
    2nd server will only be contacted from the NAS in the case that the 1st
    server did not answer - neither ACCEPT nor REJECT (it is a fallback for
    serverburnings and something like that ;). As long as the NAS receives
    ACCEPTs or REJECTs from a particular RADIUS server, it will not change
    to another one. The desired "server hopping" has to be done outside
    from the NAS.

    Gerald Krause, Dec 1, 2005
  4. Dovelet

    Dovelet Guest


    What is "server hopping"? Do you mean I need an external server to do

    Dovelet, Dec 1, 2005
  5. correct, something like this:

    ..               -----> RADIUS1
    ..              /
    .. NAS --> PROXY
    ..              \
    ..               -----> RADIUS2


    .. NAS --> RADIUS1/PROXY --> RADIUS2

    if your favourite RADIUS server has the feature you are looking for
    already integrated.

    Gerald Krause, Dec 1, 2005
  6. Dovelet

    Vivek Guest

    A Router will look at the second radius server only if the first is not
    responding. If the first responds with an Access reject then the request
    would not go to the second radius server.

    You will have to configure your primary radius server to forward the
    Vivek, Dec 1, 2005
  7. Dovelet

    lobnetworks Guest

    There is a way to have the user choose which RADIUS server to
    authenticate with via the command 'tacacs-server directed-request' on
    the RAS but you need to specify the RADIUS server you would like to
    authenticate within the username field. For example [email protected] and
    the router will strip the @radiusIP and send just the username to the
    appropriate radius server. Probably not going to help but figured I'd
    throw it out there just in case it could be an option for you.
    lobnetworks, Dec 1, 2005
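
The difference the replies above describe, between NAS failover (the next server is tried only when the first gives no answer) and "server hopping" done by a proxy, shown as an added example that is not from any poster in this thread. It is a toy model, not a RADIUS implementation; the server names, users, passwords and the `proxy_hop` policy are assumptions made for illustration.

```python
# Added illustration: a toy model of the behaviour described in this thread,
# not a RADIUS implementation. Server names and credentials are constructed.
ACCEPT, REJECT, TIMEOUT = "Access-Accept", "Access-Reject", None


class RadiusServer:
    """Back end with its own user database; 'up=False' means it never answers."""

    def __init__(self, name, users, up=True):
        self.name, self.users, self.up = name, users, up

    def authenticate(self, user, password):
        if not self.up:
            return TIMEOUT
        # An unknown user still produces an answer: Access-Reject.
        return ACCEPT if self.users.get(user) == password else REJECT


def nas_failover(servers, user, password):
    """NAS server group: the next server is tried only after no answer."""
    for srv in servers:
        reply = srv.authenticate(user, password)
        if reply is not TIMEOUT:
            return reply, srv.name  # Accept or Reject from a live server is final
    return TIMEOUT, None


def proxy_hop(servers, user, password):
    """Hypothetical proxy policy: a Reject from one back end tries the next."""
    last_answer = None
    for srv in servers:
        reply = srv.authenticate(user, password)
        if reply == ACCEPT:
            return ACCEPT, srv.name
        if reply == REJECT:
            last_answer = srv.name
    return (REJECT, last_answer) if last_answer else (TIMEOUT, None)


if __name__ == "__main__":
    radius1 = RadiusServer("RADIUS1", {"alice": "pw-a"})
    radius2 = RadiusServer("RADIUS2", {"bob": "pw-b"})
    # bob exists only on RADIUS2, and both servers are up.
    print(nas_failover([radius1, radius2], "bob", "pw-b"))  # rejected by RADIUS1
    print(proxy_hop([radius1, radius2], "bob", "pw-b"))     # accepted by RADIUS2
```

With this proxy policy every failed login is tried against both databases, and a user name present in both is accepted with either server's password, so the two user sets should not overlap.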
