2014/01/03

AAA server redundancy on Cisco ASA


To provide AAA high availability in your environment you should deploy at least two redundant AAA servers in your infrastructure. The Cisco ASA treats the servers in a group as an active/passive pair, so when the primary server goes down the secondary takes over.

The AAA configuration on the ASA is very simple.

aaa-server AAA_RADIUS protocol radius
aaa-server AAA_RADIUS (inside) host 10.0.0.10
 key radiuskey
aaa-server AAA_RADIUS (inside) host 10.0.0.11
 key radiuskey


In this configuration, which is the default, when the primary server (10.0.0.10) goes down, the secondary (10.0.0.11) takes over. But you must be aware that once a server has been marked as down it will not automatically come back up. You must manually re-enable it with the following command.

aaa-server AAA_RADIUS active host 10.0.0.10

Checking the server status on your firewalls every day is neither scalable nor user friendly. So what options do you have?

You can configure some sort of notification to alert you when a server goes down. One of the many options is e-mail notification sent by the ASA itself, triggered by syslog message 113022 (described at the end of this post). A configuration example is provided below.

logging enable
logging timestamp
logging list radius_list message 113022
logging mail radius_list
logging from-address asa@example.com
logging recipient-address admin@example.com
smtp-server smtp.example.com
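
If you already ship ASA syslog to a central collector, the same 113022 message can drive an alert there instead of (or in addition to) the e-mail. The Python below is an added example and not part of the original post or of any Cisco tooling. It filters constructed sample syslog lines for message 113022 using the format given in the Cisco message description, and compares the failed servers against the configured members of the group so that losing one server of the pair (redundancy gone) is rated differently from losing both (no server left to take over). The syslog prefix ("Jan 03 2014 ... asa1 :") is an assumed collector format; the IPs and group name are those from the configuration above.

```python
import re
from collections import defaultdict

# Regex for the 113022 message in the format given in the Cisco description:
# "AAA Marking <protocol> server <ip-addr> in aaa-server group <tag> as FAILED".
FAILED_RE = re.compile(
    r"%ASA-2-113022: AAA Marking (?P<protocol>\S+) server (?P<server>\S+) "
    r"in aaa-server group (?P<group>\S+) as FAILED"
)

# Constructed sample syslog lines (not captured from a real device). The IPs and
# group name match the aaa-server configuration in the post. The first line is
# unrelated connection-logging noise that the filter has to ignore.
SAMPLE_LOGS = [
    "Jan 03 2014 10:15:01 asa1 : %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.50/51234 (10.0.0.50/51234)",
    "Jan 03 2014 10:15:07 asa1 : %ASA-2-113022: AAA Marking RADIUS server 10.0.0.10 "
    "in aaa-server group AAA_RADIUS as FAILED",
    "Jan 03 2014 10:16:40 asa1 : %ASA-2-113022: AAA Marking RADIUS server 10.0.0.11 "
    "in aaa-server group AAA_RADIUS as FAILED",
]

# Configured members of each aaa-server group, taken from the configuration above.
GROUP_MEMBERS = {"AAA_RADIUS": {"10.0.0.10", "10.0.0.11"}}


def parse_failures(lines):
    """Return one dict (protocol, server, group) per 113022 message found."""
    events = []
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def evaluate_groups(events, group_members):
    """Rate every configured group from the failure events seen so far.

    Returns {group: (status, sorted failed servers)} where status is
    'ok' (nothing failed), 'degraded' (at least one member failed but another
    can still take over) or 'outage' (every member of the group failed).
    """
    failed = defaultdict(set)
    for event in events:
        failed[event["group"]].add(event["server"])

    result = {}
    for group, members in group_members.items():
        down = failed.get(group, set()) & members
        if not down:
            status = "ok"
        elif down == members:
            status = "outage"
        else:
            status = "degraded"
        result[group] = (status, sorted(down))
    return result


if __name__ == "__main__":
    summary = evaluate_groups(parse_failures(SAMPLE_LOGS), GROUP_MEMBERS)
    for group, (status, down) in summary.items():
        print(f"{group}: {status} failed={down}")
```

Because the ASA does not reactivate a failed server on its own in the default mode, a "degraded" state that persists is exactly the case this post is about: the firewall keeps authenticating against the secondary while nobody has re-enabled the primary.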

The other option is to configure the ASA to automatically try to move a failed server back to the ACTIVE state after 30 seconds (unfortunately this interval cannot be changed). This is a simple one-line command under the server group.

aaa-server AAA_RADIUS protocol radius
 reactivation-mode timed


You can use the show aaa-server command to check the server status.

Server Group:    AAA_RADIUS
Server Protocol: radius
Server Address:  10.0.0.10
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE (admin initiated)
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       10
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       10
Number of rejects                       10
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

Server Group:    AAA_RADIUS
Server Protocol: radius
Server Address:  10.0.0.11
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE (admin initiated)
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       10
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       10
Number of rejects                       10
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0
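
Where you poll the firewall on a schedule rather than wait for a syslog, the same check can be made against this show aaa-server output. The following Python is an added example, not code from the original post or from Cisco. Its sample text is constructed by modelling the listing above and marking the second server FAILED with a few timeouts so the check has something to report; the exact wording the ASA prints after a failed server's "Server status:" is assumed, which is why the code only looks at the leading word.

```python
import re

# Constructed sample modelled on the show aaa-server output in the post (not
# captured from a real device). The second server is marked FAILED and has
# accumulated timeouts so that the health check has something to flag.
SAMPLE_SHOW = """\
Server Group:    AAA_RADIUS
Server Protocol: radius
Server Address:  10.0.0.10
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE (admin initiated)
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       10
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       10
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

Server Group:    AAA_RADIUS
Server Protocol: radius
Server Address:  10.0.0.11
Server port:     1645(authentication), 1646(accounting)
Server status:   FAILED
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       4
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               3
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      4
Number of unrecognized responses        0
"""

# "Key:   value" header lines we keep, and "Number of <name>   <count>" lines.
FIELD_RE = re.compile(
    r"^(?P<key>Server Group|Server Protocol|Server Address|Server status):\s+(?P<value>.*)$"
)
COUNTER_RE = re.compile(r"^Number of (?P<name>[a-z ]+?)\s{2,}(?P<value>\d+)$")


def parse_show_aaa_server(text):
    """Split the output into one dict per server; counters are stored as ints."""
    servers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server Group:"):
            current = {"counters": {}}  # a new server record starts here
            servers.append(current)
        if current is None or not line:
            continue
        field = FIELD_RE.match(line)
        if field:
            current[field.group("key")] = field.group("value")
            continue
        counter = COUNTER_RE.match(line)
        if counter:
            current["counters"][counter.group("name")] = int(counter.group("value"))
    return servers


def unhealthy_servers(servers):
    """Return (address, reason) for every server that is not ACTIVE, or that is
    ACTIVE but has already recorded timeouts (an early sign it may fail next)."""
    problems = []
    for server in servers:
        status = server.get("Server status", "")
        address = server.get("Server Address", "?")
        timeouts = server["counters"].get("timeouts", 0)
        if not status.startswith("ACTIVE"):
            problems.append((address, f"status {status}"))
        elif timeouts > 0:
            problems.append((address, f"{timeouts} timeouts"))
    return problems


if __name__ == "__main__":
    for address, reason in unhealthy_servers(parse_show_aaa_server(SAMPLE_SHOW)):
        print(f"{address}: {reason}")
```

Matching only the leading word of the status line keeps the check working whether the ASA appends "(admin initiated)" or a failure timestamp, and the timeout counter gives you a warning before a server is actually marked failed.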

113022 message description

Error Message
%ASA-2-113022: AAA Marking RADIUS server servername in aaa-server group AAA-Using-DNS as FAILED

Explanation

The ASA has tried an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server will be marked as failed and has been removed from service.

  • protocol - The type of authentication protocol, which can be one of the following:
    • RADIUS
    • TACACS+
    • NT
    • RSA SecurID
    • Kerberos
    • LDAP
  • ip-addr - The IP address of the AAA server
  • tag - The server group name

Recommended Action

Verify that the AAA server is online and is accessible from the ASA.