To make AAA highly available you should deploy at least two redundant AAA servers in your infrastructure. The Cisco ASA treats the servers in a group as an active/standby pair: requests go to the first configured server, and if that server goes down the secondary takes over.
The AAA configuration on the ASA is very simple.
aaa-server AAA_RADIUS protocol radius
aaa-server AAA_RADIUS (inside) host 10.0.0.10
key radiuskey
aaa-server AAA_RADIUS (inside) host 10.0.0.11
key radiuskey
In this configuration, which uses the default reactivation mode (depletion), the secondary server (10.0.0.11) takes over when the primary (10.0.0.10) goes down. But be aware that a server marked FAILED does not come back on its own while another server in the group is still answering: in depletion mode the ASA only reactivates failed servers once every server in the group has failed and the deadtime (10 minutes by default) has elapsed. Until then you must re-enable the server manually with the following command.
aaa-server AAA_RADIUS active host 10.0.0.10
Checking the server status on every firewall each day is neither scalable nor user friendly, so what options do you have?
You can configure some sort of notification to alert you when a server goes down. One of the many options is e-mail notification from the ASA itself. A configuration example is provided below; it filters on syslog message 113022, which the ASA generates when it marks a server as FAILED (the message is described at the end of this post).
logging enable
logging timestamp
logging list radius_list message 113022
logging mail radius_list
logging from-address asa@example.com
logging recipient-address admin@example.com
smtp-server smtp.example.com
The other option is to configure the ASA to automatically move a failed server back to the ACTIVE state after 30 seconds (timed reactivation; unfortunately the interval cannot be changed). This is a simple one-line command under the server group. Keep in mind that a server which is really dead is then retried every 30 seconds, and each time the next request to it has to wait out the configured per-server timeout before the ASA falls over to the other server.
aaa-server AAA_RADIUS protocol radius
reactivation-mode timed
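As an added example (not part of the original post), both reactivation modes written out in full, together with the per-server settings that decide how quickly a server gets marked FAILED in the first place. The group name, interface, addresses and key are the ones used above; the timer values are assumptions chosen to illustrate the commands, not a recommendation for every environment.

```text
! Option A: the default depletion mode, with the deadtime made explicit.
! Failed servers return to service only after every server in the group has
! failed and the deadtime (10 minutes here, which is also the default) has passed.
aaa-server AAA_RADIUS protocol radius
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3
aaa-server AAA_RADIUS (inside) host 10.0.0.10
 key radiuskey
 timeout 5
 retry-interval 3
aaa-server AAA_RADIUS (inside) host 10.0.0.11
 key radiuskey
 timeout 5
 retry-interval 3
!
! Option B: timed mode. A failed server is put back to ACTIVE after a fixed
! 30 seconds whether or not it has actually recovered.
aaa-server AAA_RADIUS protocol radius
 reactivation-mode timed
```

max-failed-attempts (1 to 5, default 3) is the number of consecutive failed requests before a server is marked FAILED; timeout and retry-interval (seconds) control how long each request waits and how often it is retransmitted, so together they set how long a user waits before the ASA gives up on a dead server and tries the next one.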
You can use the show aaa-server command to check the server status.
Server Group: AAA_RADIUS
Server Protocol: radius
Server Address: 10.0.0.10
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE (admin initiated)
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 10
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 10
Number of rejects 10
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
Server Group: AAA_RADIUS
Server Protocol: radius
Server Address: 10.0.0.11
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE (admin initiated)
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 10
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 10
Number of rejects 10
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
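Reading this output by hand on every firewall is the part that does not scale, so here is an added example (not from the original post) that parses show aaa-server output collected from the ASA, lists the servers that are not ACTIVE and prints the exact reactivation command for each one. The sample output is constructed: unlike the output above, the second server has been marked FAILED, and only a subset of the counters is included because the parser treats every "Number of ..." line generically.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "show aaa-server" output for the AAA_RADIUS group.
# It is not the output shown in the post: here the second server has been
# marked FAILED after repeated timeouts, and only some counters are listed.
SAMPLE_SHOW_AAA_SERVER = """\
Server Group: AAA_RADIUS
Server Protocol: radius
Server Address: 10.0.0.10
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE (admin initiated)
Number of pending requests 0
Number of authentication requests 10
Number of retransmissions 0
Number of accepts 10
Number of rejects 0
Number of timeouts 0
Server Group: AAA_RADIUS
Server Protocol: radius
Server Address: 10.0.0.11
Server port: 1645(authentication), 1646(accounting)
Server status: FAILED
Number of pending requests 0
Number of authentication requests 4
Number of retransmissions 3
Number of accepts 0
Number of rejects 0
Number of timeouts 4
"""


@dataclass
class AaaServer:
    group: str
    protocol: str = ""
    address: str = ""
    status: str = ""
    counters: dict = field(default_factory=dict)

    @property
    def is_active(self) -> bool:
        # The status is "ACTIVE", optionally followed by a reason in parentheses.
        return self.status.startswith("ACTIVE")


_FIELD = re.compile(r"^Server (Group|Protocol|Address|status):\s*(.+)$")
_COUNTER = re.compile(r"^Number of (.+?)\s+(\d+)$")
_ATTR = {"Protocol": "protocol", "Address": "address", "status": "status"}


def parse_show_aaa_server(output: str) -> list[AaaServer]:
    """Split show aaa-server output into one AaaServer per "Server Group:" block."""
    servers: list[AaaServer] = []
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = _FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "Group":
                # Every server entry starts with its own "Server Group:" line.
                current = AaaServer(group=value)
                servers.append(current)
            elif current is not None:
                setattr(current, _ATTR[key], value)
            continue
        m = _COUNTER.match(line)
        if m and current is not None:
            current.counters[m.group(1)] = int(m.group(2))
    return servers


def failed_servers(output: str) -> list[str]:
    """Addresses of every server whose status is not ACTIVE."""
    return [s.address for s in parse_show_aaa_server(output) if not s.is_active]


def reactivation_commands(output: str) -> list[str]:
    """The ASA commands that would return each non-ACTIVE server to service."""
    return [f"aaa-server {s.group} active host {s.address}"
            for s in parse_show_aaa_server(output) if not s.is_active]


if __name__ == "__main__":
    for server in parse_show_aaa_server(SAMPLE_SHOW_AAA_SERVER):
        print(server.address, server.status, "timeouts:", server.counters.get("timeouts", 0))
    for cmd in reactivation_commands(SAMPLE_SHOW_AAA_SERVER):
        print("needs:", cmd)
```

Feed it the real output captured over SSH (or from a scheduled job) and alert when failed_servers returns anything; the timeouts counter on the failed entry tells you whether the server actually stopped answering or was taken out of service by an administrator.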
113022 message description
Error Message
%ASA-2-113022: AAA Marking RADIUS server servername in aaa-server group AAA-Using-DNS as FAILED
Explanation
The ASA has tried an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server will be marked as failed and has been removed from service. The fields in the message are:
- protocol: the type of authentication protocol, one of RADIUS, TACACS+, NT, RSA SecurID, Kerberos, LDAP
- ip-addr: the IP address of the AAA server
- tag: the server group name
Recommended Action
Verify that the AAA server is online and is accessible from the ASA.
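If the ASA already ships its syslog to a collector, the same 113022 message used for the e-mail notification above can be matched there instead, which also lets you tell "one server of two is down" apart from "the whole group is gone". The following is an added example, not code from the original post: it parses constructed syslog lines in the message format documented above and, given an assumed map of which servers belong to which group, reports the groups in which every server has failed.

```python
import re
from dataclasses import dataclass

# Constructed syslog lines in the format an ASA sends to a syslog server. The
# timestamps, hostname and addresses are assumptions; the 113022 message body
# follows the format documented in the post. The unrelated 302013 line is there
# to show that other messages are ignored.
SAMPLE_SYSLOG = """\
Jun 12 08:15:01 asa01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.50/51234 (10.0.0.50/51234)
Jun 12 08:17:44 asa01 %ASA-2-113022: AAA Marking RADIUS server 10.0.0.10 in aaa-server group AAA_RADIUS as FAILED
Jun 12 09:02:10 asa01 %ASA-2-113022: AAA Marking TACACS+ server 10.0.0.20 in aaa-server group AAA_TACACS as FAILED
"""

# Assumed group membership: the two-server AAA_RADIUS group from the post plus
# a single-server TACACS+ group, added to show the fully depleted case.
GROUP_MEMBERS = {
    "AAA_RADIUS": {"10.0.0.10", "10.0.0.11"},
    "AAA_TACACS": {"10.0.0.20"},
}

_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>%ASA-\d-\d+: .*)$"
)
# protocol is matched non-greedily because one documented value, "RSA SecurID",
# contains a space; server and group names contain none.
_FAILED = re.compile(
    r"^%ASA-2-113022: AAA Marking (?P<protocol>.+?) server (?P<server>\S+) "
    r"in aaa-server group (?P<group>\S+) as FAILED$"
)


@dataclass(frozen=True)
class ServerFailure:
    timestamp: str
    device: str
    protocol: str
    server: str
    group: str


def parse_failures(log: str) -> list[ServerFailure]:
    """Return one ServerFailure per 113022 message, in log order."""
    failures = []
    for line in log.splitlines():
        m = _SYSLOG.match(line)
        if not m:
            continue
        f = _FAILED.match(m.group("msg"))
        if not f:
            continue
        failures.append(ServerFailure(m.group("ts"), m.group("host"),
                                      f.group("protocol"), f.group("server"), f.group("group")))
    return failures


def failed_by_group(log: str) -> dict[str, set[str]]:
    """Map each server group to the set of servers the log marked FAILED."""
    groups: dict[str, set[str]] = {}
    for f in parse_failures(log):
        groups.setdefault(f.group, set()).add(f.server)
    return groups


def depleted_groups(log: str, members: dict[str, set[str]] = GROUP_MEMBERS) -> list[str]:
    """Groups in which every configured server has been marked FAILED, so no
    AAA path is left. In the default depletion mode this is the point at which
    the ASA itself starts the deadtime before reactivating the whole group."""
    failed = failed_by_group(log)
    return sorted(g for g, srvs in members.items() if srvs <= failed.get(g, set()))


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_SYSLOG):
        print(f.timestamp, f.device, f.protocol, f.server, "failed in group", f.group)
    print("fully depleted groups:", depleted_groups(SAMPLE_SYSLOG))
```

A single 113022 for a two-server group is a warning (you are running without redundancy); a group in the depleted list means authentication is failing right now and deserves a page rather than an e-mail.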