Posted: 9/1/2011 11:06:37 AM EDT
It's been a long time since I've done this stuff on an ASA; mostly I deal with Fortigate appliances now, so I am a little rusty. We have a client who has two separate domains: their 'production' domain and a 'clients development' domain. They have DCs for each on their DMZ. We want to set up their new (used) ASA 5520 to authenticate VPN users against both domains. I tried adding both servers as AAA servers in the remote access VPN configuration, but it will only authenticate against the first. It seems like there's no 'if the first fails, try the second' logic built into the ASA. Is there a way to do this natively on the ASA, or do I have to set up a domain trust so the one DC can authenticate for both domains?
Can you add multiple servers to the AAA group and then add it like normal to the tunnel-group, for example:
aaa-server DC_Group protocol radius
aaa-server DC_Group (DMZ1) host 10.20.1.1
 timeout 30
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server DC_Group (DMZ2) host 10.20.2.1
 timeout 30
 key *****
 authentication-port 1812
 accounting-port 1813
tunnel-group RA type remote-access
tunnel-group RA general-attributes
 address-pool vpn-pool
 authentication-server-group DC_Group
 authorization-server-group DC_Group
 accounting-server-group DC_Group
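As an added illustration that is not part of this thread and not Cisco code: a small Python model of how the ASA walks the hosts in one AAA server group. It encodes the documented rule that the ASA only moves to the next host when the current host does not answer (after max-failed-attempts unanswered requests the host is deactivated, and in the default depletion mode the whole group is reactivated once every host is down); an explicit reject from a host ends the attempt. The host labels, user names, passwords and the "directory" lookups are constructed for the demo.

```python
"""Model of Cisco ASA AAA server-group failover (constructed example, not Cisco code).

Documented behaviour being modelled:
  - hosts in a group are tried in configured order;
  - the next host is tried only when the current one does not respond;
  - an accept or reject from a responding host is final for that request;
  - a host is deactivated after max-failed-attempts (default 3) unanswered
    requests, and with reactivation-mode depletion (the default) all hosts
    are reactivated once every host in the group has been deactivated.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, TIMEOUT, NO_SERVER = "accept", "reject", "timeout", "no-server"


@dataclass
class AaaServer:
    name: str                                # constructed label, e.g. "DMZ1 host 10.20.1.1"
    responder: Callable[[str, str], str]     # returns ACCEPT / REJECT / TIMEOUT
    failed: int = 0                          # consecutive unanswered requests
    active: bool = True                      # False once deactivated by the group


@dataclass
class AaaServerGroup:
    name: str
    servers: List[AaaServer]
    max_failed_attempts: int = 3             # ASA default

    def _reactivate_if_depleted(self) -> None:
        # depletion mode: bring every host back once all of them are down
        if all(not s.active for s in self.servers):
            for s in self.servers:
                s.active, s.failed = True, 0

    def authenticate(self, user: str, password: str) -> Tuple[str, Optional[str]]:
        """Return (verdict, host that produced it). A reject never falls through."""
        self._reactivate_if_depleted()
        for srv in self.servers:
            if not srv.active:
                continue
            verdict = srv.responder(user, password)
            if verdict == TIMEOUT:
                srv.failed += 1
                if srv.failed >= self.max_failed_attempts:
                    srv.active = False
                continue                     # unreachable: try the next host
            srv.failed = 0
            return verdict, srv.name         # accept or reject is final
        return NO_SERVER, None


def directory(users: Dict[str, str]) -> Callable[[str, str], str]:
    """Constructed stand-in for a DC: password match -> accept, otherwise reject."""
    return lambda user, password: ACCEPT if users.get(user) == password else REJECT


def unreachable(user: str, password: str) -> str:
    """Constructed stand-in for a host that never answers."""
    return TIMEOUT


def build_group(prod_reachable: bool = True) -> AaaServerGroup:
    """Two DCs, each knowing only its own domain's users (constructed data)."""
    prod = AaaServer("DMZ1 host 10.20.1.1",
                     directory({"alice": "pw1"}) if prod_reachable else unreachable)
    dev = AaaServer("DMZ2 host 10.20.2.1", directory({"bob": "pw2"}))
    return AaaServerGroup("DC_Group", [prod, dev])


if __name__ == "__main__":
    g = build_group()
    print(g.authenticate("alice", "pw1"))   # ('accept', 'DMZ1 host 10.20.1.1')
    print(g.authenticate("bob", "pw2"))     # ('reject', 'DMZ1 host 10.20.1.1'): DMZ2 never consulted
    g = build_group(prod_reachable=False)
    print(g.authenticate("bob", "pw2"))     # ('accept', 'DMZ2 host 10.20.2.1'): only after DMZ1 times out
```

Run it to see the difference between "the first host said no" and "the first host did not answer": only the second case reaches the second DC, which is why a user who exists solely in the development domain is denied while the production DC is up.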