Cisco Support Community

I need to configure a redundant IPSec Connection Profile

I'm moving off of a single RADIUS server on a Windows 2003 domain controller, and onto a pair of Network Access Protection / Network Policy domain controllers on Windows 2008 servers.

I've set up the Windows server side. My questions are regarding the configuration on the Cisco 5520 ASA.

I am trying to configure the pair of servers in the AAA Server Group so that if one fails, the other will provide authentication for remote VPN users.

The remote users are all using the latest version of the Cisco VPN client to connect.

1) Am I correct in understanding that the default behavior of having multiple servers listed in an AAA Server Group will result in the next one in the list being used for remote authentication if the first one fails to respond? In other words, do I need to do anything other than having that second server in the list to provide simple redundancy?

2) Having configured a new AAA Server Group and already having a Group Policy, am I correct in assuming that all I have to do to switch to the new configuration is to go to the current IPsec Connection Profile and use the drop-down menu to select the new User Authentication Server Group? The reason I ask is because

3) In IPsec Connection Profiles, under a specific profile, under Advanced, under Authentication, the heading says "Interface-Specific Authentication Server Groups", and it looks like we can set or override the Server Group. Currently I am thinking I can leave this Advanced setting blank, because we have another correctly working Connection Profile that allows remote iPhones to connect, and it has nothing in this setting.
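Added example, not from the original post: the CLI equivalent of what the three ASDM questions above configure on an ASA, so the pieces can be checked against `show running-config`. The server group name (NPS-RADIUS), interface name, host addresses, shared secrets, tunnel-group name and test account are placeholders and are not taken from the poster's environment.

```cisco
! Added example, not the poster's configuration. Group name, interface,
! addresses, shared secrets and the test account are placeholders.
!
! Question 1: one server group, two NPS hosts. The ASA tries hosts in the
! order they are listed and moves to the next host only when the current
! one stops answering (timeout x max-failed-attempts). An Access-Reject
! is an answer: a bad password on host 1 is not retried on host 2.
aaa-server NPS-RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server NPS-RADIUS (inside) host 10.0.0.11
 key <shared-secret-for-host-1>
 timeout 5
 authentication-port 1812
 accounting-port 1813
aaa-server NPS-RADIUS (inside) host 10.0.0.12
 key <shared-secret-for-host-2>
 timeout 5
 authentication-port 1812
 accounting-port 1813
!
! Question 2: bind the group to the remote-access connection profile.
! This is the "User Authentication Server Group" drop-down in ASDM.
tunnel-group RemoteVPN general-attributes
 authentication-server-group NPS-RADIUS
!
! Question 3: the interface-specific form only matters when users
! arriving on one interface should use a different group. Left unset,
! the profile-wide group above applies to every interface.
! authentication-server-group (outside) NPS-RADIUS
!
! Before cutting over, test each host by itself, then check their state.
test aaa-server authentication NPS-RADIUS host 10.0.0.11 username testuser password <password>
test aaa-server authentication NPS-RADIUS host 10.0.0.12 username testuser password <password>
show aaa-server NPS-RADIUS
```

Two checks worth doing before the old domain controller is retired: each NPS server must have the ASA registered as a RADIUS client with the same shared secret the ASA has under `key` for that host (a mismatch shows up as timeouts, not rejects, so it looks like a dead server), and the `test aaa-server` command should succeed against both hosts individually, since the second host is only exercised in production after the first one fails. Keep `timeout` short but above NPS's normal response time; the first login after an outage waits for `timeout` x `max-failed-attempts` on the dead host before the ASA marks it down and moves on, and in depletion mode that host stays marked down for `deadtime` minutes.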
