Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

**** REMOTE ACCESS VPN WITH RSA AUTH MANAGER***

Hi all,

            I am currently working on this project to migrate our current working RSA Auth Manager server from our Branch to the DC. Since the current RSA server is quite old,  i have decided to build a new one with 8.0 Manager. The new server has been configured, and new token has been uploaded to it as well. Now it's time to tight new server with the ASA VPN tunnel. My goal is to tight the new server with the tunnel without disrupting traffic with the old server(I don't know a few settings for the old server usch as radius password;therefore, if i take the risk of delete or make any change, i may not be able to get it to work). I know the commands to type, but my question is since the old server will be at the top, how would i go to send authentication request to the second server on the list, in this case my newly added RSA server?

I also would like to keep the old server running while i am testing 8.0 server. Would like to keep the old server for up to 3 months;therefore, would like to have both servers authenticate clients..

That's the challenge that i am facing,

Thank you all for the help,

3 REPLIES
Cisco Employee

**** REMOTE ACCESS VPN WITH RSA AUTH MANAGER***

Jean Paul,

If the RADIUS key is in the config you can still get it out... from proviliged exec:

 more system:running-config

If you want to go to the next server on the list, you can use aaa-server priviliged exec command to switch the server on and off.

aaa-server TEST fail host 1.2.3.4

However please be aware of the re-activation mode you have (timed or depletion) it looks like you might need to use "depletion" mode in your case.

HTH,

M.

Community Member

**** REMOTE ACCESS VPN WITH RSA AUTH MANAGER***

Thanks Marcin.

I have infact get the key from the config for the current RSA MA server, but i am still reluctant to just remove the server since i am still testing. Therefore, i don't want to touch that server till i am 100% certain the new one is configured and runninf properly.

As per priority, i have tried the fail/active command in the ASA.

i have issued:

     aaa-server rsa fail host 192.168.xx.x1

     aaa-server rsa2 active host 192.16x.xx.x2

But since rsa(192.168.3.41) is that the top of the list,when i tried(test) to authenticate, it becomes active on his own. The packets never made it to rsa2!!

Any other ideas??

Thanks,

Cisco Employee

**** REMOTE ACCESS VPN WITH RSA AUTH MANAGER***

As I said, you need to check the ractivation method (depletion or timed).

Also In your case the servers are in different group (rsa and rsa2) so they do not form a logical list.

182
Views
0
Helpful
3
Replies
CreatePlease to create content