Cisco Defense Orchestrator

Create or Edit an ASA RADIUS Server Object or Group

About RADIUS Server Objects or Groups

When you create or edit an identity source object such as a RADIUS server object or a group of RADIUS server objects, CDO sends the configuration request to ASA devices through the SDC. 

Create a RADIUS Server Object

RADIUS servers provide AAA (authentication, authorization, and accounting) services.

Use the following procedure to create an object:

  1. From the CDO navigation bar, click Objects.
  2. Click Create Object > RA VPN Objects (ASA & FTD) > Identity Source.
  3. Enter an Object name for the object.
  4. Select the Device Type as ASA.
  5. Select RADIUS Server as the Identity Source Type. Click Continue.
  6. Edit the Identity Source configuration with the following properties:
  • Server Name or IP Address - The fully-qualified host name (FQDN) or IP address of the server.
  • Authentication Port (Optional) - The port on which RADIUS authentication and authorization are performed. The default is 1812.
  • Timeout - The length of time, 1-300 seconds, that the system waits for a response from the server before sending the request to the next server. The default is 10 seconds.
  • Server Secret Key (Optional) - The shared secret that is used to encrypt data between the ASA device and the RADIUS server. The key is a case-sensitive, alphanumeric string of up to 64 characters, with no spaces. The key must start with an alphanumeric character or an underscore, and it can contain the special characters $ & - _ . + @. The string must match the one configured on the RADIUS server. If you do not configure a secret key, the connection is not encrypted.
  7. Click Add.
  8. Review and deploy now the changes you made, or wait and deploy multiple changes at once.
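Because the Server Secret Key must match what is configured on the RADIUS server exactly, it is worth checking a candidate key against the constraints listed above before deploying it. The following added example (not part of the CDO product or this page) validates a key and a timeout value against those constraints and generates a random key that satisfies them; the function names are assumptions for illustration.

```python
import secrets
import string
from typing import List

# Constraints from the object properties above: case-sensitive, up to 64
# characters, no spaces, first character alphanumeric or underscore, other
# characters alphanumeric or one of $ & - _ . + @
ALNUM = set(string.ascii_letters + string.digits)
SECRET_SPECIALS = "$&-_.+@"
MAX_SECRET_LEN = 64


def validate_server_secret(secret: str) -> List[str]:
    """Return the list of constraint violations for a candidate key (empty if valid)."""
    if not secret:
        # Allowed by the UI, but then ASA-to-RADIUS traffic is not encrypted
        return ["empty: without a secret key the connection is not encrypted"]
    problems = []
    if len(secret) > MAX_SECRET_LEN:
        problems.append(f"too long: {len(secret)} characters (maximum {MAX_SECRET_LEN})")
    if secret[0] not in ALNUM and secret[0] != "_":
        problems.append("must start with an alphanumeric character or an underscore")
    bad = sorted({c for c in secret[1:] if c not in ALNUM and c not in SECRET_SPECIALS})
    if bad:  # a space shows up here as ' '
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def validate_timeout(seconds: int) -> bool:
    """The Timeout property accepts 1-300 seconds (default 10)."""
    return 1 <= seconds <= 300


def generate_server_secret(length: int = 32) -> str:
    """Generate a random key that satisfies the constraints, using the CSPRNG."""
    if not 1 <= length <= MAX_SECRET_LEN:
        raise ValueError(f"length must be 1-{MAX_SECRET_LEN}")
    alphabet = string.ascii_letters + string.digits + SECRET_SPECIALS
    first = secrets.choice(string.ascii_letters + string.digits)
    return first + "".join(secrets.choice(alphabet) for _ in range(length - 1))


if __name__ == "__main__":
    for key in ["Radius_Key.2024+@", "bad key", "$leading", generate_server_secret()]:
        print(repr(key), validate_server_secret(key) or "ok")
```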

Create a RADIUS Server Group

A RADIUS server group contains one or more RADIUS server objects. The servers within a group must be copies of each other. These servers form a chain of backup servers, so that if the first server is unavailable, the system can try the next server in the list.

Use the following procedure to create an object group:

  1. From the CDO navigation bar, click Objects.
  2. Click Create Object > RA VPN Objects (ASA & FTD) > Identity Source.
  3. Enter an Object name for the object.
  4. Select the Device Type as ASA.
  5. Select RADIUS Server Group as the Identity Source Type. Click Continue.
  6. Edit the Identity Source configuration with the following properties:
  • Dead Time - Failed servers are reactivated only after all servers have failed. The dead time is how long to wait after the last server fails before reactivating all servers. 
  • Maximum Failed Attempts - The number of failed requests (that is, requests that do not get a response) sent to a RADIUS server in the group before trying the next server. When the maximum number of failed attempts is exceeded, the system marks the server as Failed.
    For a given feature, if you configured a fallback method using the local database, and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for the duration of the dead time so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. 
  • Dynamic Authorization/Port (Optional) - If you enable RADIUS dynamic authorization or change of authorization (CoA) services for this RADIUS server group, the group will be registered for CoA notification and listen on the specified port for CoA policy updates from Cisco Identity Services Engine (ISE). Enable dynamic authorization only if you are using this server group in a remote access VPN in conjunction with ISE.
  7. Select an AD realm that supports the RADIUS server from the drop-down menu. If you have not already created an AD realm, click Create from inside the drop-down menu.
  8. Click the RADIUS SERVER Add button to add existing RADIUS server objects. Optionally, you can create a new RADIUS server object from this window if necessary.

Note: Add these objects in priority, as the first server in the list is used until it is unresponsive. ASA then defaults to the next server in the list. 

  9. Review and deploy now the changes you made, or wait and deploy multiple changes at once.
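The interaction between priority order, Maximum Failed Attempts, Dead Time and the local fallback described above is easier to see in a small model. The following added example (not CDO or ASA code) simulates a RADIUS server group handling a series of authentication requests over time; the class and method names, and the `reachable` snapshot passed per request, are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RadiusServer:
    name: str
    failed_attempts: int = 0
    failed: bool = False


class RadiusServerGroup:
    """Servers are tried in list order. A server that gives no response
    max_failed_attempts times is marked Failed and the next one is tried.
    When every server is Failed the group is unresponsive: the fallback
    (local database, "LOCAL") is used immediately for dead_time seconds,
    after which all servers are reactivated at once."""

    def __init__(self, names: List[str], max_failed_attempts: int, dead_time: int):
        self.servers = [RadiusServer(n) for n in names]
        self.max_failed_attempts = max_failed_attempts
        self.dead_time = dead_time
        self.unresponsive_since: Optional[int] = None

    def _reactivate_all(self) -> None:
        for srv in self.servers:
            srv.failed_attempts, srv.failed = 0, False
        self.unresponsive_since = None

    def authenticate(self, now: int, reachable: Dict[str, bool]) -> str:
        """Return the name of the server that answered, or 'LOCAL' for the fallback.
        reachable maps server name -> whether it responds during this request."""
        if self.unresponsive_since is not None:
            if now - self.unresponsive_since < self.dead_time:
                return "LOCAL"  # still within dead time: no server is contacted
            self._reactivate_all()  # dead time elapsed: all servers back in service
        for srv in self.servers:
            if srv.failed:
                continue  # stays Failed until all servers have failed (dead time)
            while srv.failed_attempts < self.max_failed_attempts:
                if reachable.get(srv.name, False):
                    srv.failed_attempts = 0
                    return srv.name
                srv.failed_attempts += 1  # no response counts as a failed attempt
            srv.failed = True  # limit reached: mark Failed, move to next server
        self.unresponsive_since = now  # every server Failed: group unresponsive
        return "LOCAL"
```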

Edit a RADIUS Server Object or Group

Use the following procedure to edit a RADIUS server object or RADIUS server group:

  1. From the CDO navigation bar, click Objects.
  2. Locate the object you want to edit by using the object filters and search field.
  3. Select the object you want to edit.
  4. Click the edit icon in the Actions pane of the details panel.
  5. Edit the values in the dialog box in the same fashion that you created them in the procedures above. To edit or test the hostname/IP address or encryption information, expand the configuration bar. 
  6. Click Save.
  7. CDO displays the policies that will be affected by the change. Click Confirm to finalize the change to the object and any policy affected by it.
  8. Review and deploy now the changes you made, or wait and deploy multiple changes at once.