check multiple RADIUS servers for AAA?

Is it possible to configure multiple RADIUS servers for AAA authentication of ppp sessions in such a way that the authentication result is the logical OR of the queries?

I.e., the router always queries SERVER1 first, and when it returns an ACCEPT, the user is authenticated. When it returns a REJECT, SERVER2 is queried and when it returns an ACCEPT, the user is authenticated. When it returns a REJECT too, the access is denied.

I have read about configuring multiple radius servers but I get the impression that it is for redundancy/fallback. Will the router try the other server when it gets a REJECT, or only when it times out on the first server?

I want to use this configuration to gradually migrate users from one authentication method to another.

Rob

That's the default for most of the AAA implementations I came across.

Did you try it out?

Lutz Donnerhacke

No, I did not try it yet, but when reading through the docs I see things like "deadtime" etc. mentioned, which lead me to believe that the mechanism is mainly for failover.

Our current config is like this:

aaa new-model

aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization network default if-authenticated
aaa accounting network default start-stop group radius

radius server dc.example.com
 address ipv4 192.168.2.1 auth-port 1812 acct-port 1813
 timeout 1
 retransmit 3
 key 7 [encrypted pw]

This authenticates the ppp sessions with an MS IAS server. Now I would like to migrate the users to a Vasco server that checks codes output by keyfob tokens. But not all on the same day :-)

I think I need to set up a radius group, but from the docs I do not see a defined ordering of servers in a group, so that I can control which server is tried first. Maybe it tries them top-to-bottom; I have to test.

Hopefully someone knows the answer so I don't have to wire up the whole thing and then find that it cannot be done this way...

Rob
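For reference, this is what the server group Rob is asking about looks like in IOS. It is an added illustration, not configuration from the thread; the group name MIGRATION, the server name VASCO with address 192.168.2.2, and the bracketed key placeholders are assumed (dc.example.com / 192.168.2.1 is the IAS server from the posted config). The caveat a practitioner wants here: servers in a group are tried in the order they are listed, but the router only moves on to the next server when the current one does not answer within timeout x retransmit (after which deadtime keeps it marked dead). An Access-Reject is a definitive answer and ends the attempt, so a group by itself gives redundancy, not the "logical OR" described in the question.

```cisco
! Both servers defined; the group lists them in the order they are tried.
radius server VASCO
 address ipv4 192.168.2.2 auth-port 1812 acct-port 1813
 timeout 1
 retransmit 3
 key [shared secret]
!
radius server IAS
 address ipv4 192.168.2.1 auth-port 1812 acct-port 1813
 timeout 1
 retransmit 3
 key [shared secret]
!
aaa group server radius MIGRATION
 server name VASCO
 server name IAS
!
! Failover inside the group happens on no response only: a reject from
! VASCO is final for that request and IAS is not consulted.
aaa authentication ppp default local group MIGRATION
```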

ISTR from setting up Vasco auth with an ASA that the Vasco stuff was horrendously complex /but/ very flexible as well. I think you could easily enough point the router at just your Vasco service and get the Vasco service to require a token for a given user [or not], or make the distinction in the AD that backs the Vasco service [if applicable].

But surely you were going to test this in the lab first, right?

alexd

You mean that the vasco server can be configured to relay the request to the IAS server when it cannot validate the request itself? I will see if that is possible.

Unfortunately I have no lab with sufficient equipment to test this. But I can test at a time the system is not in use and roll back when it does not work. I only want to save myself the effort when someone says "that cannot be done within the Cisco, no need to try", in which case I would have investigated the option you gave above, or the option to put another server in between that could do it.

Rob
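The "another server in between" that Rob mentions, doing exactly the SERVER1-then-SERVER2 logic from the opening question, as an added example that is not part of the thread and not Cisco, Vasco or IAS code. It is a minimal RADIUS proxy: it takes the Access-Request from the NAS, asks the first backend, and asks the second only when the first answers Access-Reject (or does not answer at all). The two backends, the shared secrets and the user lists are constructed in-process so the script runs offline. The detail that matters when you build this for real is also the one people get wrong: User-Password is not just forwarded, because it is encrypted under each hop's shared secret and Request Authenticator (RFC 2865 section 5.2), so the proxy decrypts with the NAS secret and re-encrypts for each backend, and it checks every reply's Response Authenticator so a spoofed Access-Accept from the wire cannot be relayed to the NAS.

```python
"""Added example (not from the thread): a RADIUS "logical OR" proxy that asks
backend 1 first and backend 2 only when backend 1 rejects or stays silent.
Backends run in-process; all names and secrets below are constructed."""
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def encrypt_user_password(password, secret, req_auth):
    # RFC 2865 s5.2: pad to 16n bytes; XOR block i with MD5(secret + block i-1),
    # where "block 0" is the Request Authenticator.
    plain = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(plain), 16):
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], _md5(secret, prev)))
        out += prev
    return out

def decrypt_user_password(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], _md5(secret, prev)))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def _encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def build_request(ident, req_auth, attrs):
    body = _encode_attrs(attrs)
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + req_auth + body

def build_response(code, ident, req_auth, secret, attrs=()):
    # Response Authenticator (RFC 2865 s3) = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)
    body = _encode_attrs(attrs)
    head = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
    return head + _md5(head, req_auth, body, secret) + body

def verify_response(pkt, req_auth, secret):
    return len(pkt) >= 20 and hmac.compare_digest(pkt[4:20], _md5(pkt[:4], req_auth, pkt[20:], secret))

def parse_packet(pkt):
    """Return (code, id, authenticator, {type: value}); refuse malformed lengths."""
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return pkt[0], pkt[1], pkt[4:20], attrs

class Backend:
    """In-process stand-in for one RADIUS server (constructed for the demo)."""
    def __init__(self, secret, users):
        self.secret, self.users = secret, users

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
            return None  # a real server silently discards these (RFC 2865 s4.1)
        stored = self.users.get(attrs[USER_NAME].decode(errors="replace"))
        given = decrypt_user_password(attrs[USER_PASSWORD], self.secret, req_auth)
        ok = stored is not None and hmac.compare_digest(given, stored)
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, self.secret)

def proxy_authenticate(nas_pkt, nas_secret, backends):
    """First Access-Accept wins; a Reject, silence or an unverifiable reply falls
    through to the next backend; the NAS gets Reject only when all backends failed."""
    code, ident, req_auth, attrs = parse_packet(nas_pkt)
    if code != ACCESS_REQUEST or USER_PASSWORD not in attrs:
        raise ValueError("expected an Access-Request carrying User-Password")
    # User-Password is encrypted per hop: decrypt with the NAS secret, then
    # re-encrypt for each backend under a fresh Request Authenticator.
    password = decrypt_user_password(attrs[USER_PASSWORD], nas_secret, req_auth)
    for backend in backends:
        hop_auth = os.urandom(16)
        reply = backend.handle(build_request(ident, hop_auth, [
            (USER_NAME, attrs.get(USER_NAME, b"")),
            (USER_PASSWORD, encrypt_user_password(password, backend.secret, hop_auth))]))
        if reply is None or not verify_response(reply, hop_auth, backend.secret):
            continue  # timeout, or a reply not bound to this backend's secret
        if reply[0] == ACCESS_ACCEPT:
            return build_response(ACCESS_ACCEPT, ident, req_auth, nas_secret)
    return build_response(ACCESS_REJECT, ident, req_auth, nas_secret)

NAS_SECRET = b"nas-secret"                                        # constructed values
TOKEN_SERVER = Backend(b"vasco-secret", {"bob": b"482913"})       # users already on tokens
LEGACY_SERVER = Backend(b"ias-secret", {"alice": b"Winter2024"})  # everyone else

def nas_authenticate(user, password):
    # The NAS side: one Access-Request through the proxy, reply checked and decoded.
    req_auth = os.urandom(16)
    pkt = build_request(7, req_auth, [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, encrypt_user_password(password.encode(), NAS_SECRET, req_auth))])
    reply = proxy_authenticate(pkt, NAS_SECRET, [TOKEN_SERVER, LEGACY_SERVER])
    if not verify_response(reply, req_auth, NAS_SECRET):
        raise ValueError("reply not bound to the NAS secret")
    return reply[0] == ACCESS_ACCEPT
```

Calling nas_authenticate("alice", "Winter2024") returns True because the token server rejects her and the legacy server accepts; "bob" with his token code is accepted by the first backend and the second is never asked; an unknown user or a wrong password is rejected by both and the NAS sees a single Access-Reject. Note what such a proxy costs you: the NAS now only knows the proxy's secret, so the source of an Access-Accept (token or AD password) is invisible to it unless you have the proxy add an attribute, and with two answering servers a lockout policy on one backend no longer stops attempts against the other.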

No, I didn't mean that [but I don't know that it /can't/ do that]. What I meant was, point the Vasco service at the same place to get its users as the IAS uses currently. As I said, last time I looked at Identikey, it had about a bajillion options so it should be possible.

alexd

We have the Vasco service installed with AD integration. This means it stores its user accounts and attributes in the AD, but as far as I know I still need to create a Vasco account for every user that uses a token, by assigning a free token to that user. That will add some information to the AD for that user.

At that time, it is possible to assign a temporary static password to the user, that can be used instead of the token code until the user first logs in using a valid token code. At that time (or after a preset grace period), the static password no longer can be used.

However, when I want to do a smooth migration, I would have to assign the users a new static password and tell it to them, or ask the users to give their AD password and put it in the static password field of the Vasco tabs in Users&Computers.

I don't know about a method to tell the Vasco software to "do Identikey validation on all the users it knows about and validate the remaining users through AD info". Which is what I should be able to do by configuring two RADIUS servers in the router.

Rob

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.