Cisco RAS check two different RADIUS servers

Hi all,

I am using a Cisco 2600 router as a RAS for remote users to connect to the network through dial-up modems. I have two RADIUS servers with two different user databases. Is it possible to configure the router so that it will check the 1st RADIUS server first and, if the user is not in this RADIUS server, it will check the 2nd RADIUS server? Please note that both of the RADIUS servers are UP and running. Thanks.

Regards, Dovelet

Reply to
Dovelet

try something like :

aaa group server radius RADIUS_SERVERS
 server x.x.x.x ! 1st RADIUS server
 server y.y.y.y ! 2nd RADIUS server
 exit

aaa authentication login default group RADIUS_SERVERS

Reply to
Merv

this wouldn't work for the purposes of the original poster because the 2nd server will only be contacted from the NAS in the case that the 1st server did not answer - neither ACCEPT nor REJECT (it is a fallback for server burnings and something like that ;). as long as the NAS receives ACCEPTs or REJECTs from a particular RADIUS server, it will not change to another one. the desired "server hopping" has to be done outside of the NAS.

--gerald

Reply to
Gerald Krause

Hi,

What is "server hopping"? Do you mean I need an external server to do so?

Regards, Dovelet

Reply to
Dovelet

correct, something like this:

              -----> RADIUS1
             /
NAS --> PROXY
             \
              -----> RADIUS2

or

NAS --> RADIUS1/PROXY --> RADIUS2

if your favourite RADIUS server has the feature you are looking for already integrated.

--gerald

Reply to
Gerald Krause

A router will look at the second RADIUS server only if the first is not responding. If the first responds with an Access-Reject, then the request would not go to the second RADIUS server.

You will have to configure your primary radius server to forward the request.

Reply to
Vivek
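The proxy behaviour Gerald's diagram and Vivek's reply describe, written out as an added simulation (not code from the thread or from any vendor): the proxy asks RADIUS1 first and hops to RADIUS2 only after an Access-Reject or no answer, which is exactly what the NAS alone will not do. Packet layout and the Response Authenticator follow RFC 2865; the server functions, secrets and user lists are constructed stand-ins, so the proxy also shows why a reply must verify against the shared secret before its Accept is trusted.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def simulated_server(user_db, secret):
    """Constructed stand-in for one RADIUS server: Accept only if the user is in its own database."""
    def respond(ident, request_auth, username):
        code = ACCESS_ACCEPT if username in user_db else ACCESS_REJECT
        auth = response_authenticator(code, ident, b"", request_auth, secret)
        return HEADER.pack(code, ident, 20) + auth  # no attributes in the reply
    return respond

def verified_code(reply, ident, request_auth, secret):
    """Return the reply code only if identifier, length and Response Authenticator check out."""
    if len(reply) < 20:
        return None
    code, rid, length = HEADER.unpack(reply[:4])
    if rid != ident or length != len(reply):
        return None
    expected = response_authenticator(code, rid, reply[20:], request_auth, secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None

def proxy_authenticate(servers, ident, request_auth, username):
    """The PROXY box from the diagram: ask servers in order, hop on Reject or no answer.
    servers is a list of (name, shared_secret, respond_fn); respond_fn returns None for a timeout."""
    for name, secret, respond in servers:
        reply = respond(ident, request_auth, username)
        if reply is None:
            continue  # no answer at all: the same failover a NAS server group would do
        code = verified_code(reply, ident, request_auth, secret)
        if code == ACCESS_ACCEPT:
            return name, ACCESS_ACCEPT
        # Access-Reject, or a reply that does not verify against the secret: try the next one
    return None, ACCESS_REJECT
```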

There is a way to have the user choose which RADIUS server to authenticate with via the command 'tacacs-server directed-request' on the RAS, but you need to specify the RADIUS server you would like to authenticate with in the username field. For example user@radiusIP, and the router will strip the @radiusIP and send just the username to the appropriate RADIUS server. Probably not going to help, but figured I'd throw it out there just in case it could be an option for you.

Reply to
lobnetworks
