Options
Radius service single point of failure (AD).
saddayz
Member Posts: 29 ■□□□□□□□□□
Deployed Radius M$ NPS service on CISCO devices. The AAA configuration (is default as usual). First to check for radius reachability, and then if the both radius servers is unavailable check in LOCAL db.
The main concern is what to do if the communication between a radius and AD (active directory) is down. In that case the radius is still reachable and sending the connection rejects because cant connect to AD.
Maybe you have some ideas how to be ready for that disaster ? For example in that worst-case-scenario it'd be nice to have a possiblity to disable the radius service, and then use LOCAL accounts on devices. But we're thinking of scenario where we couldn't turn of the radius service. So maybe any advices ?
One solution was on the devices where radius servers is connected - do the LOCAL authentification first and then RADIUS, but on NX-OS devices this configuration is not possible.
The other nice thing would be, that if NPS can't connect to the AD - it would not send the access REJECTS.
Thanks.
The main concern is what to do if the communication between a radius and AD (active directory) is down. In that case the radius is still reachable and sending the connection rejects because cant connect to AD.
Maybe you have some ideas how to be ready for that disaster ? For example in that worst-case-scenario it'd be nice to have a possiblity to disable the radius service, and then use LOCAL accounts on devices. But we're thinking of scenario where we couldn't turn of the radius service. So maybe any advices ?
One solution was on the devices where radius servers is connected - do the LOCAL authentification first and then RADIUS, but on NX-OS devices this configuration is not possible.
The other nice thing would be, that if NPS can't connect to the AD - it would not send the access REJECTS.
Thanks.