Backup Auth server

Aidar5
Occasional Contributor

Backup Auth server

Hello all,

I tested authentication via the backup Auth server (RSA manager configured) while the primary RSA was upgrading. I was able to authenticate from the user's perspective, but I didn't find evidence that I was authenticated by the backup Auth server.

Here is the user log from Pulse Secure SA4500:
Info PTR23276 2017/03/21 04:40:24 - ZZFDC2VPN2 - [****] - Gucci::CON-khairullin.aida(EMEA-RSA)[] - Password realm restrictions successfully passed for CON-khairullin.aida/EMEA-RSA
Info PTR23276 2017/03/21 04:40:24 - ZZFDC2VPN2 - [****] - Gucci::CON-khairullin.aida(EMEA-RSA)[] - Password realm restrictions successfully passed for CON-khairullin.aida/EMEA-RSA
Info PTR23370 2017/03/21 04:40:24 - ZZFDC2VPN2 - [****] - Gucci::CON-khairullin.aida(EMEA-RSA)[] - Attempting to authenticate user "CON-khairullin.aida" with auth server "RSA"
Info PTR22834 2017/03/21 04:40:54 - ZZFDC2VPN2 - ****::System()[] - Radius Server RSA: Login failed for CON-khairullin.aida because host 172.25.193.230:1812 is unreachable.
Info PTR23344 2017/03/21 04:40:56 - ZZFDC2VPN2 - [****] - Gucci::CON-khairullin.aida(EMEA-RSA)[] - Authentication successful to auth server "RSA"

As you can see, the authentication failed via the primary server, but then there is just a notification that authentication was successful.

Does it mean that I was authenticated via the backup server? Is there another way to check it on the SSL VPN device?
4 REPLIES
kapilaks1
Contributor

Re: Backup Auth server

The only way to check the authentication here is to check the logs on the backup RADIUS server. This is because when you configure an Auth Server, you configure it with a name, and the logs show the Auth Server name. As both RADIUS servers are configured under the same Auth Server name, the logs don't show the specific RADIUS server name.
Aidar5
Occasional Contributor

Re: Backup Auth server

Thank you for your reply. Unfortunately, I didn't manage to check the logs on the backup auth server because the primary and backup auth servers quickly replicated.
zanyterp
Moderator

Re: Backup Auth server

Is that IP the one that was being upgraded?
You are correct that if a backup auth server is used, for RADIUS or LDAP, it is not recorded which one was used.
Aidar5
Occasional Contributor

Re: Backup Auth server

Yes, 172.25.193.230 is the primary IP of RADIUS.
Thank you.
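
An added example, not part of the original thread or of any Pulse Secure tooling: since the user log names only the Auth Server and not the RADIUS host that answered, this sketch correlates a "host ... is unreachable" event with a later "Authentication successful" event for the same user and Auth Server, and reports the pair as a likely failover. It assumes the line layout shown in the first post and that message IDs PTR22834 and PTR23344 carry these two messages; the function name and the 60-second window are hypothetical, and the result is an inference, not proof of which server authenticated the user.

```python
import re
from datetime import datetime, timedelta

# Sample lines adapted from the log in the first post (not a full export).
SAMPLE_LOG = """\
Info PTR23370 2017/03/21 04:40:24 - ZZFDC2VPN2 - [****] - Gucci::CON-khairullin.aida(EMEA-RSA)[] - Attempting to authenticate user "CON-khairullin.aida" with auth server "RSA"
Info PTR22834 2017/03/21 04:40:54 - ZZFDC2VPN2 - ****::System()[] - Radius Server RSA: Login failed for CON-khairullin.aida because host 172.25.193.230:1812 is unreachable.
Info PTR23344 2017/03/21 04:40:56 - ZZFDC2VPN2 - [****] - Gucci::CON-khairullin.aida(EMEA-RSA)[] - Authentication successful to auth server "RSA"
"""

# Severity, message ID, timestamp, then the rest of the line.
HEAD = re.compile(r"^\w+ (PTR\d+) (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) - (.*)$")
UNREACHABLE = re.compile(
    r"Radius Server (\S+): Login failed for (\S+) because host (\S+) is unreachable")
SUCCESS = re.compile(
    r'::([^(\s]+)\([^)]*\)\[\] - Authentication successful to auth server "([^"]+)"')

def likely_failovers(log_text, window=timedelta(seconds=60)):
    """Return successes that follow an 'unreachable' event for the same user."""
    pending = {}  # (auth server name, user) -> (event time, unreachable host)
    hits = []
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        msg_id, stamp, rest = m.groups()
        when = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")
        if msg_id == "PTR22834" and (u := UNREACHABLE.search(rest)):
            server, user, host = u.groups()
            pending[(server, user)] = (when, host)
        elif msg_id == "PTR23344" and (s := SUCCESS.search(rest)):
            user, server = s.groups()
            prior = pending.pop((server, user), None)
            # Only pair events that are close together in time.
            if prior and when - prior[0] <= window:
                hits.append({"user": user, "auth_server": server,
                             "unreachable_host": prior[1], "success_at": when})
    return hits

if __name__ == "__main__":
    for hit in likely_failovers(SAMPLE_LOG):
        print(hit)
```

Confirming which RADIUS host actually accepted the request still requires the authentication logs on the RADIUS servers themselves, as the first reply says.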