Radius IAS

dano992 used Ask the Experts™
The environment:
I have two domain controllers (DC1 and DC2) for one AD domain. Only DC1 is running IAS to provide RADIUS authentication for network elements.
RADIUS authentication works fine against this server.
My problem is that if DC1 fails we lose RADIUS.

Question 1: how easy would it be to get RADIUS on the second DC if the first fails?
Question 2: now that I think about it, the network elements (switches, firewalls, etc.) are pointing to the RADIUS on DC1, so they would all need to be changed.

What's the best way to go about this?

Some devices support a secondary RADIUS server, but if they don't...

Your best bet is to create a DNS alias (CNAME or A) for your IAS, and input that name as the RADIUS server. If you create multiple DNS A-records with the same name, then authentication will take place at random between the two servers.

If any of your IAS servers are unavailable, remove the record for the failed server. That at least saves you the trouble of updating all network devices.

If ALL of your domain controllers host RADIUS then you may also use the fully qualified domain name of your AD. That name will always resolve to any domain controller.

... that last part is just information, it's not my recommendation - I recommend creating dedicated resource records for services in general, not just IAS.


I think you missed my point here.
If I wanted to create fault tolerance for my RADIUS (IAS on DC1), how would I go about doing this?
I have DC2.
I can install IAS on these other 2 domain controllers, but what else would I need to do?
How would I keep these IAS synced?

You can export the complete IAS configuration (clients, policies, logging settings, connection request processing) with netsh:

netsh aaaa dump > filename.cfg

(this is a blob, no plain passwords)

Overwrite the configuration of another IAS with:

netsh exec filename.cfg

So make it a procedure to make changes to IAS on one server, and copy the settings to the other IAS server(s) with the above commands.
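The export/copy/import procedure above, automated as a single PowerShell script. This is an added example, not code from the thread; it assumes the secondary is named DC2, that the C$ admin share is reachable, that PowerShell remoting (WinRM) is enabled on the secondary, and a hypothetical C:\IASBackup folder on both hosts.

```powershell
# Added example: replicate the IAS configuration from this server to a
# secondary IAS host with the same netsh commands as the answer above.
# Assumptions: run as an administrator of both servers, C$ share reachable,
# WinRM enabled on the secondary. Server name and paths are hypothetical.
param(
    [string]$Secondary = 'DC2',                  # assumed name of the second IAS host
    [string]$LocalDir  = 'C:\IASBackup'          # assumed folder, same path on both hosts
)

$dumpFile = Join-Path $LocalDir 'ias.cfg'
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

# 1. Export clients, policies, logging and connection request processing.
#    cmd.exe redirection keeps the encoding that 'netsh exec' reads back.
cmd.exe /c "netsh aaaa dump > `"$dumpFile`""
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dumpFile)) {
    throw "netsh aaaa dump failed on $env:COMPUTERNAME"
}

# 2. Keep a dated copy so a bad change can be rolled back with 'netsh exec'.
Copy-Item $dumpFile ("{0}.{1:yyyyMMdd-HHmm}" -f $dumpFile, (Get-Date))

# 3. Copy the dump to the secondary over the admin share.
$remoteDir = "\\$Secondary\C$\" + $LocalDir.Substring(3)
New-Item -ItemType Directory -Path $remoteDir -Force | Out-Null
Copy-Item $dumpFile (Join-Path $remoteDir 'ias.cfg') -Force

# 4. Import on the secondary, then dump its live config for comparison.
$remoteDump = Invoke-Command -ComputerName $Secondary -ScriptBlock {
    param($cfg)
    cmd.exe /c "netsh exec `"$cfg`""
    if ($LASTEXITCODE -ne 0) { throw "netsh exec failed on $env:COMPUTERNAME" }
    cmd.exe /c "netsh aaaa dump"
} -ArgumentList $dumpFile

# 5. Verify: the two dumps should match line for line once the import is done.
$diff = Compare-Object (Get-Content $dumpFile) $remoteDump
if ($diff) {
    Write-Warning "IAS configuration on $Secondary differs from $env:COMPUTERNAME:"
    $diff | Format-Table -AutoSize
} else {
    Write-Host "IAS configuration on $Secondary matches $env:COMPUTERNAME."
}
```

Run it on the primary after every policy change; the Compare-Object step catches an import that silently failed or a change made directly on the secondary.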


Once I do that and configure the other domain controllers,
how do I sync them?

If a device is using DC1 to authenticate and it's not available, I want the device to automatically go to DC2.
Configuring RADIUS on the new server and getting the settings over there is step one; the second important step for the network devices would be to configure the second RADIUS host. I can speak for Cisco: multiple RADIUS hosts can be configured and are tried in order, and if one fails the second is consulted and so on. After configuring the devices they would need to be made RADIUS clients of the second RADIUS server; after configuring that you would have a fault-tolerant setup.


What do you mean by:
"After configuring the devices they would need to be made radius clients of the second radius server,"

As of now all my devices, which are Cisco, are configured to use RADIUS on DC1.
If I configure RADIUS (IAS) on the second DC,
configure the Cisco devices to add the second RADIUS DC2,

that should be it, correct?
"After configuring the devices they would need to be made radius clients of the second radius server,"
You've got that covered by copying the AAAA configuration.

As I said, if the device supports multiple authentication servers then that is the easiest way to go. A DNS alias is still an option if you have dozens of devices and really want to manage the IAS entry point centrally (in DNS). But that's not a failover solution (although repeated logons may be successful).

Please have a look at this article. You can repeat the "radius-server host ..." statement multiple times for additional servers on Cisco devices.

Another solution for devices that don't support secondary RADIUS servers is to use Network Load Balancing. NLB will also give you the full load-balanced/fault-tolerant solution. You should dedicate a separate network for NLB clusters though, but it's available in Standard edition. I don't recommend running NLB on a DC (because multihomed DCs are an issue), so you would need two member servers with additional network interfaces to a different subnet. If you have that option, we can investigate further.

The connection from IAS to a domain controller (or GC, if using User Principal Names) is already fault-tolerant because it just uses the DC location process.
