https://community.cisco.com/t5/network-access-control/ibns-2-0-two-radius-servers-in-policy/m-p/3604382#M496714 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Did somebody manage to use two radius servers in Policy for dot1x?</P><P>We are doing a migration of clients and ISE and it would be helpful to check both servers and act on first access-accept.</P><P></P><P>I am basing the idea on slides from Cisco Live Session:</P><P></P><P><A href="https://clnv.s3.amazonaws.com/2015/anz/pdf/BRKSEC-2691.pdf" style="font-size: 10pt;" title="https://clnv.s3.amazonaws.com/2015/anz/pdf/BRKSEC-2691.pdf">https://clnv.s3.amazonaws.com/2015/anz/pdf/BRKSEC-2691.pdf</A></P><P></P><P>This would be Concurrent Authentication + Differentiated Authentication at the same time.</P><P></P><P>I tried different ideas but I did not manage to get it to work until now.</P><P></P><P>2 examples:</P><P></P><P>#####################</P><P></P><P></P><P>policy-map type control subscriber POLICY_Gi1/0/1</P><P> event session-started match-all</P><P>&nbsp; 10 class always do-until-failure</P><P>&nbsp;&nbsp;&nbsp; 10 authenticate using dot1x aaa authc-list RADIUS_NEW authz-list RADIUS_NEW priority 10 </P><P>&nbsp;&nbsp;&nbsp; 20 authenticate using dot1x aaa authc-list RADIUS_OLD authz-list RADIUS_OLD priority 15</P><P>&nbsp;&nbsp; </P><P> event authentication-success match-all</P><P>&nbsp; 10 class always do-until-failure</P><P>&nbsp;&nbsp; 10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE</P><P>&nbsp;&nbsp; </P><P>&nbsp;&nbsp; </P><P>#####################</P><P>&nbsp;&nbsp; </P><P>&nbsp;&nbsp; </P><P>policy-map type control subscriber POLICY_Gi1/0/1</P><P> event session-started match-all</P><P>&nbsp; 10 class always do-until-failure</P><P>&nbsp;&nbsp;&nbsp; 10 authenticate using dot1x aaa authc-list RADIUS_NEW authz-list RADIUS_NEW priority 10 </P><P></P><P></P><P>&nbsp; 20 class always do-until-failure</P><P>&nbsp;&nbsp;&nbsp; 10 authenticate using dot1x aaa authc-list RADIUS_OLD authz-list RADIUS_OLD priority 15</P><P>&nbsp;&nbsp; </P><P> event authentication-success match-all</P><P>&nbsp; 10 class always do-until-failure</P><P>&nbsp;&nbsp; 10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE</P><P>&nbsp;&nbsp; </P><P>I am wondering if this is possible at all. </P></BODY></HTML> Tue, 26 Jun 2018 13:39:35 GMT dawid.karol.bednarczyk 2018-06-26T13:39:35Z https://community.cisco.com/t5/network-access-control/ibns-2-0-two-radius-servers-in-policy/m-p/3604382#M496714 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Did somebody manage to use two radius servers in Policy for dot1x?</P><P>We are doing a migration of clients and ISE and it would be helpful to check both servers and act on first access-accept.</P><P></P><P>I am basing the idea on slides from Cisco Live Session:</P><P></P><P><A href="https://clnv.s3.amazonaws.com/2015/anz/pdf/BRKSEC-2691.pdf" style="font-size: 10pt;" title="https://clnv.s3.amazonaws.com/2015/anz/pdf/BRKSEC-2691.pdf">https://clnv.s3.amazonaws.com/2015/anz/pdf/BRKSEC-2691.pdf</A></P><P></P><P>This would be Concurrent Authentication + Differentiated Authentication at the same time.</P><P></P><P>I tried different ideas but I did not manage to get it to work until now.</P><P></P><P>2 examples:</P><P></P><P>#####################</P><P></P><P></P><P>policy-map type control subscriber POLICY_Gi1/0/1</P><P> event session-started match-all</P><P>&nbsp; 10 class always do-until-failure</P><P>&nbsp;&nbsp;&nbsp; 10 authenticate using dot1x aaa authc-list RADIUS_NEW authz-list RADIUS_NEW priority 10 </P><P>&nbsp;&nbsp;&nbsp; 20 authenticate using dot1x aaa authc-list RADIUS_OLD authz-list RADIUS_OLD priority 15</P><P>&nbsp;&nbsp; </P><P> event authentication-success match-all</P><P>&nbsp; 10 class always do-until-failure</P><P>&nbsp;&nbsp; 10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE</P><P>&nbsp;&nbsp; </P><P>&nbsp;&nbsp; </P><P>#####################</P><P>&nbsp;&nbsp; </P><P>&nbsp;&nbsp; </P><P>policy-map type control subscriber POLICY_Gi1/0/1</P><P> event session-started match-all</P><P>&nbsp; 10 class always do-until-failure</P><P>&nbsp;&nbsp;&nbsp; 10 authenticate using dot1x aaa authc-list RADIUS_NEW authz-list RADIUS_NEW priority 10 </P><P></P><P></P><P>&nbsp; 20 class always do-until-failure</P><P>&nbsp;&nbsp;&nbsp; 10 authenticate using dot1x aaa authc-list RADIUS_OLD authz-list RADIUS_OLD priority 15</P><P>&nbsp;&nbsp; </P><P> event authentication-success match-all</P><P>&nbsp; 10 class always do-until-failure</P><P>&nbsp;&nbsp; 10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE</P><P>&nbsp;&nbsp; </P><P>I am wondering if this is possible at all. </P></BODY></HTML> Tue, 26 Jun 2018 13:39:35 GMT https://community.cisco.com/t5/network-access-control/ibns-2-0-two-radius-servers-in-policy/m-p/3604382#M496714 dawid.karol.bednarczyk 2018-06-26T13:39:35Z https://community.cisco.com/t5/network-access-control/ibns-2-0-two-radius-servers-in-policy/m-p/3604383#M496715 <HTML><HEAD></HEAD><BODY><P>It sounds creative, but not sure why one would need such setup even for migration. Differentiated Auth is for using different RADIUS server for MAB and 802.1X so would not apply to this use case and frankly I don't think you can have IOS check multiple RADIUS servers for 802.1X unless you are trying to load-balance request. Also, note that concurrent auth is not supported if using ISE as RADIUS server.</P><P></P><P>If you can elaborate on what you are trying to achieve at a higher level, we may be able to provide other options.</P></BODY></HTML> Tue, 26 Jun 2018 23:42:24 GMT https://community.cisco.com/t5/network-access-control/ibns-2-0-two-radius-servers-in-policy/m-p/3604383#M496715 howon 2018-06-26T23:42:24Z