topic Re: AAA Radius Servers in Network Access Control

AAA Radius Servers

afathi1992 — Mon, 15 Jul 2024 07:36:43 GMT

which configuration should I do to add more than one radius server on cisco switches

note that I have to add Primary ISE IP, Secondary ISE IP and the HA IP

Thanks.

Re: AAA Radius Servers

Rob Ingram — Mon, 15 Jul 2024 07:42:04 GMT

@afathi1992 you define multiple RADIUS servers and then add those radius servers to RADIUS group.

radius server ISE-1
address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX
!
radius server ISE-2
address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX
!
aaa group server radius ISE-RADIUS
server name ISE-1
server name ISE-2

You then reference the RADIUS group

aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE-RADIUS

Re: AAA Radius Servers

afathi1992 — Mon, 15 Jul 2024 07:56:05 GMT

thanks a lot, I need to know is this applicable for both cisco switches series 2960 and 9200

Re: AAA Radius Servers

Rob Ingram — Mon, 15 Jul 2024 08:05:23 GMT

@afathi1992 yes that should work on both 9200 and probably on the older 2960 hardware, depending on IOS version. If not you would define the RADIUS server using the command "radius-server host <ip address> key <key>" and reference in the RADIUS server group.

Re: AAA Radius Servers

afathi1992 — Mon, 15 Jul 2024 08:25:10 GMT

is this applicable for Takac's servers also or there is a different?

Re: AAA Radius Servers

Rob Ingram — Mon, 15 Jul 2024 08:37:40 GMT

@afathi1992 same logic for TACACS servers, example:

tacacs server ISE01
 address ipv4 10.1.4.205
 key XXXXXXXX
tacacs server ISE02
 address ipv4 10.1.4.206
 key XXXXXXXX
!
aaa group server tacacs+ ISE-TACACS
 server name ISE01
 server name ISE01
!
aaa authentication login ISE-MLIST group ISE-TACACS local
aaa authorization exec ISE-MLIST group ISE-TACACS local if-authenticated 
aaa authorization commands 1 ISE-MLIST group ISE-TACACS local if-authenticated 
aaa authorization commands 15 ISE-MLIST group ISE-TACACS local if-authenticated 
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS