
802.1X - multi server radius ??

m.humbert
Level 1

Hi everyone,

I'm working on a project to deploy 802.1X security on all my L2 switches at our HQ. This part is the first step, but we plan to deploy this security on all L2 switches at remote sites (branch offices, shops, warehouses...).

- We are using NPS from Win2016 Std.

I would like to know if it is possible to set up two RADIUS servers for dot1x authentication on the switches (for redundancy purposes), like you can set up two DHCP servers.

So if the first RADIUS server is down, the switch tries to reach the second one...


1 Accepted Solution

Accepted Solutions

@m.humbert Yes, you can: set up 2 RADIUS servers and add them to an AAA group, then reference the group in the aaa authentication command.


radius server ISE-1
address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX
!
radius server ISE-2
address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX
!
aaa group server radius ISE-RADIUS
server name ISE-1
server name ISE-2
!
aaa authentication dot1x default group ISE-RADIUS


3 Replies


Hi Rob,

Many thanks for your help!

I had some trouble with other options, but I finally got it working.

Have a nice day!

Pat Pouna
Level 1

@m.humbert - Yes. Like @Rob Ingram said, you can list those in a group and use the group name in your aaa statements. The first in the list is the active one; if it is down, the switch tries the next one and so on.

On some platforms, it could look like this:


service password-encryption

aaa group server radius "ISE_Group_Name"
server-private "IP_ISE1" auth-port 1812 acct-port 1813 key "Radius_Key"
server-private "IP_ISE2" auth-port 1812 acct-port 1813 key "Radius_Key"

aaa authentication dot1x default group "ISE_Group_Name"
aaa authorization network default group "ISE_Group_Name"
aaa accounting dot1x default start-stop group "ISE_Group_Name"
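Putting the two answers above together, here is a fuller switch-side configuration as an added example. It is not Rob Ingram's or Pat Pouna's configuration and does not come from the original thread; server names, addresses, the probe account, VLAN numbers and the interface are placeholders, and the dead-criteria/deadtime values are my own choice (IOS/IOS-XE syntax). The point it adds beyond the group itself: listing two servers is only half of the redundancy story. With the default deadtime of 0, a server that has stopped answering is never skipped, so every new authentication still waits for the first server to time out before the second one is tried. Declaring a server dead and skipping it for a while makes the failover the original poster is asking about actually fast, and a critical-auth fallback on the port keeps users connected if both NPS servers are unreachable.

```cisco
! --- Global AAA and RADIUS definitions (illustrative placeholders) ---
aaa new-model
!
! Two NPS servers. Each switch must also be registered on BOTH NPS
! servers as a RADIUS client with the matching shared secret.
radius server NPS-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key 0 PLACEHOLDER-SHARED-SECRET-1
 automate-tester username radius-probe ignore-acct-port probe-on
!
radius server NPS-2
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key 0 PLACEHOLDER-SHARED-SECRET-2
 automate-tester username radius-probe ignore-acct-port probe-on
!
! Note: "service password-encryption" only hides keys as reversible
! type 7. For type 6 (AES) key storage use instead:
!   key config-key password-encrypt PLACEHOLDER-MASTER-KEY
!   password encryption aes
!
! Fast failover: mark a server dead after 3 unanswered requests within
! 10 seconds, then skip it for 15 minutes instead of retrying it first
! on every new authentication (default deadtime is 0 = never skipped).
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
! Ordered group: NPS-1 is tried first; NPS-2 is used while NPS-1 is dead.
aaa group server radius NPS-GROUP
 server name NPS-1
 server name NPS-2
 ip radius source-interface Vlan10
!
aaa authentication dot1x default group NPS-GROUP
aaa authorization network default group NPS-GROUP
aaa accounting dot1x default start-stop group NPS-GROUP
!
dot1x system-auth-control
!
! Per-port: authenticate, but keep a critical-auth fallback so a total
! RADIUS outage does not lock every user out (VLAN 20 is a placeholder).
interface GigabitEthernet1/0/1
 description Access port
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication event server dead action authorize vlan 20
 authentication event server alive action reinitialize
 dot1x pae authenticator
!
end
!
! Verification (exec mode):
!   show aaa servers                                  -> UP/DEAD state and counters per server
!   test aaa group NPS-GROUP probe-user probe-pass new-code
```

To confirm the failover path before relying on it, stop the NPS service on the first server and watch `show aaa servers` flip that entry to DEAD while authentications keep succeeding through the second one; the `automate-tester` probe from the thread is what lets the switch detect recovery and move back to the first server after the deadtime expires.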