
aaa authentication question

cxu21
Level 1

On our C9800 WLC, there are several lines about aaa authentication which confuse me.

The commands are as below:

aaa authentication login dnac-group1 group dnac-group1 local

aaa authentication login dnac-group2 group dnac-group2 local

My understanding is that the first dnac-group1 is the RADIUS group used for authentication by default, and the dnac-group1 after the group keyword tells the device to try this RADIUS server group for authentication and, if that fails, to use local.

Is my understanding correct?

If my understanding is correct, why do we need to configure the first RADIUS server group?

Also, is there any reason we have 2 aaa authentication lines?

 

Accepted Solutions

M02@rt37
VIP

Hello @cxu21 

aaa authentication login dnac-group1 group dnac-group1 local

aaa authentication login dnac-group2 group dnac-group2 local

- dnac-group1 and dnac-group2 are the method-list names. A method list specifies the authentication methods and the sequence in which they are applied.

- group dnac-group1 and group dnac-group2 indicate the RADIUS server group(s) to be used for authentication. If the first group fails, the second one is attempted.

- local is the keyword that specifies the local authentication (using the local username and password database) as a fallback if both RADIUS groups fail.

The reason for having two lines could be redundancy or load distribution. If you have multiple RADIUS servers or server groups, spreading the authentication attempts across them helps distribute the load or provides redundancy in case one group becomes unreachable.

Best regards

AAA can be configured per WLAN;
here each AAA group is used for a specific WLAN.
Run show run and check each WLAN's authentication; each group must appear under that WLAN.
MHM
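
An added example, not part of any post in this thread and not Cisco's code: a small Python audit that reads each aaa authentication login line as a method-list name followed by its methods in order, reports the order in which the methods are tried, and flags any group reference that has no matching aaa group server definition. The aaa group server block and the server name in the sample config are constructed for illustration; only the two method-list lines come from the thread.

```python
import re

# Constructed sample: the two "aaa authentication login" lines are from the
# thread; the "aaa group server" block and server name are assumed.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius dnac-group1
 server name radius-srv-1
aaa authentication login dnac-group1 group dnac-group1 local
aaa authentication login dnac-group2 group dnac-group2 local
"""

BUILTIN_GROUPS = {"radius", "tacacs+"}  # usable without an "aaa group server" block

def parse_login_method_lists(config):
    """Return {method_list_name: [(method, argument), ...]} in configured order."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", line.strip())
        if not m:
            continue
        tokens, methods, i = m.group(2).split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(("group", tokens[i + 1]))  # "group <server-group>"
                i += 2
            else:
                methods.append((tokens[i], None))  # e.g. local, enable, none
                i += 1
        lists[m.group(1)] = methods
    return lists

def defined_server_groups(config):
    """Names declared with 'aaa group server <type> <name>'."""
    return set(re.findall(r"^aaa group server \S+ (\S+)", config, re.M))

def audit(config):
    defined = defined_server_groups(config) | BUILTIN_GROUPS
    report = {}
    for name, methods in parse_login_method_lists(config).items():
        groups = [arg for kind, arg in methods if kind == "group"]
        report[name] = {
            "order": [f"{k} {a}" if a else k for k, a in methods],
            "undefined_groups": [g for g in groups if g not in defined],
            "local_fallback": any(k in ("local", "local-case") for k, _ in methods),
        }
    return report

if __name__ == "__main__":
    for list_name, info in audit(SAMPLE_CONFIG).items():
        print(list_name, info)
```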