AAA Radius Servers

afathi1992
Level 1

Which configuration do I need to add more than one RADIUS server on Cisco switches?

Note that I have to add the primary ISE IP, the secondary ISE IP and the HA IP.

 

Thanks.



@afathi1992 you define multiple RADIUS servers and then add those RADIUS servers to a RADIUS server group.

! first ISE node
radius server ISE-1
 address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
 automate-tester username switch-probe ignore-acct-port probe-on
 key XXXXXXXX
!
! second ISE node
radius server ISE-2
 address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
 automate-tester username switch-probe ignore-acct-port probe-on
 key XXXXXXXX
!
! group that the aaa method lists point at
aaa group server radius ISE-RADIUS
 server name ISE-1
 server name ISE-2

You then reference the RADIUS group in the aaa method lists:

aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE-RADIUS

 

Is this also applicable to TACACS servers, or is there a difference?

@afathi1992 the same logic applies to TACACS servers, for example:

! first ISE node
tacacs server ISE01
 address ipv4 10.1.4.205
 key XXXXXXXX
! second ISE node
tacacs server ISE02
 address ipv4 10.1.4.206
 key XXXXXXXX
!
! group containing both nodes (each name listed once)
aaa group server tacacs+ ISE-TACACS
 server name ISE01
 server name ISE02
!
! method lists: try the group first, fall back to local accounts
aaa authentication login ISE-MLIST group ISE-TACACS local
aaa authorization exec ISE-MLIST group ISE-TACACS local if-authenticated
aaa authorization commands 1 ISE-MLIST group ISE-TACACS local if-authenticated
aaa authorization commands 15 ISE-MLIST group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
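A mistake that is easy to make in these blocks is listing the same server twice in a group, leaving a defined server (for instance the HA address) out of every group, or pointing a method list at a group name that was never created; the switch then silently has less redundancy than intended. The following added example (not part of this thread or of Cisco's tooling) is a small Python linter that parses the `radius server` / `tacacs server` definitions, the `aaa group server` memberships and the `group` keyword in `aaa` method lists from a saved config and reports those inconsistencies. The sample config embedded in it is constructed for illustration.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed sample (not from the thread): the group lists ISE01 twice and
# omits ISE02, and a RADIUS method list points at a group that is never built.
SAMPLE_CONFIG = """\
tacacs server ISE01
 address ipv4 10.1.4.205
 key XXXXXXXX
tacacs server ISE02
 address ipv4 10.1.4.206
 key XXXXXXXX
!
aaa group server tacacs+ ISE-TACACS
 server name ISE01
 server name ISE01
!
aaa authentication login ISE-MLIST group ISE-TACACS local
aaa authentication dot1x default group ISE-RADIUS
"""


def lint_aaa(config: str) -> list[str]:
    """Return human-readable findings about server/group consistency."""
    defined: set[str] = set()          # names from 'radius server' / 'tacacs server'
    groups: dict[str, list[str]] = {}  # group name -> member names as listed
    referenced: set[str] = set()       # group names used by aaa method lists
    members = None                     # member list of the group being parsed
    for line in config.splitlines():
        if m := re.match(r"^(?:radius|tacacs) server (\S+)", line):
            defined.add(m.group(1)); members = None
        elif m := re.match(r"^aaa group server (?:radius|tacacs\+) (\S+)", line):
            members = groups.setdefault(m.group(1), [])
        elif (m := re.match(r"^\s*server name (\S+)", line)) and members is not None:
            members.append(m.group(1))
        elif line.startswith("aaa "):
            members = None
            referenced.update(re.findall(r"\bgroup (\S+)", line))
        elif not line.startswith(" "):
            members = None               # any other top-level line ends the group
    findings = []
    for g, names in groups.items():
        for name, n in Counter(names).items():
            if n > 1:
                findings.append(f"group {g}: server {name} listed {n} times")
            if name not in defined:
                findings.append(f"group {g}: server {name} is not defined")
    used = {name for names in groups.values() for name in names}
    findings += [f"server {s} is defined but in no server group" for s in sorted(defined - used)]
    findings += [f"method list references undefined group {g}" for g in sorted(referenced - set(groups))]
    return findings
```

Run it over the output of `show running-config` before pushing a change, or as a pre-commit check on config backups.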

 

afathi1992
Level 1

Thanks a lot. I need to know whether this is applicable to both Cisco switch series, the 2960 and the 9200.

@afathi1992 yes, that should work on the 9200 and probably on the older 2960 hardware, depending on the IOS version. If not, you would define the RADIUS server using the command "radius-server host <ip address> key <key>" and reference it in the RADIUS server group.