07-15-2024 12:36 AM
Which configuration should I do to add more than one RADIUS server on Cisco switches?
Note that I have to add the primary ISE IP, the secondary ISE IP and the HA IP.
Thanks.
07-15-2024 12:42 AM
@afathi1992 you define multiple RADIUS servers and then add those RADIUS servers to a RADIUS group.
radius server ISE-1
address ipv4 192.168.10.10 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX
!
radius server ISE-2
address ipv4 192.168.10.11 auth-port 1812 acct-port 1813
automate-tester username switch-probe ignore-acct-port probe-on
key XXXXXXXX
!
aaa group server radius ISE-RADIUS
server name ISE-1
server name ISE-2
You then reference the RADIUS group
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE-RADIUS
07-15-2024 01:05 AM
@afathi1992 yes, that should work on the 9200 and probably on the older 2960 hardware, depending on the IOS version. If not, you would define the RADIUS server using the command "radius-server host <ip address> key <key>" and reference it in the RADIUS server group.
07-15-2024 01:25 AM
Is this applicable for TACACS servers also, or is there a difference?
07-15-2024 01:37 AM
@afathi1992 same logic for TACACS servers, example:
tacacs server ISE01
address ipv4 10.1.4.205
key XXXXXXXX
tacacs server ISE02
address ipv4 10.1.4.206
key XXXXXXXX
!
aaa group server tacacs+ ISE-TACACS
server name ISE01
server name ISE02
!
aaa authentication login ISE-MLIST group ISE-TACACS local
aaa authorization exec ISE-MLIST group ISE-TACACS local if-authenticated
aaa authorization commands 1 ISE-MLIST group ISE-TACACS local if-authenticated
aaa authorization commands 15 ISE-MLIST group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
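Added example for both the RADIUS and the TACACS answers above; this is not code from the thread or from Cisco. It renders the server definitions plus the aaa group for any number of servers (primary, secondary, HA) and lints a pasted config for the mistakes that quietly remove failover: a server without an address or key, a group member that is undefined or listed twice, a group with fewer than two distinct members, and a method list that names a group which does not exist. The function names, the sample server names and addresses, and the key placeholder are all constructed for illustration.

```python
"""Render and lint Cisco IOS AAA server-group config (added example, not from
the thread or from Cisco; names, addresses and the key placeholder are made up)."""
import re

SERVER_RE = re.compile(r"^(radius|tacacs) server (\S+)\s*$")
GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)\s*$")
MEMBER_RE = re.compile(r"^server name (\S+)\s*$")
METHOD_RE = re.compile(r"^aaa (?:authentication|authorization|accounting) .*\bgroup (\S+)")


def render_server_group(protocol, group_name, servers):
    """Emit 'radius server'/'tacacs server' blocks plus the aaa group for any
    number of (name, ipv4) pairs, e.g. primary ISE, secondary ISE and HA."""
    if protocol not in ("radius", "tacacs"):
        raise ValueError("protocol must be 'radius' or 'tacacs'")
    lines = []
    for name, ip in servers:
        lines.append(f"{protocol} server {name}")
        if protocol == "radius":
            lines.append(f" address ipv4 {ip} auth-port 1812 acct-port 1813")
            # the probe marks a dead server so the switch moves to the next one
            lines.append(" automate-tester username switch-probe ignore-acct-port probe-on")
        else:
            lines.append(f" address ipv4 {ip}")
        lines.append(" key <SHARED-SECRET-PLACEHOLDER>")  # replace before deploying
        lines.append("!")
    lines.append(f"aaa group server {'radius' if protocol == 'radius' else 'tacacs+'} {group_name}")
    lines.extend(f" server name {name}" for name, _ in servers)
    lines.append("!")
    return "\n".join(lines) + "\n"


def lint_aaa_config(config_text):
    """Return problems that weaken or break failover: a server without address
    or key, an undefined or repeated group member, a group with fewer than two
    distinct members, or a method list naming a group that does not exist."""
    servers, groups, used_groups = {}, {}, set()
    context = None  # ("server", name) | ("group", name) | None
    for raw in config_text.splitlines():
        line = raw.strip()  # forum pastes often lose indentation, so do not rely on it
        if not line or line == "!":
            context = None
            continue
        if m := SERVER_RE.match(line):
            context = ("server", m.group(2))
            servers.setdefault(m.group(2), {"address": False, "key": False})
        elif m := GROUP_RE.match(line):
            context = ("group", m.group(2))
            groups.setdefault(m.group(2), [])
        elif line.startswith("aaa "):
            context = None  # any other aaa line ends the current block
            if m := METHOD_RE.match(line):
                used_groups.add(m.group(1))
        elif context and context[0] == "server":
            if line.startswith("address ipv4 "):
                servers[context[1]]["address"] = True
            elif line.startswith("key "):
                servers[context[1]]["key"] = True
        elif context and context[0] == "group":
            if m := MEMBER_RE.match(line):
                groups[context[1]].append(m.group(1))

    problems = []
    for name, attrs in servers.items():
        for field in ("address", "key"):
            if not attrs[field]:
                problems.append(f"server {name}: no {field} configured")
    for gname, members in groups.items():
        seen = set()
        for member in members:
            if member not in servers:
                problems.append(f"group {gname}: references undefined server {member}")
            if member in seen:
                problems.append(f"group {gname}: server {member} listed more than once")
            seen.add(member)
        if len(seen) < 2:
            problems.append(f"group {gname}: fewer than two distinct servers, no failover")
    for gname in sorted(used_groups - set(groups)):
        problems.append(f"method list references undefined group {gname}")
    return problems


# Constructed sample: a TACACS group whose second member line repeats the
# first server name, the kind of slip a copy and paste produces.
SAMPLE_BAD_TACACS = """\
tacacs server ISE01
 address ipv4 10.1.4.205
 key XXXXXXXX
tacacs server ISE02
 address ipv4 10.1.4.206
 key XXXXXXXX
!
aaa group server tacacs+ ISE-TACACS
 server name ISE01
 server name ISE01
!
aaa authentication login ISE-MLIST group ISE-TACACS local
"""
```

Running `lint_aaa_config(SAMPLE_BAD_TACACS)` reports that ISE01 is listed twice and that the group therefore has only one distinct server, which is exactly the case where the switch would never try ISE02. Feeding the output of `render_server_group("radius", "ISE-RADIUS", [...])` with three addresses back into the linter returns no problems; the key placeholder still has to be replaced with the real shared secret before the config is applied.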
07-15-2024 12:56 AM
Thanks a lot. I need to know if this is applicable for both Cisco switch series, the 2960 and the 9200.