05-09-2024 10:51 AM
SW2(config)#aaa server radius dynamic-author
SW2(config-locsvr-da-radius)#client 192.168.100.210 server-key Test123
SW2(config-locsvr-da-radius)#client 192.168.100.220 server-key Test123
Those commands mean that we set the AAA server (ISE1 and ISE2 in this case) as the authoritative server for clients attached to the switch, but here as clients we set ISE1 and ISE2 themselves!! I don't understand this!
Can anyone explain it, please?
05-09-2024 01:44 PM
aaa server radius dynamic-author - This enables ISE to act as an AAA server when interacting with the client
Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which a device accepts Change of Authorization (CoA) and disconnect
Configures the device as a AAA server to facilitate interaction with an external policy server.
Look at the good guide:
05-09-2024 02:34 PM - edited 05-09-2024 03:05 PM
@Jason2005 , CoA (Change of Authorization) is a departure from the original intention of how RADIUS works. Originally the protocol was client -> server only. This means, the RADIUS server just sits there all day long and waits for requests from clients. Servers don't initiate any traffic, only clients do. But then as the protocol developed, they realised that it's very helpful in some cases to allow the server to also have some control, and to speak to clients (e.g. to disconnect or re-auth existing sessions). CoA was born. Now we have server -> client. This means that clients need a list of RADIUS server(s) which are allowed to speak to it - in Cisco IOS we define that list with the command "aaa server radius dynamic-author"
05-10-2024 01:04 PM
ISE Secure Wired Access Prescriptive Deployment Guide
Please read our prescriptive deployment guides which explain these.