Ali Razavi
Beginner

Configuring Radius Exception

Hi everyone,

I've successfully configured several edge devices to use RADIUS.  I have an SNMP server that I would like to be able to use the default local authentication.  Is it possible to configure an exception so that when authentication is attempted from a particular machine, the router allows for local authentication?

Thank you in advance,

Ali


7 Replies
Tarik Admani
Advocate

I checked ISE and the exception is used for authorization. If authentication fails then you are out of luck, unless you plan on using an identity store sequence.

Thanks,

Sent from Cisco Technical Support iPad App

Muhammad Munir
Contributor

Hello Ali

From the Network Devices list page, you can configure new network devices where SNMP settings can also be configured. The polling interval that you specify here queries network access devices at regular intervals. In addition to configuring the SNMP Query probe, you must also configure other SNMP settings in the following location:

Administration > Network Resources > Network Devices.

You can turn on and turn off SNMP querying for specific NADs based on the following configurations:

SNMP Query on Link up and New MAC notification turned on or turned off
CDP SNMP Query on Link up and New MAC notification turned on or turned off
SNMP Query timer for once an hour for each switch by default

Note: When you configure SNMP settings on the network devices, you must ensure that the Cisco Device Protocol (CDP) is enabled (by default) on all the ports of the network devices. If you disable CDP on any of the ports on the network devices, then you may not be able to profile properly as you will miss the CDP information of all the connected endpoints. You must also ensure that the Link Layer Discovery Protocol (LLDP) is running on all the ports of the network devices.

The SNMP Trap receives information from the specific NADs that support MAC notification, linkup, linkdown, and informs. For SNMP Trap to be fully functional, you must enable SNMP Query also. The SNMP Trap probe receives information from the specific NADs when ports come up or go down and endpoints disconnect or connect to your network. The information received is not sufficient to create endpoints in Cisco ISE.

Note: Cisco ISE does not support SNMP Traps that are received from the Wireless LAN Controllers (WLCs) and Access Points (APs).

To configure the SNMP Trap, complete the following steps:

Step 1: Choose Administration > System > Deployment > Deployment Nodes List > Edit Node > Profiling Configuration.
Step 2: Enable Link Trap Query.
Step 3: Enable Mac Trap Query.
Step 4: Choose the Interface from the drop-down list. For example, GigabitEthernet 0.
Step 5: Enter the Port number. For example, 162.
Step 6: Enter the description of the SNMP Trap. For example, SNMP TRAP.
Step 7: Click Save.

Muhammad,

I think the question is regarding pulling configs from a management application that uses snmp to authenticate and pull the configuration. The steps you labeled concern snmp profiling for devices.

Thanks,

Sent from Cisco Technical Support iPad App

Ali Razavi
Beginner

Thank you guys for your responses, but none of this is on-track with my original request. Let's just forget about SNMP. I have configured radius authentication on a router, therefore all SSH sessions to that router will now use radius for authentication. I have some service (not SNMP) or some server that needs to regularly login to the router to retrieve configurations etc. Can I configure the router so that it will allow connections from that one IP address to use the default local authentication database instead of radius while all other connections still use radius for authentication, hence the phrase radius exception?

With aaa on the router you are unable to allow specific usernames to authenticate against radius while others authenticate locally. The local database is only used when the radius server fails. You will have to create an account locally on ISE.

Tarik Admani
*Please rate helpful posts*

Thank you Tarik. We do not have ISE deployed on our network. So you're telling me that there is no way to create a radius exception from a particular IP address unless we deploy ISE and create a local account on it?

Sorry about the confusion. On your radius server (depending on the model) you should be able to centralize these accounts so they hit the radius server for authentication and authorization.

This can be done regardless of the model of radius server, but the device has to support it. I do not think IAS or NPS has the ability, but then again that local database is AD, so you would have to build a service account for these devices to connect.

To answer your main question, the answer is no. Radius configuration on routers and switches, with the exception of wireless LAN controllers, will not allow you to select which database to use based on the username or the source IP address that the request is coming in from. The only time you fail over is if the database that it is accessing at the time experiences a failover.

Thanks,

Tarik Admani
*Please rate helpful posts*
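To make the fallback semantics in this answer concrete, here is an added Python model (not Cisco IOS code and not from this thread) of how a `group radius local` login method list is evaluated: a RADIUS reject is a FAIL that ends the search, only an unreachable server (ERROR) falls through to the local database, and nothing in the lookup keys on the client's source IP. The usernames and passwords are constructed sample values.

```python
"""Educational model of Cisco IOS AAA method-list evaluation (assumed semantics, not IOS code).

Modelled rule, as the thread describes it: for
    aaa authentication login default group radius local
the router consults the local database only when the RADIUS group returns
an ERROR (no server reachable), never when a server answers with a reject.
The source IP of the SSH client plays no part in choosing the database.
"""

# Constructed sample credential stores.
RADIUS_USERS = {"ali": "radius-pw"}                              # what the RADIUS server knows
LOCAL_USERS = {"backup-svc": "local-pw", "ali": "stale-local-pw"}  # what the router knows locally


def radius_authenticate(user, password, radius_reachable):
    """'PASS', 'FAIL' (Access-Reject) or 'ERROR' (no reply from any server in the group)."""
    if not radius_reachable:
        return "ERROR"
    return "PASS" if RADIUS_USERS.get(user) == password else "FAIL"


def local_authenticate(user, password, _radius_reachable):
    """The local database always answers; it never returns ERROR."""
    return "PASS" if LOCAL_USERS.get(user) == password else "FAIL"


METHODS = {"group radius": radius_authenticate, "local": local_authenticate}
METHOD_LIST = ["group radius", "local"]


def aaa_login(method_list, user, password, radius_reachable=True):
    """Walk the method list in order; only an ERROR moves evaluation to the next method."""
    for name in method_list:
        result = METHODS[name](user, password, radius_reachable)
        if result in ("PASS", "FAIL"):   # a definitive answer ends the search
            return f"{result} via {name}"
    return "FAIL (all methods errored)"  # modelled outcome when no method could answer


if __name__ == "__main__":
    for scenario, reachable in (("RADIUS reachable", True), ("RADIUS down", False)):
        print(scenario)
        print("  ali / radius-pw        ->", aaa_login(METHOD_LIST, "ali", "radius-pw", reachable))
        print("  backup-svc / local-pw  ->", aaa_login(METHOD_LIST, "backup-svc", "local-pw", reachable))
```

The `backup-svc` account, which exists only locally, is rejected while RADIUS is up, which is exactly why a local-only service account cannot be carved out as an exception on the router.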
