IBNS 2.0 two radius servers in policy

Hi,

Did somebody manage to use two radius servers in Policy for dot1x?

We are doing a migration of clients and ISE and it would be helpful to check both servers and act on first access-accept.

I am basing the idea on slides from Cisco Live Session:

https://clnv.s3.amazonaws.com/2015/anz/pdf/BRKSEC-2691.pdf

This would be Concurrent Authentication + Differentiated Authentication at the same time.

I tried different ideas but I did not manage to get it to work until now.

2 examples:

#####################

policy-map type control subscriber POLICY_Gi1/0/1
event session-started match-all
  10 class always do-until-failure
    10 authenticate using dot1x aaa authc-list RADIUS_NEW authz-list RADIUS_NEW priority 10
    20 authenticate using dot1x aaa authc-list RADIUS_OLD authz-list RADIUS_OLD priority 15
event authentication-success match-all
  10 class always do-until-failure
    10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

#####################

policy-map type control subscriber POLICY_Gi1/0/1
event session-started match-all
  10 class always do-until-failure
    10 authenticate using dot1x aaa authc-list RADIUS_NEW authz-list RADIUS_NEW priority 10
  20 class always do-until-failure
    10 authenticate using dot1x aaa authc-list RADIUS_OLD authz-list RADIUS_OLD priority 15
event authentication-success match-all
  10 class always do-until-failure
    10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE

I am wondering if this is possible at all.

Accepted Solution

howon
Cisco Employee

It sounds creative, but I'm not sure why one would need such a setup even for migration. Differentiated Auth is for using different RADIUS servers for MAB and 802.1X, so it would not apply to this use case, and frankly I don't think you can have IOS check multiple RADIUS servers for 802.1X unless you are trying to load-balance requests. Also, note that concurrent auth is not supported if using ISE as the RADIUS server.

If you can elaborate on what you are trying to achieve at a higher level, we may be able to provide other options.
