06-26-2018 06:39 AM
Hi,
Did anybody manage to use two RADIUS servers in a policy for dot1x?
We are doing a migration of clients and ISE, and it would be helpful to check both servers and act on the first Access-Accept.
I am basing the idea on slides from Cisco Live Session:
https://clnv.s3.amazonaws.com/2015/anz/pdf/BRKSEC-2691.pdf
This would be Concurrent Authentication + Differentiated Authentication at the same time.
I tried different ideas, but so far I have not managed to get it to work.
2 examples:
#####################
policy-map type control subscriber POLICY_Gi1/0/1
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list RADIUS_NEW authz-list RADIUS_NEW priority 10
   20 authenticate using dot1x aaa authc-list RADIUS_OLD authz-list RADIUS_OLD priority 15
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
#####################
policy-map type control subscriber POLICY_Gi1/0/1
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x aaa authc-list RADIUS_NEW authz-list RADIUS_NEW priority 10
  20 class always do-until-failure
   10 authenticate using dot1x aaa authc-list RADIUS_OLD authz-list RADIUS_OLD priority 15
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
I am wondering if this is possible at all.
06-26-2018 04:42 PM
It sounds creative, but I am not sure why one would need such a setup even for a migration. Differentiated Auth is for using different RADIUS servers for MAB and 802.1X, so it would not apply to this use case, and frankly I don't think you can have IOS check multiple RADIUS servers for 802.1X unless you are trying to load-balance requests. Also, note that concurrent auth is not supported if using ISE as the RADIUS server.
If you can elaborate on what you are trying to achieve at a higher level, we may be able to provide other options.