Solved: Radius redundancy in IOS config

neroshake · ‎03-13-2016

Hello,

I need to implement Radius (ISE PSN) servers failover/redundancy on Cisco switches for 4 radius servers. We have no dedicated Load Balancers to use. As far as I understand there are two options in IOS:

1. Use 'radius-server retry method reorder' in IOS
2. Use 'radius-server load-balance method least-outstanding' IOS builtin load balancing feature.

The question is which one is a best practice to use in case of ISE? What are the pros and cons?
thanks!

nspasov · ‎03-14-2016

As long as you have all of your ISE servers configured in the NAD and they are all in sync you should be good to go. I have done many ISE deployments and never had to use either one of the commands that you have listed.

With that being said, if can use the "radius-server load-balance method least-outstanding" if you want try to share the load between the ISE servers.

I hope this helps!

Thank you for rating helpful posts!

Thank you for rating helpful posts!

View solution in original post

Philip D'Ath · ‎03-13-2016

1. Is only concerned about failover.

2. Is concerned with spreading the load, but will also do 1 as a result.

If all the servers have replicated hot copies of the data, then I would be tempted to use load balancing. If the servers are more active/slave then maybe simple failover.

neroshake · ‎03-21-2016

Thank you, Philip for the reply!

nspasov · ‎03-14-2016

As long as you have all of your ISE servers configured in the NAD and they are all in sync you should be good to go. I have done many ISE deployments and never had to use either one of the commands that you have listed.

With that being said, if can use the "radius-server load-balance method least-outstanding" if you want try to share the load between the ISE servers.

I hope this helps!

Thank you for rating helpful posts!

Thank you for rating helpful posts!

neroshake · ‎03-21-2016

Thanks for the reply, Neno!

>I have done many ISE deployments and never had to use either one of the commands that you have listed.

Really? It is strange but putting just radius servers in order in NAD doesnt work for me. Once one of them goes offline the request is not being forwarded to another one. My goal is to achieve radius server redundancy / failover only. No load balancing needed at all.

nspasov · ‎03-28-2016

Yes, that is correct. As long as your servers are configured correctly and your switch configuration is correct then if an ISE server is marked as "Dead" then the NAD (switch) will proceed to the next switch configured. You can check the status of the ISE nodes in the switch by issuing "show aaa servers"

Can you post your RADIUS configs here. Perhaps you are missing some command(s).

Thank you for rating helpful posts!

Thank you for rating helpful posts!

fatalXerror · ‎02-27-2019

hi @nspasov ,

How will the NAD determine if the RADIUS is dead? Is the condition based only network reachability or based on service reachability?

Network Reachability meaning, even though the RADIUS server is experiencing to much load but it is reachable the NAD will still contact the RADIUS server.

Service Reachability meaning, if there is no RADIUS reply from the RADIUS server towards the NAD.

thanks