Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2284
Views
0
Helpful
6
Replies

Radius redundancy in IOS config

Go to solution
neroshake
Level 1
Level 1

‎03-13-2016 04:01 AM - edited ‎03-10-2019 11:34 PM

Hello,

I need to implement Radius (ISE PSN) servers failover/redundancy on Cisco switches for 4 radius servers. We have no dedicated Load Balancers to use. As far as I understand there are two options in IOS:

1. Use 'radius-server retry method reorder' in IOS
2. Use 'radius-server load-balance method least-outstanding' IOS builtin load balancing feature.

The question is which one is a best practice to use in case of ISE? What are the pros and cons?
thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎03-14-2016 10:10 AM

As long as you have all of your ISE servers configured in the NAD and they are all in sync you should be good to go. I have done many ISE deployments and never had to use either one of the commands that you have listed. 

With that being said, if can use the "radius-server load-balance method least-outstanding" if you want try to share the load between the ISE servers. 

I hope this helps!

Thank you for rating helpful posts!

Thank you for rating helpful posts!

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎03-13-2016 07:39 PM

1. Is only concerned about failover.

2. Is concerned with spreading the load, but will also do 1 as a result.

If all the servers have replicated hot copies of the data, then I would be tempted to use load balancing.  If the servers are more active/slave then maybe simple failover.

0 Helpful

Go to solution
neroshake
Level 1
Level 1
In response to Philip D'Ath

‎03-21-2016 02:26 AM

Thank you, Philip for the reply!

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎03-14-2016 10:10 AM

As long as you have all of your ISE servers configured in the NAD and they are all in sync you should be good to go. I have done many ISE deployments and never had to use either one of the commands that you have listed. 

With that being said, if can use the "radius-server load-balance method least-outstanding" if you want try to share the load between the ISE servers. 

I hope this helps!

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful

Go to solution
neroshake
Level 1
Level 1
In response to nspasov

‎03-21-2016 02:25 AM

Thanks for the reply, Neno!

>I have done many ISE deployments and never had to use either one of the commands that you have listed. 

Really? It is strange but putting just radius servers in order in NAD doesnt work for me. Once one of them goes offline the request is not being forwarded to another one. My goal is to achieve radius server redundancy / failover only. No load balancing needed at all.

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to neroshake

‎03-28-2016 11:11 PM

Yes, that is correct. As long as your servers are configured correctly and your switch configuration is correct then if an ISE server is marked as "Dead" then the NAD (switch) will proceed to the next switch configured. You can check the status of the ISE nodes in the switch by issuing "show aaa servers"

Can you post your RADIUS configs here. Perhaps you are missing some command(s).

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful

Go to solution
fatalXerror
Level 5
Level 5
In response to nspasov

‎02-27-2019 10:44 AM

hi @nspasov ,

How will the NAD determine if the RADIUS is dead? Is the condition based only network reachability or based on service reachability?

Network Reachability meaning, even though the RADIUS server is experiencing to much load but it is reachable the NAD will still contact the RADIUS server.

Service Reachability meaning, if there is no RADIUS reply from the RADIUS server towards the NAD.

thanks

0 Helpful
Customers Also Viewed These Support Documents