01-05-2021 11:57 AM
Hello All,
I am attempting to set the AAA Server priority on a 2960X Switch. My previous AAA/RADIUS configuration contained the following:
Original Configuration
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa server radius dynamic-author
 client 10.0.0.1 server-key 7 *****
 client 10.0.0.2 server-key 7 *****
!
aaa session-id common
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server ISE-Primary
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key 7 *****
!
radius server ISE-Secondary
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key 7 *****
I then checked out the following page/link below, and modified some of the lines from above to the following:
https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/200403-AAA-Server-Priority-explained-with-new-R.html
Modified Configuration:
!**New section added**
aaa group server radius ISE
 server name ISE-Secondary
 server name ISE-Primary
!
!**Modified the section below using the group "ISE" created above**
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
!
From the link shared above, it seemed as though using "aaa group server radius <name>" should be what sets the priority. But, in running the "show aaa servers" command, the ISE-Primary server is still showing as Priority 1 in the output.
The goal is to have clients in this location use the Secondary ISE server as their primary auth server.
Could this not be working because these aaa servers were already configured on this switch, so when I added the "aaa group..." section, that really isn't being used?
Any help would be greatly appreciated!
Thanks in Advance,
Matt
01-05-2021 03:21 PM
I can't say for sure, but I would have removed the aaa group, and then checked that the switch had no more RADIUS servers, and then re-add the group to see if it programs the intended order.
Perhaps there is an 'aaa' restart command (kind of like a shut / no-shut).
01-06-2021 10:19 AM - edited 01-06-2021 10:21 AM
Thanks for the reply Arne.
Yeah, I was thinking the same thing about an "aaa" restart command, but couldn't find anything specific like that.
I was trying to do this without rebooting the switch. Right now I'm configuring this on a 2960X switch that I have connected to the network in our IT room, which I can use for testing. But, if I'm going to try to do this in the remote location, I was hoping to not have any downtime, or any significant downtime, like a reboot.
In the link I included in my OP, the author's video simply shows him swapping around the configured AAA servers in the "aaa group server radius <name>" section, and that taking effect right away. However, that was a new AAA configuration, so he didn't already have AAA servers configured as I do.
EDIT: I wonder if running "no aaa new-model" would disable AAA, and then re-adding "aaa new-model" would re-enable it. However, I don't know if that would remove all of the AAA configuration... I guess I could give it a try on this switch and see what happens.
Thanks Again,
Matt
01-06-2021 11:01 AM
So I gave the "no aaa new-model" command a try, and it does in fact remove all the AAA and RADIUS commands from the switch. Except, it does NOT remove the auth commands for the client PC ports, which is the bulk of the configuration anyway...
I had to re-add the following commands back to the Switch:
aaa new-model
!
aaa group server radius ISE
 server name ISE-Secondary
 server name ISE-Primary
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
!
aaa server radius dynamic-author
 client 10.0.0.2 server-key 7 *****
 client 10.0.0.1 server-key 7 *****
!
aaa session-id common
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server ISE-Primary
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key 7 *****
!
radius server ISE-Secondary
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key 7 *****
!
Here's something odd...
After running the "no aaa new-model" command, the output of the "show aaa servers" command remains the same as it did while aaa was enabled... Figured this was just a cosmetic issue where that data is cached, and isn't removed along with the config command. However, after re-adding aaa new-model and re-adding the commands shown above, the output from show aaa servers remains the same as it did before, where the ISE-Secondary is still showing as the "Priority 2" AAA host. Even though the client PC I connected, as well as an IP Phone, are both using the ISE-Secondary server as their AAA server.
-Matt
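Added example, not code from this thread or from Cisco: a small Python parser that reads an IOS-style AAA configuration and reports, for each method list, the order in which RADIUS servers will be tried. It assumes the behaviour the linked Cisco document describes: a named "aaa group server radius" tries its members in the order of its "server name" lines, while the implicit "group radius" tries every global "radius server" block in definition order. The two sample configurations are constructed from the posts above (keys omitted), so it can be used to check the intended failover order of a change before pushing it, independently of the priority column in "show aaa servers".

```python
import re

# Added example: derives the per-method-list RADIUS server order from an
# IOS-style config.  Assumed rule (per the linked Cisco doc): a named group
# orders servers by its 'server name' lines; the implicit 'radius' group
# orders them by global 'radius server' definition order.
METHOD_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+) default (?:\S+ )?group (\S+)$")

# Constructed sample configs, cut down from the thread's posts (keys omitted).
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-Primary
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
!
radius server ISE-Secondary
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
!
"""
# The thread's change: a named group listing ISE-Secondary first, and the
# method lists pointed at that group instead of the implicit 'radius' group.
MODIFIED_CONFIG = ORIGINAL_CONFIG.replace("group radius", "group ISE") + """\
aaa group server radius ISE
 server name ISE-Secondary
 server name ISE-Primary
!
"""

def resolve_server_order(config):
    """Map each method list (e.g. 'authentication dot1x') to its server order."""
    global_servers = []   # 'radius server <name>' blocks in definition order
    groups = {}           # named group -> ordered member server names
    method_lists = {}     # method list -> group it references
    current_group = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):          # '!' separates sub-mode blocks
            current_group = None
        elif (m := re.match(r"^radius server (\S+)$", line)):
            global_servers.append(m.group(1))
        elif (m := re.match(r"^aaa group server radius (\S+)$", line)):
            current_group = m.group(1)
            groups.setdefault(current_group, [])
        elif (m := re.match(r"^server name (\S+)$", line)) and current_group:
            groups[current_group].append(m.group(1))
        elif (m := METHOD_RE.match(line)):
            method_lists[f"{m.group(1)} {m.group(2)}"] = m.group(3)
    return {name: list(global_servers) if grp == "radius" else list(groups.get(grp, []))
            for name, grp in method_lists.items()}
```

Running `resolve_server_order` on both constants shows the original config trying ISE-Primary first for every method list and the modified config trying ISE-Secondary first, which matches what Matt's PC and phone actually did.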