
Setting AAA Server Priority

Matthew Martin
Level 5

Hello All,

I am attempting to set the AAA Server priority on a 2960X Switch. My previous AAA/RADIUS configuration contained the following:

Original Configuration

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa server radius dynamic-author
 client 10.0.0.1 server-key 7 *****
 client 10.0.0.2 server-key 7 *****
!
aaa session-id common
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server ISE-Primary
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key 7 *****
!
radius server ISE-Secondary
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key 7 *****

 

I then checked out the page linked below, and modified some of the lines from above to the following:
https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/200403-AAA-Server-Priority-explained-with-new-R.html

Modified Configuration:

!**New section added**
aaa group server radius ISE
 server name ISE-Secondary
 server name ISE-Primary
!
!**Modified the section below using the group "ISE" created above**
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
!

From the link shared above, it seemed as though using "aaa group server radius <name>" should be what sets the priority. But when running the "show aaa servers" command, the ISE-Primary server is still showing as Priority 1 in the output.

The goal is to have clients in this location use the Secondary ISE server as their primary auth server.

Could this not be working because these aaa servers were already configured on this switch, so when I added the "aaa group..." section, that really isn't being used?

Any help would be greatly appreciated!

Thanks in Advance,

Matt

3 Replies

Arne Bier
VIP

I can't say for sure, but I would have removed the aaa group, then checked that the switch had no more RADIUS servers, and then re-added the group to see if it programs the intended order.

Perhaps there is an 'aaa' restart command (kind of like a shut / no-shut).

Thanks for the reply Arne.

Yeah, I was thinking the same thing about an "aaa" restart command, but couldn't find anything specific like that.

 

I was trying to do this without rebooting the switch. Right now I'm configuring this on a 2960X switch that I have connected to the network in our IT room, which I can use for testing. But if I'm going to try to do this in the remote location, I was hoping not to have any downtime, or any significant downtime, like a reboot.

In the link I included in my OP, the author's video simply shows him swapping around the configured AAA servers in the "aaa group server radius <name>" section, and that taking effect right away. However, that was a new AAA configuration, so he didn't already have AAA servers configured as I do.

 

EDIT: I wonder if running "no aaa new-model" would disable AAA, and then re-adding "aaa new-model" would re-enable it. However, I don't know if that would remove all of the AAA configuration... I guess I could give it a try on this switch and see what happens.

 

Thanks Again,

Matt

So I gave the "no aaa new-model" command a try, and it does in fact remove all the AAA and RADIUS commands from the switch. Except that it does NOT remove the auth commands for the client PC ports, which is the bulk of the configuration anyway...

I had to re-add the following commands back to the Switch:

aaa new-model
!
aaa group server radius ISE
 server name ISE-Secondary
 server name ISE-Primary
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
aaa accounting system default start-stop group ISE
!
aaa server radius dynamic-author
 client 10.0.0.2 server-key 7 *****
 client 10.0.0.1 server-key 7 *****
!
aaa session-id common
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server ISE-Primary
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key 7 *****
!
radius server ISE-Secondary
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key 7 *****
!

Here's something odd...

After running the "no aaa new-model" command, the output of the "show aaa servers" command remained the same as it did while AAA was enabled... I figured this was just a cosmetic issue where that data is cached and isn't removed along with the config command. However, after re-adding aaa new-model and re-adding the commands shown above, the output from show aaa servers remains the same as it did before, where the ISE-Secondary is still showing as the "Priority 2" AAA host. Even though the client PC I connected, as well as an IP Phone, are both using the ISE-Secondary server as their AAA server.

-Matt
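The thread turns on two different orderings: the order the `radius server` blocks are defined in (which is what the OP's `show aaa servers` output appears to follow, ISE-Primary first) and the order the servers are listed inside `aaa group server radius ISE` (ISE-Secondary first, which is the server the clients in the last post actually used). The script below is an added example, not Cisco code and not from any of the posts: it parses a running-config excerpt and reports, for each AAA method list, the server order it resolves to, and flags any group whose order differs from the definition order. It assumes, as the linked Cisco article describes, that members of a named group are tried in the listed order and that the built-in `group radius` means every `radius server` in definition order; verify that on your platform. The sample config is constructed from the OP's modified configuration with keys redacted, plus one `aaa authentication login default group radius local` line that is not in the post, added to show the built-in group and a `local` fallback.

```python
"""Resolve which RADIUS server each IOS AAA method list tries first, from the
running-config text alone.  Added example for this thread, not Cisco code.
Assumptions: members of an `aaa group server radius` block are tried in the
listed order; the built-in `group radius` is every `radius server` in
definition order."""
import re
from collections import OrderedDict

# Constructed sample: the poster's modified config (keys redacted) plus one
# login method list that is NOT in the post, to exercise `group radius` + local.
SAMPLE_CONFIG = """\
aaa group server radius ISE
 server name ISE-Secondary
 server name ISE-Primary
!
aaa authentication login default group radius local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
!
radius server ISE-Primary
 address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
 key 7 *****
!
radius server ISE-Secondary
 address ipv4 10.0.0.2 auth-port 1812 acct-port 1813
 key 7 *****
"""

_METHOD_KEYWORDS = {"local", "local-case", "none", "enable", "line", "if-authenticated"}
_ACCT_RECORD_TYPES = {"start-stop", "stop-only", "wait-start"}


def _parse_method_list(tokens):
    """Tokens after 'aaa' -> ('authentication dot1x default', [(method, arg), ...]),
    or None when the line is not a method list (e.g. 'accounting update periodic 5')."""
    if len(tokens) < 4 or tokens[0] not in ("authentication", "authorization", "accounting"):
        return None
    kind, service, name, rest = tokens[0], tokens[1], tokens[2], tokens[3:]
    if kind == "accounting" and rest and rest[0] in _ACCT_RECORD_TYPES:
        rest = rest[1:]  # the accounting record type is not a method
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group" and i + 1 < len(rest):
            methods.append(("group", rest[i + 1]))
            i += 2
        elif rest[i] in _METHOD_KEYWORDS:
            methods.append((rest[i], None))
            i += 1
        else:
            return None  # unknown token: not a method list
    return (f"{kind} {service} {name}", methods) if methods else None


def parse_config(text):
    """Return (servers, groups, method_lists), each an OrderedDict in config order."""
    servers, groups, method_lists = OrderedDict(), OrderedDict(), OrderedDict()
    block = None  # (kind, name) of the indented sub-mode block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            block = None
            continue
        if line.startswith(" "):  # sub-mode line
            if block is None:
                continue  # sub-mode of something not modelled here (e.g. dynamic-author)
            kind, name = block
            addr = re.match(r"\s+address ipv4 (\S+)(?: auth-port (\d+))?(?: acct-port (\d+))?", line)
            member = re.match(r"\s+server name (\S+)", line)
            if kind == "server" and addr:
                servers[name].update(ip=addr.group(1), auth_port=int(addr.group(2) or 1812),
                                     acct_port=int(addr.group(3) or 1813))
            elif kind == "group" and member:
                groups[name].append(member.group(1))  # group order is preserved
            continue
        block = None
        server = re.match(r"radius server (\S+)$", line)
        group = re.match(r"aaa group server radius (\S+)$", line)
        if server:
            servers[server.group(1)] = {"ip": None, "auth_port": 1812, "acct_port": 1813}
            block = ("server", server.group(1))
        elif group:
            groups[group.group(1)] = []
            block = ("group", group.group(1))
        elif line.startswith("aaa "):
            parsed = _parse_method_list(line.split()[1:])
            if parsed:
                method_lists[parsed[0]] = parsed[1]
    return servers, groups, method_lists


def resolve_order(servers, groups, method_lists):
    """Map each method list to the ordered (server name, ip) pairs it will try;
    non-RADIUS methods such as 'local' stay in the chain as (method, None)."""
    resolved = OrderedDict()
    for mlist, methods in method_lists.items():
        chain = []
        for method, arg in methods:
            if method != "group":
                chain.append((method, None))
            elif arg == "radius":  # built-in group: every server, definition order
                chain.extend((n, s["ip"]) for n, s in servers.items())
            else:
                chain.extend((n, servers.get(n, {}).get("ip")) for n in groups.get(arg, []))
        resolved[mlist] = chain
    return resolved


def groups_out_of_definition_order(servers, groups):
    """Groups whose member order differs from the order the servers were defined in,
    i.e. the thread's situation: the group tries ISE-Secondary first while a listing
    in definition order still shows ISE-Primary first."""
    return [g for g, members in groups.items()
            if members != [n for n in servers if n in members]]
```

Run it with the sample and `resolve_order(...)["authentication dot1x default"]` comes back as ISE-Secondary (10.0.0.2) before ISE-Primary (10.0.0.1), while `list(servers)` is ISE-Primary first; `groups_out_of_definition_order` reports `["ISE"]`, which is the mismatch the OP was looking at. Running the same parser over the config pulled from a real switch before and after a change is a cheap way to confirm the intended order without reading `show aaa servers` at all.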