Cleaning up and Configuring RADIUS on Cisco Switch

TW80CJ5 (Level 3)

Sorry, the question dropped...

I am working through our Cisco devices and want to clean up our RADIUS / AAA configurations. Here is what I am trying to accomplish. See the configuration below for an example. Here are some of the things I am trying to do:

1. Clean up any unnecessary RADIUS group configs. I would like to remove NPS-group and NPS2-group.
2. I only want to have an "NPS-Group" with two servers named RAS1 and RAS2:
     RAS1, IP address 192.168.1.81, default ports 1645 / 1646, key Cisco123
     RAS2, IP address 192.168.1.91, default ports 1645 / 1646, key Cisco123
3. I have tried removing the servers and re-adding them, but the CLI error stated that I already had a server with that IP / port setup.
4. I have tried to remove "Server group radius" from the list in "SW1#sh radius server-group all", and I could not. I was hoping to completely re-do the RADIUS / AAA config all over.

SW1#sh radius server-group all
Server group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(192.168.1.81:1645,1646) Transactions:
    Authen: 303 Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
    Server(UNKNOWN:65535,65535) Transactions:
    Authen: 0   Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
    Server(UNKNOWN:65535,65535) Transactions:
    Authen: 0   Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
    Server(192.168.1.91:1645,1646) Transactions:
    Authen: 0   Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
Server group NPS-Group
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(UNKNOWN:65535,65535) Transactions:
    Authen: 0   Author: 0       Acct: 0
    Server_auto_test_enabled: FALSE
     Keywrap enabled: FALSE
Server group NPS-group
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
Server group NPS2-group
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1

SW1#sh run | inc aaa
aaa new-model
aaa group server radius NPS-Group
aaa group server radius NPS-group
aaa group server radius NPS2-group
aaa authentication login default group admin local
aaa authentication login NPS-group group radius local
aaa authentication login NPS2-group group radius local
aaa authentication login console local
aaa authentication dot1x default group NPS-group
aaa authorization exec default group NPS-group local
aaa authorization network default group NPS-Group
aaa session-id common


Comments and suggestions welcome! Ideally, I just want to clean up our RADIUS configs to create a naming and configuration standard on our devices.
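Put together, the cleanup the post describes looks like the following in the IOS named-server syntax (the "radius server <name>" / "address ipv4 ..." form, which is the form the address lines in the post imply). This is an added example, not configuration from the original thread. OLD-RAS1 and OLD-RAS2 are placeholders for the existing server object names, which the post does not show; the default login list ("group admin local") references a group that is not shown in the post and is left untouched; the key Cisco123 is the one stated in the post and is the kind of short, guessable shared secret that should be replaced with a unique long secret per device or site. Do this from the console session (the "console local" list keeps that path working) rather than over an SSH session whose login list might depend on RADIUS while the servers are being deleted.

```cisco
! 1. Find the names of the existing server objects. The post shows only
!    their address lines; OLD-RAS1 / OLD-RAS2 below stand in for whatever
!    "radius server <name>" stanzas this command lists.
SW1# show running-config | section radius server
!
! Also check that no line (vty/console) still uses the NPS-group or
! NPS2-group login lists before those lists are removed in step 2.
SW1# show running-config | include login authentication
!
SW1# configure terminal
!
! 2. Repoint every method list at the group being kept BEFORE deleting
!    the other groups, so no list is left pointing at a group that no
!    longer exists. The "default ... group admin local" login list is
!    not changed because the post does not show the "admin" group.
aaa authentication dot1x default group NPS-Group
aaa authorization exec default group NPS-Group local
aaa authorization network default group NPS-Group
no aaa authentication login NPS-group
no aaa authentication login NPS2-group
!
! 3. Remove the groups that are no longer wanted. Group names are
!    case-sensitive, which is why NPS-Group and NPS-group coexist in
!    the post: they are two different objects.
no aaa group server radius NPS-group
no aaa group server radius NPS2-group
!
! 4. Remove the old server objects. A new "radius server" stanza with
!    the same IP address and ports cannot be created while the old one
!    still exists, which matches the "already exists" error in the post.
no radius server OLD-RAS1
no radius server OLD-RAS2
!
! 5. Recreate the servers under the standard names. The key is the one
!    given in the post; it is shown here only to mirror the post.
radius server RAS1
 address ipv4 192.168.1.81 auth-port 1645 acct-port 1646
 key Cisco123
 exit
radius server RAS2
 address ipv4 192.168.1.91 auth-port 1645 acct-port 1646
 key Cisco123
 exit
!
! 6. Rebuild the single group by server name.
aaa group server radius NPS-Group
 server name RAS1
 server name RAS2
 exit
end
!
! 7. Verify: both group members should now resolve to an address and
!    port (no "UNKNOWN:65535,65535" entries) and only NPS-Group remains
!    besides the built-in "radius" group.
SW1# show radius server-group all
SW1# show aaa servers
SW1# show running-config | include aaa|radius
```

Two points worth knowing before running this. "Server group radius" in the show output is the implicit group of every RADIUS server configured on the box, not a configured object, so it cannot be removed; a method list that says "group radius" uses that implicit group and will keep working with RAS1 and RAS2 even without a named group. And because method lists and groups are looked up by name, the order above (repoint lists, delete groups, delete and recreate servers, rebuild the group) avoids a window where a list references a group or server that does not exist.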

 

You should remove everything linked to the old name and old IP address.

Can you post the following? It will give an idea.


show run | in 192.168.1.91

show run | in 192.168.1.92

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

BB,

I have tried. The two servers will still show under "show radius server-group all". Ideas on how to remove?

show run | in 192.168.1.81

address ipv4 192.168.1.81 auth-port 1645 acct-port 1646

show run | in 192.168.1.91

address ipv4 192.168.1.91 auth-port 1645 acct-port 1646

OK, can you post all the config (removing secure information) so we can tweak it?

BB

BB,


I will pull a running-config and sanitize it and post as soon as I can.


Thanks!

See the attached...

The overall goal is to clean up and standardize our RADIUS configs.

BB....