specifying keys for multiple radius server groups

scchesney · ‎12-28-2006

Any pointers as to how to assign radius keys to multiple radius server groups on 2950 switches running ios 12.1.22.ea9? I need to be able to authenticate to an RSA radius server for access to the switch itself as well as doing 802.1x authentication for switchports.

The config for the radius server groups looks like:

aaa group server radius cons-login

server xx.xx.xx.xx auth-port 1812 acct-port 1813

!

aaa group server radius portsec

server xx.xx.xx.xx auth-port 1645 acct-port 1646

The command "radius server key xxxx" does not appear in the running config unless radius-server hosts are defined, e.g.:

"radius-server host xx.xx.xx.xx auth-port 1812 acct-port 1813 key xxxx"

sarbjeet-dhillon · ‎12-28-2006

That is how you do it by specifying the radius server hosts.

1.

Specifies and defines the IP address of the server host before configuring the AAA server-group.

Router(config)# radius-server host

{hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip address}]

2.

Defines the AAA server group with a group name. All members of a group must be the same type;

Router(config-if)# aaa group server

{radius | tacacs+} group-name

3.

Associates a particular RADIUS server with the defined server group. Each security server is identified by its IP address and UDP port number.

Repeat this step for each RADIUS server in the AAA server group.

Router(config-sg)# server ip-address

[auth-port port-number] [acct-port port-number]

Let me know if it doesnt work.

SD

scchesney · ‎12-29-2006

Ahhh, works as advertised. Thanks much. As usual, the docs make more sense after things work rather than while you're trying to figure out what they are actually saying.

Cheers!

--Scott