Usage of Radius server groupname on Cisco Switches

CSCO10675262_2
Level 1

Hi,

I am trying to understand the usage of a radius server command I came upon:

-------------------------------------------------------------------------------
radius server groupname
 address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
 key key1
 automate-tester username user1
-------------------------------------------------------------------------------

I was wondering if it may be an enhancement/replacement of the usual 'radius-server host...' command?

Thanks.

Accepted Solution

Bilal Nawaz
VIP Alumni

Hello, I'd like to think of this as a much tidier way of configuring radius groups or tacacs groups, although some people find it cumbersome.

You could specify the individual host; however, I think this CLI will be deprecated soon. If you have more than one, it makes sense to put them in a group. Another reason would probably be for added resiliency.

What if one of them fails? Then the next one in the group is attempted.

Also, the later versions of IOS permit the use of IPv6. You are correct, it will be a replacement, so the syntax has changed in the command you mentioned. When you use the old commands you may see:

This cli will be deprecated soon. Use new server cli

Reason being, Cisco introduced the commands in the later versions of IOS to replace the host commands:

! one address per "radius server" entry; the entries are then referenced from a group
radius server MYRADIUS-1
 address ipv4 x.x.x.x
 key xxxxxx
!
radius server MYRADIUS-2
 address ipv4 y.y.y.y
 key yyyyyy

and also same for tacacs

tacacs server MYACS-1
 address ipv4 x.x.x.x
 key xxxxxx
!
tacacs server MYACS-2
 address ipv4 y.y.y.y
 key yyyyyy

instead of

radius-server host x.x.x.x key xxxxxxx

Hope this helps.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


4 Replies

Richard Atkin
Level 4

Groups are used in addition to the radius-host stuff you mention. Groups allow you to be more specific about which particular servers, or groups of servers, are used for which particular switch function, i.e., TACACS, RADIUS Auth, RADIUS Acct, Login, etc. It's quite a commonly used feature.


Hello,

Richard is right. On modern Cisco switch or router devices you could use something like this, using different groups:

username {MyEmergencyUsername} secret {MyEmergencyPassword}
!
enable secret {MyEmergencyEnablePassword}
!
aaa new-model
!
! This group will be used for console login
!
aaa group server radius {MyRadiusGroupForConsoleLogin}
 server-private 1.1.1.1 auth-port 1812 acct-port 1813 key {MyRadiusKey}
 server-private 2.2.2.2 auth-port 1812 acct-port 1813 key {MyRadiusKey}
 ip radius source-interface {MySourceInterface}
 exit
!
! This group will be used for vty login
!
aaa group server radius {MyRadiusGroupForVtyLogin}
 server-private 3.3.3.3 auth-port 1812 acct-port 1813 key {MyRadiusKey}
 server-private 4.4.4.4 auth-port 1812 acct-port 1813 key {MyRadiusKey}
 ip radius source-interface {MySourceInterface}
 exit
!
! AAA configuration for the different groups
! (each method in a method list needs its own "group" keyword)
!
aaa authentication login CONSOLE group {MyRadiusGroupForConsoleLogin} local-case
aaa authentication login VTY group {MyRadiusGroupForVtyLogin} local-case
aaa authentication enable default group {MyRadiusGroupForConsoleLogin} group {MyRadiusGroupForVtyLogin} enable
!
line con 0
 login authentication CONSOLE
 exit
!
line vty 0 15
 login authentication VTY
 exit

asdad
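The accepted solution shows the new-style `radius server` objects and the reply above shows `aaa group server radius` groups; the config below, added here as an example and not posted by anyone in the thread, ties the two together: named server entries (with the `automate-tester` probe from the original question) referenced from a group via `server name`, dead-server detection so the group actually fails over, and a per-line method list with local fallback. The server names, addresses, key placeholders, probe username and `Loopback0` are assumptions for the example.

```cisco
! Added example (not from the thread): new-style server objects in a group.
! Names, addresses, keys, the probe user and Loopback0 are placeholders.
aaa new-model
!
radius server RAD-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key <shared-secret-1>
 timeout 3
 retransmit 2
 ! the server only has to answer the probe (an Access-Reject counts as alive),
 ! so use an account with no privileges on the RADIUS side
 automate-tester username radius-probe
!
radius server RAD-2
 address ipv4 10.0.0.12 auth-port 1812 acct-port 1813
 key <shared-secret-2>
 timeout 3
 retransmit 2
 automate-tester username radius-probe
!
! Declare a server dead after 3 unanswered tries within 10 s and skip it for
! 5 minutes, so the group moves to the next member instead of waiting on it.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
aaa group server radius RAD-VTY
 server name RAD-1
 server name RAD-2
 ip radius source-interface Loopback0
!
! "local" is only consulted when every group member is unreachable,
! never on an Access-Reject, so a rejected login cannot fall through.
aaa authentication login VTY group RAD-VTY local
aaa authorization exec VTY group RAD-VTY local if-authenticated
aaa accounting exec default start-stop group RAD-VTY
!
line vty 0 15
 login authentication VTY
 authorization exec VTY
 transport input ssh
```

`show aaa servers` reports each entry's state (UP/DEAD) and probe counters, which is the quickest way to confirm the group is failing over as intended.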


Hi All,

Appreciate the wonderful information. I was previously configuring 'aaa group server radius' for dot1x, as pointed out by asdad, when I came across the 'radius server group' reference, which confused me as I was unable to find any documentation for it.

Thank you for the great information.