9800 - Radius server priority, automate-tester and CoA

Slabre
Level 1

Hello,

We have multiple 9800 and EWC and we are looking for the best RADIUS configuration.

 

1. How to configure Radius server priority?

In legacy AireOS WLCs we had the possibility to choose the priority order of our servers.

With 9800 and EWC I didn't find the possibility to do it. We don't want to load-balance between our servers from WLCs.

How can we do it?

 

2. What's the goal of the "automate-tester" command?

When we add a RADIUS server via the GUI, our RADIUS servers are automatically configured with this "automate-tester" command:

radius server RADIUS_FR
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXX
 automate-tester username XXX

As I can read here and there, it is used for dead-server detection. But for that, in the 9800 Config Guide, Cisco recommends the following config: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_aaa_dead_server_detection.html

Then, from my point of view, this "automate-tester" command is useless if we configure the dead-server detection as per the 9800 Guide recommendation.

 

3. Do we have to enable Radius CoA?

If I check on ISE > Work Centers > Profiler > Settings, it is configured on "No CoA", which means we don't use this feature. Do we agree that it is useless (for now, today) to configure RADIUS CoA on our WLC with the following commands?

aaa server radius dynamic-author
client 10.1.1.1 server-key 7 XXXXXX
client 10.1.1.2 server-key 7 XXXXXX

I don't think we will have bidirectional CoA RADIUS communication if there is no CoA sent by the ISE servers.

 

Thank you.

8 Replies

Slabre
Level 1

Does anyone know how to help me, please?

Scott Fella
Hall of Fame

@Slabre wrote:

Hello,

We have multiple 9800 and EWC and we are looking for the best RADIUS configuration.

 

1. How to configure Radius server priority?

In legacy AireOS WLCs we had the possibility to choose the priority order of our servers.

With 9800 and EWC I didn't find the possibility to do it. We don't want to load-balance between our servers from WLCs.

How can we do it?

 

This is the same for any IOS device: you basically define the servers and create a server group. This is not AireOS, so there is no primary/secondary/tertiary setting.

 

2. What's the goal of the "automate-tester" command?

When we add a RADIUS server via the GUI, our RADIUS servers are automatically configured with this "automate-tester" command:

radius server RADIUS_FR
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXX
 automate-tester username XXX

As I can read here and there, it is used for dead-server detection. But for that, in the 9800 Config Guide, Cisco recommends the following config: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_aaa_dead_server_detection.html

Then, from my point of view, this "automate-tester" command is useless if we configure the dead-server detection as per the 9800 Guide recommendation.

 

I don't use that personally. Too much noise on my ISE logs :)

 

3. Do we have to enable Radius CoA?

If I check on ISE > Work Centers > Profiler > Settings, it is configured on "No CoA", which means we don't use this feature. Do we agree that it is useless (for now, today) to configure RADIUS CoA on our WLC with the following commands?

aaa server radius dynamic-author
client 10.1.1.1 server-key 7 XXXXXX
client 10.1.1.2 server-key 7 XXXXXX

I don't think we will have bidirectional CoA RADIUS communication if there is no CoA sent by the ISE servers.

 

This is another item that I don't currently use either. As long as your ISE is working the way you have it, don't start enabling features... this is the same for wireless. Too many features make it harder to figure out things when something breaks.

 

Thank you.


-Scott
*** Please rate helpful posts ***

To add... the best RADIUS configuration is the simplest one that meets your requirements and security requirements.

-Scott
*** Please rate helpful posts ***

Hello @Scott Fella, thank you for your replies!

 

1) I agree, but if we define different ISE servers from different locations (Europe, USA, APAC...), then I want the Europe ISE to be chosen for devices in Europe, for example. You agree, right?

I saw this page and video days ago: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/200403-AAA-Server-Priority-explained-with-new-R.html

But unfortunately this doesn't work as expected on our 9800/EWC (I just checked some of them):

  • We have our AAA RADIUS group configured with these servers in this order, for example: ISE_EU1, ISE_US1, ISE_EU2
  • And when we check the priorities with "show aaa servers", then we have: ISE_EU1 Priority 1, ISE_EU2 Priority 2, ISE_US1 Priority 3.

Then it just looks like it is completely random. I can't believe there is no way to set a priority order of AAA servers... if not, this feature should be implemented very quickly, shouldn't it?

 

2) and 3) Thank you for your feedback, appreciated!

I think it's more of how IOS defines AAA, because this would be the same with switches using RADIUS and TACACS. The feature would then be for all IOS-XE devices, but it won't hurt to reach out to your Cisco reps and ask for a feature request.
What you should look at is how the RADIUS server was defined when you issue a show run | sec radius server. Seemed like I was able to define the priority by changing the order of the servers listed.

-Scott
*** Please rate helpful posts ***

(sorry this is my second account)

Well, I would love it to work like it should. I agree with you, we should be able to define the priority by changing the order of the servers listed.

But look at this: I have this configuration on a 9800 running IOS 17.3.4c:

aaa group server radius ISE
 server name FR
 server name FR2
 server name US
 load-balance method least-outstanding batch-size 5

And then when I issue "show aaa servers":

RADIUS: id 1, priority 1, host 10.1.1.3, auth-port 1812, acct-port 1813, hostname US
-----
RADIUS: id 2, priority 2, host 10.1.1.1, auth-port 1812, acct-port 1813, hostname FR
-----
RADIUS: id 3, priority 3, host 10.1.1.2, auth-port 1812, acct-port 1813, hostname FR2

I mean, that's nonsense, right? Am I the only one to have this bug?
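
A quick way to check what this exchange is about (an added example, not Cisco's code and not the poster's): parse the `aaa group server radius` block from the running config and the matching `show aaa servers` lines, compare the configured server order with the reported priority, and flag a `load-balance` method in the group, since with load balancing requests are distributed across the group's servers rather than sent to the first server in order. The sample config and show output are constructed from the values posted in this thread; the function names are mine, and the check assumes the show output contains only the servers of the group being checked (filter by hostname first on a box with several groups).

```python
"""Compare an IOS-XE RADIUS group's configured order with 'show aaa servers' priority."""
import re

# Constructed sample (from the values in this thread): show run | section aaa group
GROUP_CONFIG = """\
aaa group server radius ISE
 server name FR
 server name FR2
 server name US
 load-balance method least-outstanding batch-size 5
"""

# Constructed sample (from the values in this thread): show aaa servers excerpt
SHOW_AAA_SERVERS = """\
RADIUS: id 1, priority 1, host 10.1.1.3, auth-port 1812, acct-port 1813, hostname US
-----
RADIUS: id 2, priority 2, host 10.1.1.1, auth-port 1812, acct-port 1813, hostname FR
-----
RADIUS: id 3, priority 3, host 10.1.1.2, auth-port 1812, acct-port 1813, hostname FR2
"""


def parse_group(config):
    """Return (group name, server names in configured order, load-balance line or None)."""
    name, servers, load_balance = None, [], None
    for line in config.splitlines():
        m = re.match(r"aaa group server radius (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s+server name (\S+)", line)
        if m:
            servers.append(m.group(1))
            continue
        m = re.match(r"\s+load-balance (.+)", line)
        if m:
            load_balance = m.group(1).strip()
    return name, servers, load_balance


def parse_show_aaa_servers(output):
    """Return {hostname: priority} from the RADIUS lines of 'show aaa servers'."""
    priorities = {}
    for m in re.finditer(r"RADIUS: id \d+, priority (\d+), .*?hostname (\S+)", output):
        priorities[m.group(2)] = int(m.group(1))
    return priorities


def check_order(config, output):
    """Return a list of findings; an empty list means order and settings look consistent."""
    name, configured, load_balance = parse_group(config)
    reported = parse_show_aaa_servers(output)
    findings = []

    # Servers sorted by the priority the controller actually reports.
    by_priority = sorted(reported, key=reported.get)
    if by_priority != configured:
        findings.append(
            f"group {name}: configured order {configured} differs from "
            f"reported priority order {by_priority}"
        )

    missing = [s for s in configured if s not in reported]
    if missing:
        findings.append(f"group {name}: servers absent from show output: {missing}")

    # A load-balance method spreads requests over the group, so configured
    # order is no longer a strict preference even when priorities line up.
    if load_balance:
        findings.append(
            f"group {name}: 'load-balance {load_balance}' is set, so requests are "
            f"distributed across servers instead of going to the first one in order"
        )
    return findings


if __name__ == "__main__":
    for finding in check_order(GROUP_CONFIG, SHOW_AAA_SERVERS):
        print(finding)
```

Run against the two samples it reports two findings: the configured order FR, FR2, US versus the reported priority order US, FR, FR2, and the least-outstanding load-balance method that is present in the posted group even though the original question said load balancing from the WLC was not wanted.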

Have you removed the group and added it back? Anyway, that would be temporary if one of the servers is marked dead. That is where your dead timer would help. I don't know if that is a bug, other than a feature request. AireOS had that feature, but the 9800 isn't AireOS as far as parity.

Take a look here also: 

Security Configuration Guide, Cisco IOS XE Cupertino 17.7.x (Catalyst 9300 Switches) - Configuring RADIUS [Support] - Cisco

sec-rad-aaa-server-groups.pdf (cisco.com)

"The RADIUS host entries are tried in the order in which they are configured."

-Scott
*** Please rate helpful posts ***

KelvinT
Level 1

Hi Slabre,

 

2. What's the goal of the "automate-tester" command?

When we add a RADIUS server via the GUI, our RADIUS servers are automatically configured with this "automate-tester" command:

radius server RADIUS_FR
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXX
 automate-tester username XXX

As I can read here and there, it is used for dead-server detection. But for that, in the 9800 Config Guide, Cisco recommends the following config: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_aaa_dead_server_detection.html

 

Then, from my point of view, this "automate-tester" command is useless if we configure the dead-server detection as per the 9800 Guide recommendation.

 

#### My Response ####

According to the conversation below, automate-tester prevents the yo-yo effect, i.e. the RADIUS server flapping DEAD...ALIVE...DEAD when it is actually down.

 

https://community.cisco.com/t5/network-access-control/not-able-to-configure-automate-tester-with-idle-time-and-probe/td-p/3791310 

#######################

 

3. Do we have to enable Radius CoA?

If I check on ISE > Work Centers > Profiler > Settings, it is configured on "No CoA", which means we don't use this feature. Do we agree that it is useless (for now, today) to configure RADIUS CoA on our WLC with the following commands?

aaa server radius dynamic-author
client 10.1.1.1 server-key 7 XXXXXX
client 10.1.1.2 server-key 7 XXXXXX

I don't think we will have bidirectional CoA RADIUS communication if there is no CoA sent by the ISE servers.

 

#### My Response #####

If you are doing profiling and you are configuring your Authz policy with a catch-all limited access (DNS, DHCP, ISE PSN) in order to allow ISE to get network traffic info to profile... then you might want to consider enabling CoA/re-auth on ISE.

 

Also, if you are considering integrating ISE with your vulnerability scanner, AV/AM, AMP for Endpoints, Stealthwatch... then you will need CoA enabled.

 

Both allow ISE (the authentication server) to send an authorization change to the NAD (the authenticator) after an endpoint/end user has previously authenticated (authc) successfully and been authorized (authz).

########################

 

Hope this helps!

Thanks
