How can I use a hostname for Radius and TACACS servers?

Arne Bier
VIP

Hello

I have a Cisco 2504/3504 controller running 8.2.151 code and my customer asked me whether we could create Radius and TACACS server entries using a DNS hostname instead.  Currently we create separate Radius Authentication and Accounting Servers, and those only allow IPv4 addresses to be specified.

There is a DNS sub-menu option under Radius and TACACS, but its use is unclear to me.  No matter which way I try configuring it, it doesn't have the outcome I want, because it appears to be a global configuration that somehow applies to the entire Radius or TACACS section?  I don't understand what its purpose is - does it complement the Server Index stuff, or is it mutually exclusive?  If the latter, then it's of no use to me because it's far too restrictive.

I want to be able to configure multiple Radius and TACACS servers, but with unique AAA server hostnames.  Basically, instead of being forced to enter an IPv4 I want to be able to enter a hostname.  And then the question is also, will the WLC honour the TTL of the DNS response?

I can do all this on my Aruba Wireless controllers.

Appreciate your feedback

2 Replies

Hello Arne,

I've seen environments with two options:

- List of servers configured statically on the WLC with RADIUS fallback, passive or active. If the WLC loses communication with the primary server, it will look for another server on the list.

- Point to a load balancer and distribute the RADIUS servers behind the load balancer.

About some questions you asked:

"...because it appears to be a global configuration that somehow applies to the entire Radius or TACACS section?"

That's what I understand as well.

"does it complement the Server Index stuff, or is it mutually exclusive?"

For this question I'd say that DNS overrides the static list, as we can see below. If you have a static RADIUS list and the DNS sub-menu configured, then the DNS list will take precedence.

"The Cisco WLC also runs the query if you manually change the DNS server list, or if one of the servers times out. As the DNS list overrides the static list, all manual AAA configurations on the WLAN will stop functioning as soon as the global server list gets populated from the DNS server. DNS AAA is also valid for FlexConnect AP clients using central authentication."

"Basically, instead of being forced to enter an IPv4 I want to be able to enter a hostname."

This is what DNS on the WLC is used for. I understand that this option will accomplish what you intend to do.

About the TTL, I went through the Cisco doc and I did not find reference to TTL.

Only this information is found:

"The DNS server is queried at regular intervals for updates."

Hi Flavio,

Thanks for the detailed answer.  The drawback I see with a global AAA hostname for the WLC is that I can no longer configure an AAA server per SSID.  This is helpful in migration scenarios, where I can migrate one SSID at a time to the new AAA platform.  I am just curious why Cisco chose this route, rather than doing the obvious thing, which is to allow IPv4/IPv6/hostname in the AAA server field (like Aruba has done).
