Occasional Contributor II

Confused on why I have to specify my radius server twice in Cisco config?

I'm looking at the configs I've built for the Cisco switches we use with CPPM, and I'm confused as to why I have to specify my radius server twice.

We start out with:

(config)#radius server Aruba-CPPM
(config-radius-server)#address ipv4 10.1.2.3
(config-radius-server)#key secretkey

Then later on I specify it again as a dynamic-author:

(config)# aaa server radius dynamic-author
(config-locsvr-da-radius)#client 10.1.2.3 server-key secretkey

(config-locsvr-da-radius)#client 10.1.2.4 server-key secretkey

Are these doing two different things or am I putting in redundant code?

Guru Elite

Re: Confused on why I have to specify my radius server twice in Cisco config?

One is defining ClearPass as a RADIUS server (for client authentication).

The second is defining ClearPass as a RADIUS client (for RFC 5176).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Confused on why I have to specify my radius server twice in Cisco config?

So basically if 10.1.2.3 goes down, I'm kinda screwed since nobody would be able to auth, right?

Would changing that to a group and using a server group be a better practice?

Guru Elite

Re: Confused on why I have to specify my radius server twice in Cisco config?

Yes. Defining all RADIUS servers is a good idea.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Confused on why I have to specify my radius server twice in Cisco config?

And I guess it's a good idea to have all my radius servers listed under the dynamic-authors too, right?
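
Added example, not part of any post in this thread: a small Python check that reads a saved running-config and compares the addresses defined under `radius server` (where the switch sends authentication requests) with the `client` entries under `aaa server radius dynamic-author` (which hosts may send RFC 5176 messages to the switch). The sample config is constructed from the snippets above; the ports, the `<shared-secret>` placeholders and the function names are assumptions.

```python
import re

# Constructed sample modelled on the thread's snippets; auth/acct ports and
# the <shared-secret> placeholders are assumptions for illustration.
SAMPLE_CONFIG = """\
radius server Aruba-CPPM
 address ipv4 10.1.2.3 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa server radius dynamic-author
 client 10.1.2.3 server-key <shared-secret>
 client 10.1.2.4 server-key <shared-secret>
!
"""
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_radius_roles(config_text):
    """Return (servers, coa_clients) as sets of IPv4 strings."""
    servers, coa_clients, section = set(), set(), None
    for line in config_text.splitlines():
        if not line.startswith(" "):  # top-level line opens a new section
            if re.match(r"radius server \S+", line):
                section = "server"
            elif line.strip() == "aaa server radius dynamic-author":
                section = "da"
            else:
                section = None
            continue
        body = line.strip()
        if section == "server":
            m = re.match(r"address ipv4 " + IPV4, body)
            if m:
                servers.add(m.group(1))
        elif section == "da":
            m = re.match(r"client " + IPV4, body)
            if m:
                coa_clients.add(m.group(1))
    return servers, coa_clients


def audit(config_text):
    """Report addresses that appear in only one of the two roles."""
    servers, coa_clients = parse_radius_roles(config_text)
    return {
        "server_only": sorted(servers - coa_clients),
        "coa_client_only": sorted(coa_clients - servers),
    }
```

Run against the sample, `audit` lists 10.1.2.4 under `coa_client_only`: it is allowed to send dynamic-authorization messages but is not defined as an authentication server, which is the gap the thread is discussing.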
