Security

I was just configuring   master  and master stand by redundancy for a client

I was configuring the 802.1x

My virtual ip address is 192.168.10.10

Master 192.168.10.11

Master Standby 192.168.10.12

 

On the NPS i had on the radius client i had 192.168.10.10 for the WC i mean the virtual ip of the master and master standby

and well that didnt work... the controller was telling me that he could not find the aaa server.

 

I had to put 2 radius clients 192.168.10.11 and 192.168.10.12

 

Is this the correct way to do it?  or i should use the virtual ip address? if i should use the virtual ip address is there is something im missing?

 

Cheers

Carlos

 

What do you have for the show ip radius 

 

(controller) #show ip radius nas-ip

RADIUS client NAS IP address = x.x.x.x

 

(controller) #show ip radius source-interface

Global radius client source IP address = x.x.x.x
Per-server client source IPv4 addresses:

show ip radius nas-ip

RADIUS client NAS IP address = 192.168.10.10

(WC_Parlatino) #show ip radius source-interface

Global radius client source IP address = 0.0.0.0
Per-server client source IPv4 addresses:

The default is delivering the mgmt interface as nas ip. Add the other nodes on the microsoft NAP server as clients. Add all nodes with different community strings. Make the strings REALLY strong.

 

Reg.

Peet

 

When you mean nodes do you mean the real ip addresses of the controllers? the master and the master stand by?

 

Cheers

Carlos

Ye. Not the virtual loopback. Real Ip, that is if your running with the default radius server config.

 You could specify what interface the package sould originate from. Just add both nodes with controller ip (or the originating vlan ip) to the NPS server.

 

Dont know where your located but here its the middle of the night. il respond in 4 hours if you got some more questions.

 

I already configured it that way

My question was if it was the correct way to configure it, or i should configure it in another way! :)

 

Cheers

Carlos

yes. thats correct. There is ofcourse alot to think about when configuring 802.1x but your configuration so far is correct. Reg, Peet

 

I will suggest using the IP address your APs are not using to contact the controller , so if you have VRRP VIP and your APs use that to contact the controller I will use either the management VLAN IP address or the loopback for the radius source ip address.

Only thing to thinkabout is keeping the Radius requests in a backend LAN so they cant be captured.

Theres a weak cypher on the radius package that can be easely bruteforced. And deactivate the PAP \ mschap on the radius server. only use the mschapv2 nothing less than this. eaventho this also is weak.

Thank you very much, just wanted to be sure, what i was doing is the correct thing to do.

It would be nice if that scenario was added to the redundandy VRD.

 

Cheers

Carlos