Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor II

Radius server list - Arubaos switch

Hello Folks,

I have a switch that points to 3 ClearPass servers.

I wanted to know if there is a way to make an ordered list for RADIUS servers,

meaning:

- Switch sends the auth request to cppm01 first

- If cppm03 isn't reachable, send the auth request to cppm02

- If cppm01 isn't reachable, send the auth request to cppm03

Right now it looks like the switch is doing cppm02 > cppm01 > cppm03

 

switch model: 2620 / RA.16.01

 

MVP Guru

Re: Radius server list - Arubaos switch

The switch supports authentication and accounting using up to 15 RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius. If the first server does not respond, the switch tries the next one, and so on.

 

See page 237 to change the RADIUS auth priority.

 

Access Security Guide for ArubaOS 

 

When you add a server IP address, it is placed in the highest empty position in the list. 


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Frequent Contributor II

Re: Radius server list - Arubaos switch

Hello Craig,

I had access to the switch recently; below is the "show radius" output:

 

SWAC1B# show radius

 Status and Counters - General RADIUS Information

  Deadtime (minutes)             : 0
  Timeout (seconds)              : 5
  Retransmit Attempts            : 3
  Global Encryption Key          : <Encry Key>
  Dynamic Authorization UDP Port : 3799
  Source IP Selection            : Outgoing Interface
  Source IPv6 Selection          : Outgoing Interface
  Tracking                       : Disabled

                  Auth  Acct  DM/  Time   |
  Server IP Addr  Port  Port  CoA  Window | Encryption Key
  --------------- ----- ----- --- ------ + --------------------------------
  172.16.32.12    1812  1813  Yes 0      | <Encry Key>
  172.16.32.11    1812  1813  Yes 0      | <Encry Key>
  172.16.32.10    1812  1813  Yes 0      | <Encry Key>

That means the auth request will be sent in this order in case of CPPM reachability issues: '32.12' > '32.11' > '32.10', right?

And in case I need to change this order, do I need to do

no radius-server host <IP> and re-add it so it will be placed in first place?

 

Thanks!

 

MVP Guru

Re: Radius server list - Arubaos switch

That is correct, it will work from the top (highest) to bottom (lowest).


Adding or deleting a RADIUS server IP address leaves an empty position, but does not change the position of any other server addresses in the list. For example, if you initially configure three server addresses, they are listed in the order in which you entered them.

 

However, if you subsequently remove, for example, 172.16.32.11 from the list and then add a server address, the new address will be placed second in the list (where 172.16.32.11 was previously).


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
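To make the two rules in this reply easy to check before touching a production switch, here is an added Python example (not from the thread, not Aruba code). It parses the "show radius" table quoted earlier in the thread into the top-to-bottom failover order, then models the slot behaviour described above: a removed address leaves a hole and a new address fills the highest empty position. The sample output is constructed from the quoted post; the positive command form "radius-server host <ip>" is assumed from the "no radius-server host <IP>" command mentioned in the question.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "show radius" output quoted in the thread
# (addresses and layout copied from the post; not captured from a live switch).
SAMPLE_SHOW_RADIUS = """\
SWAC1B# show radius

 Status and Counters - General RADIUS Information

  Deadtime (minutes)             : 0
  Timeout (seconds)              : 5
  Retransmit Attempts            : 3
  Global Encryption Key          : <Encry Key>
  Dynamic Authorization UDP Port : 3799
  Source IP Selection            : Outgoing Interface
  Source IPv6 Selection          : Outgoing Interface
  Tracking                       : Disabled

                  Auth  Acct  DM/  Time   |
  Server IP Addr  Port  Port  CoA  Window | Encryption Key
  --------------- ----- ----- --- ------ + --------------------------------
  172.16.32.12    1812  1813  Yes 0      | <Encry Key>
  172.16.32.11    1812  1813  Yes 0      | <Encry Key>
  172.16.32.10    1812  1813  Yes 0      | <Encry Key>
"""

MAX_SERVERS = 15  # limit stated in the reply above

# One server row: IP, auth port, acct port, DM/CoA flag, time window, then "|"
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(Yes|No)\s+(\d+)\s*\|"
)


@dataclass
class RadiusServer:
    ip: str
    auth_port: int
    acct_port: int
    dm_coa: bool
    time_window: int


def parse_show_radius(text):
    """Return the server rows in the order the switch prints them.

    The top row is the server the switch tries first; each later row is the
    next fallback when the one above it does not respond.
    """
    servers, in_table = [], False
    for line in text.splitlines():
        if line.lstrip().startswith("Server IP Addr"):
            in_table = True          # column header seen; rows follow the dashes
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m:
            ip, auth, acct, coa, window = m.groups()
            servers.append(RadiusServer(ip, int(auth), int(acct), coa == "Yes", int(window)))
    return servers


def failover_order(text):
    """Just the IPs, top to bottom: the order auth requests fall back in."""
    return [s.ip for s in parse_show_radius(text)]


class RadiusServerList:
    """Model of the slot rules described in the replies: a fixed table of
    MAX_SERVERS positions, a removed address leaves its position empty, and a
    newly added address takes the highest (first) empty position."""

    def __init__(self, ips=()):
        self.slots = [None] * MAX_SERVERS
        for ip in ips:
            self.add(ip)

    def add(self, ip):
        if ip in self.slots:
            raise ValueError(f"{ip} is already configured")
        if None not in self.slots:
            raise ValueError(f"all {MAX_SERVERS} server positions are in use")
        pos = self.slots.index(None)   # highest empty position
        self.slots[pos] = ip
        return pos + 1                 # 1-based, as an operator reads the list

    def remove(self, ip):
        self.slots[self.slots.index(ip)] = None   # leave a hole, shift nothing

    def order(self):
        return [ip for ip in self.slots if ip is not None]

    def reorder_plan(self, desired):
        """Return the CLI steps that make order() equal `desired`.

        Command syntax is assumed from the thread: "no radius-server host <ip>"
        removes a server, "radius-server host <ip>" adds one. Servers already in
        the right position (a hole-free prefix) are left alone; everything after
        that is removed and re-added in the wanted order, so each re-add lands
        in the next empty position.
        """
        keep = 0
        while keep < len(desired) and self.slots[keep] == desired[keep]:
            keep += 1
        steps = [f"no radius-server host {ip}"
                 for ip in self.slots[keep:] if ip is not None]
        steps += [f"radius-server host {ip}" for ip in desired[keep:]]
        return steps

    def apply(self, steps):
        """Run the plan against the model so the result can be checked first."""
        for step in steps:
            ip = step.rsplit(" ", 1)[1]
            self.remove(ip) if step.startswith("no ") else self.add(ip)
        return self.order()


if __name__ == "__main__":
    current = failover_order(SAMPLE_SHOW_RADIUS)
    servers = RadiusServerList(current)
    wanted = ["172.16.32.10", "172.16.32.11", "172.16.32.12"]
    for step in servers.reorder_plan(wanted):
        print(step)
    print("resulting order:", servers.apply(servers.reorder_plan(wanted)))
```

The model makes the point of the reply visible: removing one address and adding it straight back puts it into the same hole, so the order is unchanged; to move a server up you have to clear every position above the one you want it in and re-add in the intended sequence. Because the plan removes servers before re-adding them, run it during a maintenance window and verify with show radius afterwards.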
Frequent Contributor II

Re: Radius server list - Arubaos switch

Got it! I'll proceed that way then.

I have another question regarding the unauth-vid: I wanted to use this option when the CPPM isn't reachable from the switch.

Below is the port configuration:

Ports Configuration:
aaa port-access authenticator active
aaa port-access authenticator x-y client-limit 10
aaa port-access authenticator x-y unauth-vid 33
aaa port-access mac-based x-y
aaa port-access mac-based x-y addr-limit 10
aaa port-access mac-based x-y unauth-vid 32
aaa port-access authenticator x-y
aaa port-access authenticator x-y supplicant-timeout 10
aaa port-access authenticator x-y tx-period 10

 

Based on this setup, I wanted to confirm that, when CPPM isn't reachable:

802.1X users (example: Windows PC) will be assigned to VLAN 33

and MAC-auth devices (phones, APs, printers) will be assigned to VLAN 32, and how do I tell the switch that VLAN 32 is a tagged VLAN?

 

thank you

 

Frequent Contributor II

Re: Radius server list - Arubaos switch

In addition, one thing I want to make sure of is that unauth-vid will take effect ONLY IF the RADIUS server isn't reachable, and not if the device/client failed to authenticate.