Wired Intelligent Edge


Radius server list - Arubaos switch

  • 1.  Radius server list - Arubaos switch

    Posted May 20, 2020 11:24 PM

    Hello Folks, 

    I have a switch that point to 3 clearpass servers, 

    wanted to know if there is a way to make an order list for radius servers, 

    means: 

    - Switch to send auth request to cppm01 first

    - If cppm03 isn't reachable send auth request to cppm02

    - if cppm01 isn't reachable send auth request to cppm03

    right now it looks like the switch is doing cppm02 > cppm01 > cppm03

     

    switch model: 2620 / RA.16.01

     



  • 2.  RE: Radius server list - Arubaos switch

    MVP EXPERT
    Posted May 21, 2020 03:54 AM

    The switch supports authentication and accounting using up to 15 RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius. If the first server does not respond, the switch tries the next one, and so on.

     

    See page 237 to change the RADIUS auth priority.

     

    Access Security Guide for ArubaOS 

     

    When you add a server IP address, it is placed in the highest empty position in the list. 



  • 3.  RE: Radius server list - Arubaos switch

    Posted May 21, 2020 12:31 PM

    Hello Craig, 

    I had access to the switch recently; the "show radius" output is below:

     

    SWAC1B# show radius

    Status and Counters - General RADIUS Information

    Deadtime (minutes) : 0
    Timeout (seconds) : 5
    Retransmit Attempts : 3
    Global Encryption Key : <Encry Key>
    Dynamic Authorization UDP Port : 3799
    Source IP Selection : Outgoing Interface
    Source IPv6 Selection : Outgoing Interface
    Tracking : Disabled

                       Auth  Acct  DM/  Time   |
    Server IP Addr     Port  Port  CoA  Window | Encryption Key
    ---------------    ----- ----- ---  ------ + --------------------------------
    172.16.32.12       1812  1813  Yes  0      | <Encry Key>
    172.16.32.11       1812  1813  Yes  0      | <Encry Key>
    172.16.32.10       1812  1813  Yes  0      | <Encry Key>

    That means the auth request will be sent in this order in case of CPPM reachability issues: '32.12' > '32.11' > '32.10', right?

    And in case I need to change this order, do I need to do

    no radius-server host <IP> and re-add it so it will be placed in first place?

     

    Thanks!

     



  • 4.  RE: Radius server list - Arubaos switch
    Best Answer

    MVP EXPERT
    Posted May 22, 2020 03:38 AM

    That is correct, it will work from the top (highest) to bottom (lowest).


    Adding or deleting a RADIUS server IP address leaves an empty position, but does not change the position of any other server addresses in the list. For example, if you initially configure three server addresses, they are listed in the order in which you entered them.

     

    However, if you subsequently remove for example 172.16.32.11 in the list and add a server address, the new address will be placed second in the list (where 172.16.32.11 was previously).



  • 5.  RE: Radius server list - Arubaos switch

    Posted May 22, 2020 10:58 AM

    Got it! I'll proceed that way then.

     

    I have another question regarding the unauth-vid; I wanted to use this option when the CPPM isn't reachable from the switch.

    Below is the port configuration:

    Ports Configuration:
    aaa port-access authenticator active
    aaa port-access authenticator x-y client-limit 10
    aaa port-access authenticator x-y unauth-vid 33
    aaa port-access mac-based x-y
    aaa port-access mac-based x-y addr-limit 10
    aaa port-access mac-based x-y unauth-vid 32
    aaa port-access authenticator x-y
    aaa port-access authenticator x-y supplicant-timeout 10
    aaa port-access authenticator x-y tx-period 10

     

    Based on this setup, I wanted to confirm that, when the CPPM isn't reachable:

    802.1X users (example: Windows PC) will be assigned to VLAN 33

    and MAC-auth devices (phones, APs, printers) will be assigned to VLAN 32, and how do I tell the switch that VLAN 32 is a tagged VLAN?

     

    Thank you

     



  • 6.  RE: Radius server list - Arubaos switch

    Posted May 22, 2020 11:54 AM
    In addition, one thing I want to make sure of is that unauth-vid will take effect ONLY IF the RADIUS server isn't reachable, and not if the device/client failed to authenticate.