Wired Intelligent Edge

Hi, this may be a daft question but I'm looking for confirmation and maybe some example config snippets.

Can I use RADIUS both for login to the CLI/WebGUI (management) and also at the same time use another RADIUS server for 1x port-authentication? All in one switch config.

I would believe it boils down to the commands

aaa authentication login and

aaa authentication port-access, but how can I associate the respective functions to separate RADIUS servers?

The way someone configured it a long time ago in my environment is to use TACACS for one and RADIUS for the other but I'm thinking there is a way to accomplish this using only RADIUS.

Hi Borgsquirrel,

sure this is possible. You would create different radius servers within your config like this:

radius-server host 10.104.104.41 key "aruba123"

Do this for all your radius servers. 

Afterward, you should group them together, at least whose wit the same function like this:

aaa server-group radius "CPPM" host 10.104.104.41

you can now use them in your config for all kinds of configurations like dot1x:

aaa authentication port-access eap-radius server-group CPPM

and for cli access like this:

aaa authentication ssh login radius server-group CPPM1

Doing so, you can configure a different radius server group for each access method the switch offers. 

hope this helps. 

BR

Florian

Thanks Florian! That was kind of how I thought it would be, very good! Have a nice weekend!