Radius Failover Configuration On Cisco Switch


Scenario

Switch: Cisco 2960, 3650, etc.
Server: Windows NPS Radius server on Server 2012, 2016 or 2019
Description: Configuration of two Radius servers on a Cisco switch for Radius fail-over. This configuration is valid for other Cisco switches as well.

Step1: Enable the AAA model on the switch
The AAA model must be enabled on the switch before Radius can control authentication, authorization and accounting; all of the commands in the following steps depend on it.

edledge-switch(config)#aaa new-model

Step2: Configure the aaa server group and add both Radius servers
Once the AAA model is enabled, create a Radius server group (EDL here) and add both Radius servers to it. The deadtime tells the switch how many minutes to skip a server that has stopped responding before trying it again, which is what makes the fail-over to the second server quick.

Radius Server 1 - edledge-radius01

edledge-switch(config)#aaa group server radius EDL
edledge-switch(config-sg-radius)#server name edledge-radius01
edledge-switch(config-sg-radius)#deadtime 1

Radius Server 2 - edledge-radius02

edledge-switch(config)#aaa group server radius EDL
edledge-switch(config-sg-radius)#server name edledge-radius02
edledge-switch(config-sg-radius)#deadtime 1

Step3: Configure the Authentication, Authorization & Accounting method lists to use group EDL

edledge-switch(config)#aaa authentication login default local group EDL
edledge-switch(config)#aaa authentication dot1x default group EDL
edledge-switch(config)#aaa authorization network default group EDL
edledge-switch(config)#aaa accounting dot1x default start-stop group EDL

Step4: Configure both Radius server details on the switch

Radius Server 1 - edledge-radius01

edledge-switch(config)#radius server edledge-radius01
edledge-switch(config-radius-server)#address ipv4 10.1.11.11 auth-port 1812 acct-port 1813
edledge-switch(config-radius-server)#key edledge

Radius Server 2 - edledge-radius02

edledge-switch(config)#radius server edledge-radius02
edledge-switch(config-radius-server)#address ipv4 10.2.11.11 auth-port 1812 acct-port 1813
edledge-switch(config-radius-server)#key edledge

Save both keys, as the same key (shared secret) is used when this switch (host) is added as a Radius client on each server.

Step5: Check that both Radius servers are in the Radius group EDL

The running configuration should show both servers under the group:

aaa group server radius EDL
 server name edledge-radius01
 server name edledge-radius02
 deadtime 1
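To run the same check over an exported running-config instead of reading it by eye, here is an added Python audit (my example, not part of the original article). It parses the `aaa group server radius` and `radius server` blocks and reports anything that would stop group EDL from failing over: fewer than two servers, no deadtime, or a group member without an address and key. The embedded config is a constructed sample built from the steps above.

```python
# Constructed sample: the running-config sections that Steps 2, 4 and 5 above produce.
RUNNING_CONFIG = """\
aaa group server radius EDL
 server name edledge-radius01
 server name edledge-radius02
 deadtime 1
radius server edledge-radius01
 address ipv4 10.1.11.11 auth-port 1812 acct-port 1813
 key edledge
radius server edledge-radius02
 address ipv4 10.2.11.11 auth-port 1812 acct-port 1813
 key edledge
"""

def parse_config(text):
    """Collect 'aaa group server radius' and 'radius server' blocks from IOS config text."""
    groups, servers, block = {}, {}, None
    for line in filter(str.strip, text.splitlines()):
        words = line.split()
        if not line.startswith(" "):  # an unindented command closes any open block
            block = None
            if line.startswith("aaa group server radius "):
                block = groups.setdefault(words[4], {"servers": [], "deadtime": None})
            elif line.startswith("radius server "):
                block = servers.setdefault(words[2], {"address": None, "key": False})
        elif block is not None:  # indented sub-command of the open block
            if words[:2] == ["server", "name"] and "servers" in block:
                block["servers"].append(words[2])
            elif words[0] == "deadtime" and "deadtime" in block:
                block["deadtime"] = int(words[1])
            elif words[:2] == ["address", "ipv4"] and "address" in block:
                block["address"] = words[2]
            elif words[0] == "key" and "key" in block:
                block["key"] = True
    return groups, servers

def audit_failover(text, group="EDL"):
    """Return findings that would stop the group from failing over; an empty list means ready."""
    groups, servers = parse_config(text)
    g = groups.get(group)
    if g is None:
        return [f"group {group} is not defined"]
    findings = []
    if len(g["servers"]) < 2:
        findings.append(f"group {group} lists {len(g['servers'])} server(s); failover needs two")
    if g["deadtime"] is None:
        findings.append(f"group {group} has no deadtime, so a dead server is retried on every request")
    findings += [f"server {n} has no 'radius server' block with both address and key"
                 for n in g["servers"] if not all(servers.get(n, {}).get(k) for k in ("address", "key"))]
    return findings
```

Paste the output of the switch's running configuration into `RUNNING_CONFIG` (or read it from a file) and call `audit_failover`; an empty list means the group matches what Step 5 expects.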

Now add the switch as a host (Radius client) on each Radius server so that the server starts authenticating hosts according to its Radius policies.

Step6: Log in to the Radius server, open Server Manager and then Network Policy Server (NPS)

mstsc ==>Radius server ==> Server Manager ==> Network Policy Server

Step7: Add the host (switch) to Radius Server 1

Right-click "Radius Clients" and then click "New".

Step8: Enter the host (switch) details on the Radius server

Name of the switch - edledge-switch
IP address of the switch - 10.1.1.1
Key - the same key used in Step 4 [edledge]

Press "OK" to save.

Step9: Repeat Step 8 on Radius Server 2 to add the host (switch) details there as well

Step10: Ensure the hostname with the correct IP is now visible in the Radius Clients list on both Radius servers (Radius Server 1 and Radius Server 2)

The switch is now set up for testing and added to both Radius servers. Make sure the switch is able to ping both Radius servers; once policies are added on the server, we are good to go. Standalone Radius configuration on a Cisco switch for authentication is explained in the attached article.

Source: Cisco, Lab, Knowledge Base

EA00022
