Radius Failover Configuration On Cisco Switch


Scenario

Switch: Cisco 2960, 3650, etc.
Server: Radius Server 2012, 2016, 2019
Description: In this article we will discuss a stepwise method of configuring two Radius servers on a Cisco switch for Radius failover. This configuration is valid for other Cisco switches as well.

Configuration on Switch

Step1: Configure aaa model
It is important to configure the aaa new-model on the switch so that Radius can control Authentication, Authorization, and Accounting.

edledge-switch(config)#aaa new-model

Step2: Configure the aaa group
Once the aaa model is configured, configure the radius server group and add both radius servers to it.

Radius Server 1 - edledge-radius01

edledge-switch (config)#aaa group server radius EDL
edledge-switch (config-edledge-radius)#server name edledge-radius01
edledge-switch (config-edledge-radius)#deadtime 1

Radius Server 2 - edledge-radius02

edledge-switch (config)#aaa group server radius EDL
edledge-switch (config-edledge-radius)#server name edledge-radius02
edledge-switch (config-edledge-radius)#deadtime 1

Step3: Configure Authentication, Authorization & Accounting
Configure authentication, authorization and accounting to use the group EDL as shown below.

edledge-switch (config)#aaa authentication login default local group EDL
edledge-switch (config)#aaa authentication dot1x default group EDL
edledge-switch (config)#aaa authorization network default group EDL
edledge-switch (config)#aaa accounting dot1x default start-stop group EDL

Step4: Radius Server Details
Now configure the details of both radius servers (address, ports and shared key) on the switch. Execute the commands as shown below.

Radius Server 1 - edledge-radius01

edledge-switch (config)#radius server edledge-radius01
edledge-switch (config-radius-server)#address ipv4 10.1.11.11 auth-port 1812 acct-port 1813
edledge-switch (config-radius-server)#key edledge

Radius Server 2 - edledge-radius02

edledge-switch (config)#radius server edledge-radius02
edledge-switch (config-radius-server)#address ipv4 10.2.11.11 auth-port 1812 acct-port 1813
edledge-switch (config-radius-server)#key edledge

Save both keys, as the same key will be used when this switch (host) is added to the servers.

Step5: Radius Servers Status
Now check the running configuration and ensure both Radius servers are added to the Radius group EDL:

aaa group server radius EDL
 server name edledge-radius01
 server name edledge-radius02
 deadtime 1
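As an added example (not part of the original article), the following Python check parses the running-config sections built in Steps 2 to 4 and confirms that the failover pair is complete: both servers are members of the group, the group has a deadtime, and each server has an address with ports and a shared key. The sample configuration is constructed for the example, not captured from a real device.

```python
# Constructed sample of the running-config sections from Steps 2 to 4.
SAMPLE_CONFIG = """
aaa group server radius EDL
 server name edledge-radius01
 server name edledge-radius02
 deadtime 1
radius server edledge-radius01
 address ipv4 10.1.11.11 auth-port 1812 acct-port 1813
 key edledge
radius server edledge-radius02
 address ipv4 10.2.11.11 auth-port 1812 acct-port 1813
 key edledge
"""


def parse_sections(config):
    """Map each top-level IOS config line to its indented child lines."""
    sections, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def audit_radius_failover(config, group="EDL"):
    """Return the problems found; an empty list means the failover pair is complete."""
    sections = parse_sections(config)
    group_lines = sections.get(f"aaa group server radius {group}")
    if group_lines is None:
        return [f"group {group} is not defined"]
    problems = []
    members = [ln.split()[-1] for ln in group_lines if ln.startswith("server name ")]
    if len(members) < 2:
        problems.append(f"group {group} has {len(members)} server(s); failover needs two")
    if not any(ln.startswith("deadtime ") for ln in group_lines):
        problems.append(f"group {group} has no deadtime, so a dead server is never skipped")
    for name in members:
        server = sections.get(f"radius server {name}")
        if server is None:
            problems.append(f"{name} is in the group but has no 'radius server' block")
            continue
        # The address line must carry both the auth and acct ports (Step 4).
        if not any(ln.startswith("address ipv4 ") and "auth-port" in ln and "acct-port" in ln for ln in server):
            problems.append(f"{name} has no address with auth/acct ports")
        if not any(ln.startswith("key ") for ln in server):
            problems.append(f"{name} has no shared key")
    return problems
```

Run it against the output of `show running-config` pasted into a file to confirm the switch is ready before moving on to the server side.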

Now it is time to add the host (switch) to the server so that the Radius server starts authenticating hosts as per the Radius policies.

Configuration on Radius Server

Step6: Radius Server
Log in to the Radius server, open Server Manager and then Network Policy Server (NPS).

mstsc ==>Radius server ==> Server Manager ==> Network Policy Server

Step7: Adding Host
Add the host, i.e. the switch, to Radius Server 1 as shown below.

Right-click on "RADIUS Clients" and then click "New".

Step8: Add host details
Add the host details, i.e. the switch, to the Radius server as shown below.

Name of the switch - edledge-switch
IP address of the switch - 10.1.1.1
Key - The same key we used in Step 4 [edledge]

Press "OK" to save.

Step9: Repeat Step8 on Radius Server 2 to add the host (switch) details on Radius Server 2.

Step10: Confirmation
Ensure the switch hostname with the correct IP address is now visible under RADIUS Clients on both Radius Servers (Radius Server 1 & Radius Server 2).

The switch is now set up for testing and added to both Radius servers. Make sure the switch is able to ping the Radius servers; once policies are added on the server, we are good to go. Standalone Radius configuration on a Cisco switch for authentication is explained in the attached article.

Source: Cisco, Lab, Knowledge Base

EA00022
