Radius authentication config question?

Answered Question
Apr 6th, 2010

Can anyone tell me what the difference is between adding the "server..." line and not adding it when doing RADIUS authentication?


aaa new-model
aaa group server radius ADMINS
server 172.23.16.20 auth-port 1645 acct-port 1646


Compared to:


aaa new-model
aaa group server radius ADMINS


These are 2 different switches, but RADIUS is working fine on both of them. The second one does not have the "server..." line.


TIA

Giuseppe Larosa Tue, 04/06/2010 - 11:05

Hello Dpatten,

In the first case a group of RADIUS servers is defined with one member, which is defined by the server line.

Multiple members could be defined in the server group using other server ... lines.


This does not forbid the use of the older syntax to define a standalone RADIUS server in global config.


I would expect the second switch to have a RADIUS server defined in global config and to use it for AAA.


In other words, in the second switch an empty group of RADIUS servers is defined.


I would check with

sh run | inc radius


to see this


Otherwise some external entity would have to tell it the IP address of an active RADIUS server, but I'm not aware of this option.




Hope to help

Giuseppe

dpatten78 Tue, 04/06/2010 - 11:20

Giuseppe


RADIUS servers are defined in the global config on both switches:


radius-server host 172.23.16.20 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
radius-server host 172.23.16.22 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx


So if I don't have any specified in the aaa group but do have them specified in the global config, it obviously works fine. If I specifically put them in the aaa group, will it use only the ones I specify?

Correct Answer
Giuseppe Larosa Tue, 04/06/2010 - 12:25

Hello DPatten,


>> RADIUS servers are defined in the global config on both switches:

as could be expected.


You could refer to the RADIUS server group in AAA method lists instead of using the individual servers.


That's all!

See it as an additional level of abstraction that you can use or not.


You can check by looking at the aaa lines:


sh run | inc aaa


See the configuration guide

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_radius.html#wp1001168


section

Configuring AAA Server Groups


Hope to help

Giuseppe
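As an added example that is not part of the thread (and not anything Cisco ships), the script below reads a running-config like the ones posted, resolves each AAA method list to the servers it will actually try, and reports the two things this thread turns on: a named group that is defined but has no server members, and the difference between a method list that says group radius (every host defined with radius-server host) and one that names a group (only that group's members, so a host defined globally but not added to the group is never tried). The two embedded configs are constructed to mirror the two switches; the method lists are assumed, since the thread does not show them.

```python
"""Resolve which RADIUS servers each Cisco IOS AAA method list will try.

Added example, not code from the thread. It models the semantics discussed:
global 'radius-server host' lines define servers; 'aaa group server radius
NAME' with indented 'server' lines names a subset; a method list that says
'group radius' uses every global host, 'group NAME' only NAME's members.
"""
import re

HOST_RE = re.compile(r"^radius-server host (\S+)")
GROUP_RE = re.compile(r"^aaa group server radius (\S+)")
MEMBER_RE = re.compile(r"^\s+server (\S+)")
METHOD_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (\S+) (.+)$")
ACCT_RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "broadcast"}

def parse_methods(spec):
    """'start-stop group ADMINS local' -> [('group', 'ADMINS'), ('local', None)]."""
    toks = [t for t in spec.split() if t not in ACCT_RECORD_TYPES]
    methods = []
    while toks:
        t = toks.pop(0)
        methods.append(("group", toks.pop(0)) if t == "group" and toks else (t, None))
    return methods

def parse_config(text):
    """Collect global hosts, named groups and method lists from a running-config."""
    cfg = {"hosts": [], "key7_hosts": [], "groups": {}, "method_lists": []}
    current_group = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace():  # indented line belongs to the open group, if any
            if current_group is not None and (m := MEMBER_RE.match(line)):
                cfg["groups"][current_group].append(m.group(1))
            continue
        current_group = None  # any top-level line closes the group
        if m := HOST_RE.match(line):
            cfg["hosts"].append(m.group(1))
            if " key 7 " in line:  # type 7 is reversible obfuscation, not encryption
                cfg["key7_hosts"].append(m.group(1))
        elif m := GROUP_RE.match(line):
            current_group = m.group(1)
            cfg["groups"].setdefault(current_group, [])
        elif m := METHOD_RE.match(line):
            cfg["method_lists"].append((m[1], m[2], m[3], parse_methods(m[4])))
    return cfg

def resolve(cfg, methods):
    """Expand each method into (label, servers tried in order); collect warnings."""
    steps, warnings = [], []
    for kind, arg in methods:
        if kind != "group":  # local, enable, line, none ...: no server involved
            steps.append((kind, []))
        elif arg == "radius":  # built-in group: every globally defined host
            steps.append(("radius", list(cfg["hosts"])))
        elif arg in cfg["groups"]:  # named group: only its members, in order
            if not cfg["groups"][arg]:
                warnings.append(f"group {arg} is referenced but has no members")
            steps.append((arg, list(cfg["groups"][arg])))
        else:
            warnings.append(f"group {arg} is referenced but never defined")
            steps.append((arg, []))
    return steps, warnings

def audit(text):
    """Return ({'type service name': {'steps', 'warnings'}}, config-wide notes)."""
    cfg = parse_config(text)
    report = {}
    for kind, service, name, methods in cfg["method_lists"]:
        steps, warnings = resolve(cfg, methods)
        report[f"{kind} {service} {name}"] = {"steps": steps, "warnings": warnings}
    notes = [f"group {g} is defined but empty" for g, m in cfg["groups"].items() if not m]
    notes += [f"host {h} uses a type 7 key" for h in cfg["key7_hosts"]]
    return report, notes

# Constructed to mirror the thread: the first switch lists one member in ADMINS;
# the method lists (not shown in the thread) are assumptions.
SWITCH_A = """\
aaa new-model
aaa group server radius ADMINS
 server 172.23.16.20 auth-port 1645 acct-port 1646
!
aaa authentication login default group ADMINS local
aaa authorization exec default group ADMINS local
!
radius-server host 172.23.16.20 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
radius-server host 172.23.16.22 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
"""
# The second switch has an empty ADMINS group and (assumed) says 'group radius'.
SWITCH_B = (SWITCH_A.replace(" server 172.23.16.20 auth-port 1645 acct-port 1646\n", "")
            .replace("group ADMINS", "group radius"))

if __name__ == "__main__":
    for label, text in (("switch A", SWITCH_A), ("switch B", SWITCH_B)):
        report, notes = audit(text)
        print(f"== {label}")
        for ml, r in report.items():
            print(f"  {ml}:", " -> ".join(f"{k}{s}" if s else k for k, s in r["steps"]))
            for w in r["warnings"]:
                print("    warning:", w)
        for n in notes:
            print("  note:", n)
```

On a real box the input is the output of sh run | inc radius|aaa. For the first switch the script shows the login list trying only 172.23.16.20 before falling back to local, with 172.23.16.22 defined globally but never used by that list; for the second it shows group radius trying both hosts and flags the empty ADMINS group. It also lists hosts whose shared secret is stored with key 7: type 7 is reversible obfuscation, so a running-config containing those lines has to be handled as if the RADIUS secret were in the clear.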
