08-04-2010 06:03 AM - edited 03-06-2019 12:18 PM
Hello,
Does anybody know why it is not possible to specify a radius-server host on switch IOS as a hostname? Even if there is a correct DNS record, the running-config line is changed to an IP address. Are there any high-level arguments for suppressing this configuration possibility? I would like to test GSS between the authenticator (switch) and the authentication servers (enforcer group).
Thanks in advance.
Radim
08-04-2010 01:37 PM
I believe some of it has to do with the fact that DNS takes time in and of itself, slowing down the authentication process when you first resolve the name, then direct packets to the IP. DNS is often slower and can take seconds to resolve, whereas the timeouts for RADIUS can often occur first.
A good way to get around this is to use anycast-like addressing (works well for UDP services). Several hosts have the same IP; the most specific is the one that wins in any given case.
This doesn't work as well in a LAN, but you can at least specify several RADIUS hosts by IP for redundancy in that case.
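An added configuration example (not from this thread) of the redundancy-by-IP approach described above, in classic IOS radius-server syntax; the 192.0.2.x addresses, the group name RADGRP and the <SHARED-SECRET> placeholder are constructed for illustration:

```text
! Added example, not from this thread. Two RADIUS servers are listed by IP,
! so no DNS lookup sits in the authentication path. 192.0.2.10/.11, RADGRP
! and <SHARED-SECRET> are placeholders.
!
! "radius-server host radius1.example.com ..." is accepted at the CLI, but
! IOS resolves it once and stores the IP in the running-config, which is
! exactly what the question observes.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
! Seconds to wait for a reply on each attempt
radius-server timeout 3
! Retries before the request is given up on and the next server is tried
radius-server retransmit 2
! Minutes to skip a server that has stopped answering instead of waiting
! on it again for every authentication
radius-server deadtime 10
!
aaa new-model
aaa group server radius RADGRP
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.11 auth-port 1812 acct-port 1813
!
! Bind the group to 802.1X authentication on the switch (the authenticator)
aaa authentication dot1x default group RADGRP
```

With deadtime set, a server that has timed out is skipped for the configured interval, so supplicants are not held for the full timeout/retransmit cycle on every request once the first server has gone quiet.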
08-04-2010 07:11 AM
Hi,
I guess the reason is security?
To prevent a possible DNS spoofing attack?
BR,
Milan
08-06-2010 04:30 AM
Thanks to both Milan and Tim for the suggestions!
R.