Solved: Switch: radius-server host HOSTNAME problem

Radim Jurica · ‎08-04-2010

Hello,

do know anybody why there is no possible to specify radius-server host on switch IOS as hostname? Even if there is correct DNS record running-conf line is changed to IP address. Are there any high-level arguments for suppresion this config possibilities? I would like to test GSS between authenticator (switch) and authentication servers (enforcer group).

Thanx in advance.

Radim

tprendergast · ‎08-04-2010

I believe some of it has to do with the fact that DNS takes time in and of itself, slowing down the authentication process when you first resolve the name, then direct packets to the IP. DNS is often slower and can take seconds to resolve, whereas the timeouts for RADIUS can often occur first.

A good way to get around this is to use anycast-like addressing (works well for UDP services). Several hosts with the same IP, most specific is the one that wins in any given case.

This doesn't work as well in a LAN, but you can at least specify several RADIUS hosts by IP for redundancy in that case.

View solution in original post

milan.kulik · ‎08-04-2010

Hi,

I guess the reason is security?

To prevent a possible DNS spoofing attack?

BR,

Milan

tprendergast · ‎08-04-2010

I believe some of it has to do with the fact that DNS takes time in and of itself, slowing down the authentication process when you first resolve the name, then direct packets to the IP. DNS is often slower and can take seconds to resolve, whereas the timeouts for RADIUS can often occur first.

A good way to get around this is to use anycast-like addressing (works well for UDP services). Several hosts with the same IP, most specific is the one that wins in any given case.

This doesn't work as well in a LAN, but you can at least specify several RADIUS hosts by IP for redundancy in that case.

Radim Jurica · ‎08-06-2010

Thanx both Milan and Tim for suggestion!

R.