01-19-2014 08:20 AM - edited 07-05-2021 12:00 AM
I have been trying to configure primary and secondary RADIUS servers for a specific authentication method, in this case EAP. I have been researching configuration examples, unsuccessfully.
I am wondering if the following command will work as I intend:
#aaa authentication login eap_methods group loc_eap group rad_eap
From this command I think that the AP will go and search for the login credentials on its local RADIUS server (loc_eap), and if those credentials are not found the AP will go and search for the credentials on the remote RADIUS (rad_eap).
Is that correct? If not, how could I make it work?
01-19-2014 08:29 AM
From what I know, the second method is only used if the primary isn't reachable. If the primary is reachable, that RADIUS will send a reject and the auth will fail. It will not try the second method after the first has sent an accept or reject.
Sent from Cisco Technical Support iPhone App
01-19-2014 08:32 AM
What you can usually do if your RADIUS is ACS or ISE is use an identity sequence. So you can specify AD as the primary and then local (on the RADIUS) as backup, or vice versa. Then create a local user in the AP in case the RADIUS isn't available.
Sent from Cisco Technical Support iPhone App
01-19-2014 04:00 PM
Hi Robin,
Regarding the below query
From this command I think that the AP will go and search for the login credentials on its local RADIUS server (loc_eap), and if those credentials are not found the AP will go and search for the credentials on the remote RADIUS (rad_eap).
Is that correct? If not, how could I make it work?
Scott is right here: if your user credential is not found in the first listed method, you will get an access reject. It will only go to the other authentication methods if the first one fails to respond.
"A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted."
Ref:
HTH
Rasika
**** Pls rate all useful responses ****
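To make the difference between "rejects" and "fails to respond" concrete, here is an added Python model of the method-list walk described in the quoted documentation. This is example code written for this page, not Cisco's code or the poster's configuration; the method names loc_eap and rad_eap come from the question, and the per-server responses are constructed.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "access-accept"
    REJECT = "access-reject"
    NO_RESPONSE = "no response"  # server unreachable or timed out


def evaluate_method_list(methods, responses):
    """Walk an IOS-style AAA login method list for one user.

    methods   : ordered method names, e.g. ["loc_eap", "rad_eap"]
    responses : dict of method name -> Result that method gives for the user
                (constructed for this example)

    Semantics from the IOS AAA documentation quoted above:
      * a method that does not respond is skipped and the next one is tried
      * an ACCEPT or REJECT from any method is final; later methods are
        never consulted, so a reject from loc_eap never "falls through"
        to rad_eap
      * if every method is exhausted without a response, no method has
        decided and the login does not succeed (outcome None)

    Returns (outcome, deciding_method, methods_tried).
    """
    tried = []
    for name in methods:
        tried.append(name)
        result = responses.get(name, Result.NO_RESPONSE)
        if result is Result.NO_RESPONSE:
            continue  # only a non-answer moves us down the list
        return result, name, tried
    return None, None, tried


# The method list from the question: aaa authentication login eap_methods ...
EAP_METHODS = ["loc_eap", "rad_eap"]


def scenario(local, remote):
    """Evaluate eap_methods with constructed answers from each server."""
    return evaluate_method_list(EAP_METHODS, {"loc_eap": local, "rad_eap": remote})


if __name__ == "__main__":
    # The case the poster hoped would fall back: unknown user on loc_eap.
    print(scenario(Result.REJECT, Result.ACCEPT))        # rejected by loc_eap
    # The only case that reaches rad_eap: loc_eap does not answer at all.
    print(scenario(Result.NO_RESPONSE, Result.ACCEPT))   # accepted by rad_eap
    print(scenario(Result.NO_RESPONSE, Result.NO_RESPONSE))
```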