Cisco Support Community
Autonomous AP with two radius groups.

I have been trying to configure primary and secondary radius servers for a specific authentication method, in this case EAP. I have been researching configuration examples unsuccessfully.

I am wondering if the following command will work as intended by me:

#aaa authentication login eap_methods group loc_eap group rad_eap

From this command I think that the AP will go and search for the login credentials on its local radius server (loc_eap) and, if those credentials are not found, the AP will go and search for the credentials on the remote radius (rad_eap).

Is that correct? If not, how could I do it?

3 REPLIES

Re: Autonomous AP with two radius groups.

From what I know, the second method is only used if the primary isn't reachable. If the primary is reachable, that radius will send a reject and the auth will fail. It will not try the second method after the first has sent an accept or reject.

-Scott
*** Please rate helpful posts ***

Re: Autonomous AP with two radius groups.

What you can usually do if your radius is ACS or ISE is use an identity sequence. So you can specify AD as the primary and then local (on the radius) as backup, or vice versa. Then create a local one in the AP if the radius isn't available.

-Scott
*** Please rate helpful posts ***

Re: Autonomous AP with two radius groups.

Hi Robin,

Regarding the below query

From this command I think that the AP will go and search for the login credentials on its local radius server (loc_eap) and, if those credentials are not found, the AP will go and search for the credentials on the remote radius (rad_eap).

Is that correct? If not, how could I do it?

Scott is right here: if your user credential is not found in the first listed method you will get an access reject. It will only go to the other authentication methods if the first one fails to respond.

"A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted."

Ref:

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap13-radius-tacacs.html

HTH

Rasika

**** Pls rate all useful responses ****
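The practical consequence of the method-list rule quoted above is that the order in the original command is backwards for the stated goal: a local RADIUS server that answers with an Access-Reject for an unknown user stops the whole attempt, and the external server is never asked. The fragment below is an added configuration example written for this thread, not the poster's config or Cisco's reference configuration. It puts the external RADIUS server first and the AP's own local RADIUS server second, so the local accounts are consulted only when the external server stops responding. The addresses 10.10.10.5 (external server) and 10.10.10.1 (AP BVI), the shared secrets, the SSID name and the user name are all placeholders.

```cisco
! Added example: external RADIUS primary, AP-local RADIUS as reachability backup.
! All addresses, keys, SSID and user names below are assumed placeholders.
aaa new-model
!
! External RADIUS server. timeout/retransmit bound how long a silent server is
! retried before the AP treats it as unreachable and moves to the next method;
! deadtime keeps it marked dead for that many minutes so fallback is immediate.
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key 0 ExtSharedSecret
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 10
!
! The AP's own local authenticator, reached on the BVI address.
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key 0 LocalSharedSecret
!
aaa group server radius rad_eap
 server 10.10.10.5 auth-port 1812 acct-port 1813
!
aaa group server radius loc_eap
 server 10.10.10.1 auth-port 1812 acct-port 1813
!
! External first. An Access-Reject from rad_eap ends the attempt; loc_eap is
! only tried when rad_eap does not answer at all.
aaa authentication login eap_methods group rad_eap group loc_eap
!
! Local authenticator: the AP itself is the only NAS. Keep here only the
! accounts that must keep working while the external server is down.
radius-server local
 nas 10.10.10.1 key 0 LocalSharedSecret
 user backupuser password 0 BackupUserPass
!
dot11 ssid CorpEAP
 authentication open eap eap_methods
 authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid CorpEAP
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
```

Two caveats worth checking before relying on this. First, the fallback only ever triggers on a timeout, so the effective outage window is roughly timeout times (retransmit + 1) per server until deadtime marks it dead; tune those values rather than leaving defaults. Second, the local authenticator on an autonomous AP supports LEAP, EAP-FAST and MAC-based authentication, not PEAP or EAP-TLS, so clients configured for those EAP types will still fail while the external server is down, regardless of the method-list order.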
