Cisco Support Community
New Member

Radius authentication config question?

Can anyone tell me what the difference is between adding the "server..." line and not adding it when doing Radius authentication?

aaa new-model
aaa group server radius ADMINS
 server 172.23.16.20 auth-port 1645 acct-port 1646

Compared to:

aaa new-model
aaa group server radius ADMINS

2 different switches, but RADIUS is working fine on both of them. The second one does not have the "server...." line.


TIA

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Radius authentication config question?

Hello DPatten,

>> Radius servers are defined in the global config on both switches:

As could be expected.

You could refer to the RADIUS server group in AAA method lists instead of using the individual servers.

That's all!

See it as an additional level of abstraction that you can use or not.

You can check by looking at the aaa lines:

sh run | inc aaa

See the configuration guide, section "Configuring AAA Server Groups":

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_radius.html#wp1001168

Hope to help

Giuseppe

3 REPLIES
Hall of Fame Super Silver

Re: Radius authentication config question?

Hello Dpatten,

In the first case a group of RADIUS servers is defined with one member, the one defined by the server line.

Multiple members could be defined in the server group using other server ... lines.

This does not forbid the use of the older syntax to define a standalone RADIUS server in global config.

I would expect the second switch to have a RADIUS server defined in global config and to use it for AAA.

In other words, on the second switch an empty group of RADIUS servers is defined.

I would check with

sh run | inc radius

to see this.

Otherwise some external entity should tell the IP address of an active RADIUS server, but I'm not aware of this option.

Hope to help

Giuseppe

New Member

Re: Radius authentication config question?

Giuseppe

Radius servers are defined in the global config on both switches:

radius-server host 172.23.16.20 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx
radius-server host 172.23.16.22 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxx

So if I don't have any specified in the aaa but do have them specified in the global config it obviously works fine.  If I specifically put them in the aaa group it will use only the ones I specify?
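
The check suggested in the replies (sh run | inc aaa and sh run | inc radius), run offline against a saved config, as an added example that is not part of the original thread. The sample config is constructed from the lines quoted here; the group EMPTY and all three "aaa authentication" lines are assumptions, since the thread never shows the method lists.

```python
import re

# Constructed excerpt: group ADMINS and the radius-server host lines follow the
# thread; group EMPTY and the method lists are assumptions for illustration.
SAMPLE = """\
aaa new-model
aaa group server radius ADMINS
 server 172.23.16.20 auth-port 1645 acct-port 1646
aaa group server radius EMPTY
aaa authentication login default group radius local
aaa authentication login VTY group ADMINS local
aaa authentication login LAB group EMPTY local
radius-server host 172.23.16.20 auth-port 1645 acct-port 1646 key 7 xxxx
radius-server host 172.23.16.22 auth-port 1645 acct-port 1646 key 7 xxxx
"""

def audit(config):
    """Return ({method list line: server IPs it names}, [findings])."""
    hosts, groups, methods, findings, current = [], {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = []
            continue
        # "server <ip>" lines belong to the group opened just above them.
        if current and (m := re.match(r"server (\d+\.\d+\.\d+\.\d+)", line)):
            groups[current].append(m.group(1))
            continue
        current = None
        if m := re.match(r"radius-server host (\S+)", line):
            hosts.append(m.group(1))
        elif re.match(r"aaa (authentication|authorization|accounting) ", line):
            methods.append((line, re.findall(r"\bgroup (\S+)", line)))
    for name, members in groups.items():
        if not members:
            findings.append(f"group {name}: no server lines")
        findings += [f"group {name}: {ip} has no radius-server host entry"
                     for ip in members if ip not in hosts]
    resolved = {}
    for line, refs in methods:
        for ref in refs:
            if ref == "radius":          # built-in group: every global host
                resolved.setdefault(line, []).extend(hosts)
            elif ref in groups:          # named group: only its server lines
                resolved.setdefault(line, []).extend(groups[ref])
            else:
                findings.append(f"undefined group {ref} in: {line}")
    return resolved, findings
```

A method list that says "group radius" resolves to every radius-server host entry, while one that names ADMINS resolves only to that group's server lines; the report flags groups with no server lines so you can confirm which method lists actually reference them.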

