NAC authentication and mgmt authentication with the same radius servers

JohanHendrikx
Contributor II
In my test environment I have a switch (X440G2 22.7.1.2) configured for NAC with two radius servers.

In the AAA configuration I see two netlogin radius entries, the radius mgmt-access is disabled, and the policy works fine.

As an expansion of the configuration, I also want management requests to be handled by the radius servers.
So I configure the same radius server as for authentication.

Now I see in the AAA configuration that the netlogin rules are replaced by mgmt-access rules and that the radius netlogin is disabled.

Can't I use the same radius servers for mgmt as for authentication?
Johan Hendrik System Architect Audax

JohanHendrikx
Contributor II
Ryan,

It works.

Thanks for your support.
Johan Hendrik System Architect Audax

JohanHendrikx
Contributor II
Ryan,

I will test it
Johan Hendrik System Architect Audax

Ryan_Yacobucci
Extreme Employee
Hello,

Remove the "Management RADIUS server" and "Management RADIUS server 2" servers. Set them to none.

If you identify Primary Engine and Secondary Engine as the NAC appliances you only need to set the "Auth Access Type" to any. This will identify them to be used for netlogin and mgmt access and configure the switch accordingly.

That should configure the AAA to use the NAC appliances for both netlogin and mgmt login.

Thanks
-Ryan

JohanHendrikx
Contributor II
I'm referring to the switch configuration of the AAA section.

At the moment I configure the management radius, the config of the primary and secondary engine are gone.

Config examples:

Switch is configured for only primary and secondary engines.

configure radius 1 server 1812 client-ip vr VR-Default
configure radius 1 shared-secret encrypted "#$QHoAV1JRHL25Psky9286ihA/eQb5twIipuhGzDsLDrL3fId9ua4zlQA6tElrf8XmjmCsk55g"
configure radius 2 server 1812 client-ip vr VR-Default
configure radius 2 shared-secret encrypted "#$3YuouBFWEkEJ3aeHDxVM+YcELVg0sPdr67z3lZouVh/r+QyCfaG/bfQ7GI1MPpu/X5ed7Xc1"
configure radius-accounting 1 server 10.2.112.2 1813 client-ip 10.2.112.209 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$qdZB1R6z+Up25O4vjfhESlE3MvJhBdSaOdCuaG/stlu6uNlfXpNJbAdUMTFwdifnKnPlmCFc"
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 10.2.113.2 1813 client-ip 10.2.112.209 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$6ygkfu3I9oANOxxLOXakeFXo1/6A38wnFhe1gWuENAqkCzjZI158UJ/UNs3XviNa0DnZ/Xrw"
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin

Switch is configured for both engines and both management radius:

configure radius mgmt-access 1 server 1812 client-ip vr VR-Default
configure radius 1 shared-secret encrypted "#$fipO29phKcl+o6SgtbPEZ6unyZrmd6sZ+nT58kRLJJFVq1lx0QXIXO5QyxHrm5y6rzWgp7H6"
configure radius mgmt-access 2 server 1812 client-ip vr VR-Default
configure radius 2 shared-secret encrypted "#$la/QbhlmQf2p7xkkNHgaE2pR9SWjFaQ7cGCbBbr3BueEieI5Iy65o7XwAqNXx2DLlECTwJBp"
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin


Johan Hendrik System Architect Audax
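
One way to check an exported switch configuration for the situation discussed in this thread, where a realm (netlogin or mgmt-access) is enabled but no RADIUS server is defined for it. This is an added example, not code from the thread or from Extreme; the function names and sample addresses are constructed, and it assumes that a line without a realm keyword applies to both mgmt-access and netlogin.

```python
import re

# "configure radius [mgmt-access|netlogin] <index> server <host> ..."
# Without a realm keyword the entry is treated as serving both realms.
SERVER_RE = re.compile(
    r"^configure radius (?:(mgmt-access|netlogin) )?(\S+) server (\S+)")
# "enable radius [mgmt-access|netlogin]"; no keyword is treated as both realms.
ENABLE_RE = re.compile(r"^enable radius(?: (mgmt-access|netlogin))?\s*$")
REALMS = ("mgmt-access", "netlogin")

# Constructed sample configs (documentation-range addresses, not from the thread).
SHARED_CONFIG = """\
configure radius 1 server 192.0.2.10 1812 client-ip 192.0.2.209 vr VR-Default
configure radius 2 server 192.0.2.11 1812 client-ip 192.0.2.209 vr VR-Default
enable radius
"""
MGMT_ONLY_CONFIG = """\
configure radius mgmt-access 1 server 192.0.2.10 1812 client-ip 192.0.2.209 vr VR-Default
configure radius mgmt-access 2 server 192.0.2.11 1812 client-ip 192.0.2.209 vr VR-Default
configure radius timeout 15
enable radius mgmt-access
enable radius netlogin
enable radius-accounting netlogin
"""


def audit_radius(config_text):
    """Map each realm to its enabled flag and the servers configured for it."""
    state = {r: {"enabled": False, "servers": []} for r in REALMS}
    for line in config_text.splitlines():
        line = line.strip()
        server = SERVER_RE.match(line)
        enable = ENABLE_RE.match(line)
        if server:
            realm, _index, host = server.groups()
            for r in ([realm] if realm else REALMS):
                state[r]["servers"].append(host)
        elif enable:
            for r in ([enable.group(1)] if enable.group(1) else REALMS):
                state[r]["enabled"] = True
    return state


def realms_without_server(config_text):
    """Realms that are enabled but have no RADIUS server defined."""
    state = audit_radius(config_text)
    return [r for r in REALMS if state[r]["enabled"] and not state[r]["servers"]]


if __name__ == "__main__":
    for name, cfg in (("shared", SHARED_CONFIG), ("mgmt-only", MGMT_ONLY_CONFIG)):
        print(name, realms_without_server(cfg) or "every enabled realm has a server")
```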