
How to Configure RADIUS Authentication on Cisco Viptela vEdge/cEdge devices

Today I am going to talk about RADIUS and TACACS+ authentication configuration on Cisco vEdge/cEdge devices. We will cover RADIUS authentication first and then TACACS+ authentication in our next article.

Configure RADIUS Authentication
For a RADIUS server we need its IP address and a password, or key. We can specify the key as a clear-text string up to 32 characters long or as an AES 128-bit encrypted key. The local device passes this key to the RADIUS server.

Fig 1.1- Cisco vManage Auth Console

The password must match the one used on the server. To configure more than one RADIUS server, include the server and secret-key commands for each server.

RADIUS Server Priority
We can also set the priority of a RADIUS server among multiple RADIUS servers. The priority can be a value from 0 through 7. A server with a lower priority number is given priority over one with a higher number.

RADIUS Server Ports
By default, the Cisco vEdge/cEdge device uses port 1812 for authentication connections to the RADIUS server and port 1813 for accounting connections. To change these port numbers, use the auth-port and acct-port commands. If the RADIUS server is reachable via a specific interface, configure that interface with the source-interface command.

Make sure you configure the server VPN number if the vEdge/cEdge is in a different VPN from the RADIUS server. If you configure multiple RADIUS servers, they must all be in the same VPN.

When a vEdge/cEdge device is trying to locate a RADIUS server, it goes through the list of servers three times. To change this, use the retransmit command, setting the number to a value from 1 to 1000.

When waiting for a reply from the RADIUS server, a Viptela device waits 3 seconds before retransmitting its request. To change this time interval, use the timeout command, setting a value from 1 to 1000 seconds.

On Cisco ISE, you need to put the corresponding policy in place for the RADIUS server.

Fig 1.2- Cisco ISE AUTH Profile

You can tag RADIUS servers so that a specific server or servers can be used for AAA, IEEE 802.1X, and IEEE 802.11i authentication and accounting. Define the tag here, with a string from 4 to 16 characters long. Then associate the tag with the radius-servers command when you configure AAA, and when you configure interfaces for 802.1X and 802.11i.
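As an added example that is not part of the original article, the Python helper below checks a planned set of RADIUS servers against the limits described above (key length, priority range, one shared VPN, retransmit and timeout ranges, tag length) and renders them with the preferred server first. The `system radius` hierarchy it prints is an assumption modelled on the commands named in this article, so compare it with your device before pasting.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RadiusServer:
    address: str                      # RADIUS server IP address
    secret_key: str                   # clear-text key, up to 32 characters
    priority: int = 0                 # 0-7, lower number is preferred
    vpn: int = 0                      # VPN in which the server is reachable
    auth_port: int = 1812             # authentication port (default 1812)
    acct_port: int = 1813             # accounting port (default 1813)
    source_interface: Optional[str] = None
    tag: Optional[str] = None         # 4-16 characters, used by radius-servers

def validate(servers: List[RadiusServer], retransmit: int = 3, timeout: int = 3) -> List[str]:
    """Return a list of problems; an empty list means the plan is acceptable."""
    problems = []
    if not servers:
        problems.append("at least one RADIUS server is required")
    for s in servers:
        if not 1 <= len(s.secret_key) <= 32:
            problems.append(f"{s.address}: secret-key must be 1-32 characters")
        if not 0 <= s.priority <= 7:
            problems.append(f"{s.address}: priority must be 0-7")
        for name, port in (("auth-port", s.auth_port), ("acct-port", s.acct_port)):
            if not 1 <= port <= 65535:
                problems.append(f"{s.address}: {name} must be 1-65535")
        if s.tag is not None and not 4 <= len(s.tag) <= 16:
            problems.append(f"{s.address}: tag must be 4-16 characters")
    if len({s.vpn for s in servers}) > 1:
        problems.append("all RADIUS servers must be in the same VPN")
    if not 1 <= retransmit <= 1000:
        problems.append("retransmit must be 1-1000")
    if not 1 <= timeout <= 1000:
        problems.append("timeout must be 1-1000 seconds")
    return problems

def render(servers: List[RadiusServer], retransmit: int = 3, timeout: int = 3) -> str:
    """Render the plan as an assumed vEdge-style 'system radius' hierarchy."""
    lines = ["system", " radius", f"  retransmit {retransmit}", f"  timeout {timeout}"]
    for s in sorted(servers, key=lambda s: s.priority):   # preferred server first
        lines += [f"  server {s.address}", f"   secret-key {s.secret_key}",
                  f"   priority {s.priority}", f"   vpn {s.vpn}",
                  f"   auth-port {s.auth_port}", f"   acct-port {s.acct_port}"]
        if s.source_interface:
            lines.append(f"   source-interface {s.source_interface}")
        if s.tag:
            lines.append(f"   tag {s.tag}")
    return "\n".join(lines)
```

Run `validate` before `render`: the same-VPN check in particular catches a second server added later in another VPN, which the device would otherwise reject.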