Server Groups; AAA Service Configuration Options; Configuring RADIUS - Cisco DS-C9216I-K9 Configuration Manual

Configuring RADIUS

Server Groups

You can specify remote AAA servers for authentication, authorization and accounting using server
groups. A server group consists of remote AAA servers implementing the same AAA protocol. The
purpose of a server group is to provide fail-over servers in case a remote AAA server fails to
respond. If the first remote server in the group fails to respond, the next remote server in the group is
tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond,
then that server group option is considered a failure. You can create a server group using the aaa group
server command.
If required, you can specify multiple server groups. If the MDS switch encounters errors from the
server(s) in the first group, it tries the servers in the next server group.

AAA Service Configuration Options

AAA configuration in Cisco MDS switches is service based. You can have separate AAA configurations
for the following services:
Telnet or SSH login—Choose Switches > Security > SSH.
iSCSI authentication—Choose End Devices > iSCSI > Global.
FC-SP authentication—Choose Switches > Security > FC-SP.
In general, server group, local, and none are the three options that can be specified for any service in an
AAA configuration. Each option will be tried in the order specified. If all the methods fail, local is tried.
Even if local is not specified as one of the options, it is tried when all other configured options fail.

Configuring RADIUS

Cisco MDS switches use the RADIUS protocol to communicate with remote AAA servers. You can
configure multiple RADIUS servers and set timeout and retry counts.
This section defines the RADIUS operation, identifies its network environments, and describes its
configuration possibilities.
This section contains the following topics:
About RADIUS
Configuring RADIUS Authentication
Configuring RADIUS Servers
Setting the RADIUS Server Address
Setting the RADIUS Preshared Key

RADIUS servers are easily reachable if an overlay Ethernet LAN is attached to the switch. This is
the recommended method.
SAN networks connected to the switch should have at least one gateway switch connected to the
Ethernet LAN containing the AAA servers. If you are using IP connectivity to reach an AAA server,
the SAN connects to the switch.

Cisco MDS 9000 Fabric Manager Switch Configuration Guide
Chapter 18
Configuring Switch Security
OL-7753-01
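
The failover order described under Server Groups and AAA Service Configuration Options can be modeled in a few lines. This is an added example, not code from the Cisco guide; the group and server names are constructed, the none option is left out, and treating a reject as a final response is an assumption drawn from the wording "until one of the servers sends a response".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Server:
    name: str
    reply: Optional[str]  # "accept", "reject", or None if the server never responds

def try_group(servers):
    """Try the servers of one group in order; the first response decides."""
    for server in servers:
        if server.reply is not None:
            return server.reply, server.name
    return None, None  # no server responded: this group option is a failure

def authenticate(methods, groups, local_ok):
    """Resolve one login against an ordered list of options.

    methods: server-group names and/or "local", in configured order.
    groups: group name -> ordered list of Server (constructed sample data).
    local_ok: True if the credentials match an account in the local database.
    Returns (granted, decided_by, trace).
    """
    trace = []
    for method in methods:
        if method == "local":
            trace.append("local")
            return local_ok, "local", trace
        reply, name = try_group(groups[method])
        trace.append(f"{method}: {name or 'no response'}")
        if reply is not None:
            # Assumption of this model: a reject is a response, so it is final.
            return reply == "accept", f"{method}/{name}", trace
    # All configured options failed: local is tried even though it is not listed.
    trace.append("local (implicit)")
    return local_ok, "local (implicit)", trace

if __name__ == "__main__":
    # Constructed scenario: every RADIUS server is unreachable.
    down = {"RadGroup1": [Server("rad-a", None), Server("rad-b", None)],
            "RadGroup2": [Server("rad-c", None)]}
    granted, by, trace = authenticate(["RadGroup1", "RadGroup2"], down, local_ok=True)
    print(granted, by, trace)
```

The unreachable-server scenario is the one to audit for: when no RADIUS server answers, the local account database decides the login whether or not local was configured.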
