I have recently been configuring Network Access Control with 802.1X, and I had been having issues using multiple RADIUS servers on Ruckus ICX switches. The main issue was needing two different servers for two different jobs:
RADIUS authentication of SSH logins to the switch, using the Microsoft NPS RADIUS server
RADIUS authentication of 802.1X or MAC-Auth clients, using the DOT1x RADIUS server
In Ruckus ICX switches there is no concept of AAA server groups as in Cisco, where you can direct specific kinds of RADIUS traffic to different RADIUS servers.
I have found two workarounds. I also called support and spent an hour troubleshooting with them, and they didn't have an answer for me.
Some Basic Setup Information
Microsoft NPS RADIUS Server : 18.104.22.168
DOT1x RADIUS Server : 22.214.171.124
Here are my AAA Authentication Commands:
SSH@tpw-sw1# sh run | inc authentication
aaa authentication web-server default radius local
aaa authentication enable default radius local
aaa authentication dot1x default radius
aaa authentication login default radius local
Here are my two workarounds:
SSH@tpw-sw1(config)# radius-server host 126.96.36.199 auth-port 1812 acct-port 1813 default key RADIUS1SECRET
SSH@tpw-sw1(config)# radius-server host 188.8.131.52 auth-port 1812 acct-port 1813 default key RADIUS2SECRET dot1x mac-auth
If the 184.108.40.206 RADIUS server is first in the list you cannot authenticate to the switch at all, not even with the super-user password. So the only way I have it working is with the DOT1x RADIUS server listed second, tagged for dot1x and mac-auth.
The other method I found is to apply a command at the interface level:
SSH@tpw-sw1# conf t
SSH@tpw-sw1(config)# int ethernet 1/1/1
SSH@tandy-lab-sw1(config-if-e1000-1/1/1)# use-radius-server 220.127.116.11
I hope that this helps, I spent a day trying to figure it out 🙂
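The ordering problem above is dangerous because the first server in the list decides whether you can still log in to the switch at all. Before reordering radius-server hosts, it is worth confirming from a management host that the login server actually returns Access-Accept for an admin account with the shared secret you intend to configure. The script below is an added example and is not from the original post or from Ruckus: a minimal RFC 2865 PAP client that builds one Access-Request, sends it to the server you name, and checks the Response Authenticator, so a wrong shared secret shows up as a distinct failure rather than as a generic "access denied". The NAS-IP-Address value 192.0.2.1 is a documentation placeholder; server, secret and credentials are taken from the command line.

```python
"""Minimal RFC 2865 PAP Access-Request client (added example, not the post's own code).
Checks that a RADIUS server accepts a management login with the configured shared
secret BEFORE you reorder radius-server hosts on the switch. Only PAP User-Password
is implemented; NAS-IP-Address 192.0.2.1 is a documentation placeholder."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple (minimum 16) and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    length = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(length, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, length, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One attribute TLV: Type (1 byte), Length (1 byte, includes this 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] for the attributes that follow the 20-byte header."""
    attrs, pos, end = [], 20, HEADER.unpack(packet[:4])[2]
    while pos + 2 <= end:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > end:
            break   # malformed attribute: stop rather than misparse the rest
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_access_request(identifier, secret, username, password, nas_ip="192.0.2.1", authenticator=None):
    """Access-Request carrying User-Name, PAP User-Password and NAS-IP-Address.
    The Request Authenticator must be fresh random bytes for every real request."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
    attrs += attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server-side framing of Access-Accept/Reject, used here to exercise verify_response offline."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    A mismatch means a wrong shared secret or a damaged/forged reply. Returns (ok, code)."""
    if len(response) < 20:
        return False, None
    code, _ident, length = HEADER.unpack(response[:4])
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), code


def radius_check(server, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request and classify the outcome for the operator."""
    identifier = os.urandom(1)[0]
    request, req_auth = build_access_request(identifier, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT (server unreachable, UDP/1812 filtered, or this host is not a registered client)"
    if response[1] != identifier:
        return "MISMATCHED IDENTIFIER (stray reply ignored)"
    ok, code = verify_response(response, req_auth, secret)
    if not ok:
        return "BAD RESPONSE AUTHENTICATOR (shared secret mismatch?)"
    return {ACCESS_ACCEPT: "ACCESS-ACCEPT", ACCESS_REJECT: "ACCESS-REJECT"}.get(code, f"CODE {code}")


if __name__ == "__main__":
    # usage: python radius_check.py <server> <shared-secret> <username> <password>
    print(radius_check(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
```

Run it once against the NPS server with the secret you plan to put in the radius-server host line and an admin account; only after it reports ACCESS-ACCEPT is it safe to change the order of the servers. An ACCESS-REJECT with a valid Response Authenticator means the secret is right and the problem is the policy on the server side, which is where the NPS event log becomes the next thing to read.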
2 Replies to “Ruckus : Using Multiple RADIUS Servers”
Can you explain the NPS RADIUS authentication and how you got that piece to work? We have been working on this for a while and it hits the NPS server, but we keep getting access denied statements.
What does Wireshark say? What is the exact error message? Are you using Ruckus switches? Do you have a copy of the show run?