While configuring a Brocade FastIron switch (ICX7250) for RADIUS-based management authentication, I did not pay attention to a subtle note in Brocade's configuration guide. Their documentation says:
"Brocade devices support authentication using up to eight RADIUS servers, including those used for 802.1X authentication and for management. The device tries to use the servers in the order you add them to the device configuration. If one RADIUS server times out (does not respond), the Brocade device tries the next one in the list. Servers are tried in the same sequence each time there is a request."
If you have multiple RADIUS servers used for remote management (SSH/Telnet/Console), the order in which they are configured/added is the order in which they are contacted. The issue appears when adding support for 802.1x/NAC on the switches, which needs to authenticate devices against RADIUS/EAP. If the same list of RADIUS servers is used for 802.1x/EAP, this is not an issue. If you use one set of RADIUS servers for remote management and a different set for 802.1x/NAC, a different approach is needed.
By default, once 802.1x is enabled globally, the RADIUS servers already configured on the device for management will also be contacted for 802.1x authentication. In my case, I use FreeRADIUS for remote management and Windows NPS for 802.1x/NAC authentication.
A workaround is to configure interface-specific RADIUS servers for 802.1x. Below is a sample configuration template.
# Enable 802.1x
authentication auth-order dot1x mac-auth
auth-default-vlan 10
dot1x enable
dot1x guest-vlan 20
critical-vlan 30
restricted-vlan 40
# enable 802.1x on the interfaces
dot1x enable ethernet 1/1/1 to 1/1/12
exit
# Global RADIUS Servers
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 default key radiuskey
radius-server host 10.1.1.11 auth-port 1812 acct-port 1813 default key radiuskey
# RADIUS Servers dedicated for 802.1x/NAC interfaces
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 default key radiuskey dot1x port-only
radius-server host 10.1.1.21 auth-port 1812 acct-port 1813 default key radiuskey dot1x port-only
# Enable RADIUS authentication for remote management
aaa authentication enable default radius local
aaa authentication login default radius local
# Enable 802.1x authentication via RADIUS
aaa authentication dot1x default radius
# 802.1x interface configuration
int ethernet 1/1/1 to 1/1/12
port-name # 802.1x port #
dot1x port-control auto
use-radius-server 10.1.1.20
use-radius-server 10.1.1.21
exit
In the above configuration, the first two RADIUS servers (10.1.1.10 and 10.1.1.11) will be contacted only for remote management authentication, while the last two RADIUS servers (10.1.1.20 and 10.1.1.21), marked dot1x port-only and bound to the interfaces with use-radius-server, can only be used for 802.1x interface authentication.
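To check that a running-config actually keeps the two server sets apart (every 802.1x port bound to a port-only server, none falling back to or pointing at a management server), here is an added audit script; it is not part of the post or of Brocade's tooling, and the embedded config is a constructed sample with hypothetical addresses, including one deliberately misconfigured port.

```python
import re

# Constructed sample running-config in the shape the post describes
# (hypothetical addresses; interface 1/1/13 is deliberately misconfigured).
SAMPLE_CONFIG = """\
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 default key radiuskey
radius-server host 10.1.1.11 auth-port 1812 acct-port 1813 default key radiuskey
radius-server host 10.1.1.20 auth-port 1812 acct-port 1813 default key radiuskey dot1x port-only
radius-server host 10.1.1.21 auth-port 1812 acct-port 1813 default key radiuskey dot1x port-only
interface ethernet 1/1/1 to 1/1/12
 dot1x port-control auto
 use-radius-server 10.1.1.20
 use-radius-server 10.1.1.21
interface ethernet 1/1/13
 dot1x port-control auto
 use-radius-server 10.1.1.10
"""
HOST_RE = re.compile(r"^radius-server host (\S+)(.*)$")
IFACE_RE = re.compile(r"^(?:int|interface) ethernet (.+)$")


def audit_radius_split(config: str) -> dict:
    """Report 802.1x ports that would use the management RADIUS servers."""
    servers = {"mgmt": [], "dot1x": []}   # lists keep config order = contact order
    ifaces, dot1x_ports, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            host, rest = m.groups()
            servers["dot1x" if "dot1x port-only" in rest else "mgmt"].append(host)
        elif m := IFACE_RE.match(line):
            current = m.group(1)
            ifaces.setdefault(current, [])
        elif not raw.startswith(" ") or line == "exit":
            current = None                 # left the interface stanza
        elif current and line.startswith("use-radius-server "):
            ifaces[current].append(line.split()[1])
        elif current and line == "dot1x port-control auto":
            dot1x_ports.add(current)
    findings = []
    for port in sorted(dot1x_ports):
        if not ifaces[port]:               # no per-port servers: global list is used
            findings.append(f"{port}: 802.1x falls back to management servers {servers['mgmt']}")
        for s in ifaces[port]:
            if s in servers["mgmt"]:
                findings.append(f"{port}: use-radius-server {s} is a management server")
            elif s not in servers["dot1x"]:
                findings.append(f"{port}: use-radius-server {s} is not a configured host")
    return {**servers, "findings": findings}
```

Feed it the output of `show running-config` and an empty findings list means every 802.1x port is pinned to a port-only server.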
Let me know if this helps.