Configuring RADIUS Server Groups 525
To create a server group, you must first configure the RADIUS servers
with their addresses and any optional parameters. After configuring
RADIUS servers, type the following command:
set server group group-name members server-name1 [server-name2] [server-name3] [server-name4]
For example, to create a server group called shorebirds with the RADIUS
servers heron, egret, and sandpiper, type the following commands:
WX1200# set radius server egret address 192.168.253.1 key apple
WX1200# set radius server heron address 192.168.253.2 key pear
WX1200# set radius server sandpiper address 192.168.253.3 key plum
WX1200# set server group shorebirds members egret heron sandpiper
In this example, a request to shorebirds results in the RADIUS servers
being contacted in the order that they are listed in the server group
configuration, first egret, then heron, then sandpiper. You can change
the RADIUS servers in server groups at any time. (See “Adding Members
to a Server Group” on page 527.)
Any RADIUS servers that do not respond are marked dead (unavailable)
for a period of time. The unresponsive server is skipped over, as though it
did not exist, during its dead time. Once the dead time elapses, the server
is again a candidate for receiving requests. To change the default
dead-time timer, use the set radius or set radius server command.
Ordering Server Groups
You can configure up to four methods for authentication, authorization,
and accounting (AAA). AAA methods can be the local database on the
WX switch and/or one or more RADIUS server groups. You set the order
in which the WX switch attempts the AAA methods by the order in which
you enter the methods in CLI commands.
In most cases, if the first method results in a pass or fail, the evaluation is
final. If the first method does not respond or results in an error, the WX
switch tries the second method and so on.
However, if the local database is the first method in the list, followed by a
RADIUS server group, the WX switch responds to a failed search of the
database by sending a request to the following RADIUS server group. This
exception is called local override.
For more information, see “AAA Methods for IEEE 802.1X and Web
Network Access” on page 442.
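The following Python model is an added illustration, not code from the WX switch software or this manual. It walks the shorebirds group with dead-time skipping and an ordered AAA method list with local override. The 300-second dead time, the local user set, and the server replies are constructed assumptions, and a local database "search" is modeled as a simple username lookup.

```python
# Added model of the behaviour described above; dead time and users are constructed.
PASS, FAIL, NO_RESPONSE, LOCAL = "pass", "fail", "no-response", "local"

class ServerGroup:
    def __init__(self, name, members, dead_time):
        self.name, self.members, self.dead_time = name, list(members), dead_time
        self.dead_until = {}  # server name -> time at which it may be tried again

    def request(self, user, now, reply):
        """Try members in configured order; reply() stands in for the RADIUS exchange."""
        for server in self.members:
            if now < self.dead_until.get(server, 0):
                continue  # in dead time: skipped as though it did not exist
            result = reply(server, user)
            if result != NO_RESPONSE:
                return result, server
            self.dead_until[server] = now + self.dead_time  # mark dead
        return NO_RESPONSE, None

def evaluate(methods, user, now, local_db, reply):
    """Walk an ordered AAA method list; return (result, deciding server or method)."""
    for i, method in enumerate(methods):
        if method == LOCAL:
            result, where = (PASS if user in local_db else FAIL), LOCAL
            # Local override: local is first, the search fails, a server group follows.
            if i == 0 and result == FAIL and len(methods) > 1 and methods[1] != LOCAL:
                continue
        else:
            result, where = method.request(user, now, reply)
        if result in (PASS, FAIL):
            return result, where  # a pass or fail is final
    return NO_RESPONSE, None

def demo():
    """Constructed scenario: egret is down, the other servers accept only 'alice'."""
    contacted = []
    def reply(server, user):
        contacted.append(server)
        if server == "egret":
            return NO_RESPONSE
        return PASS if user == "alice" else FAIL
    group = ServerGroup("shorebirds", ["egret", "heron", "sandpiper"], dead_time=300)
    return {
        "radius_first": evaluate([group, LOCAL], "bob", 0, {"bob"}, reply),
        "local_first": evaluate([LOCAL, group], "bob", 100, {"bob"}, reply),
        "override": evaluate([LOCAL, group], "alice", 100, {"bob"}, reply),
        "contacted": contacted,
    }
```

In the model, the same user bob is rejected when the server group is listed first and accepted when local is listed first, so method order decides which credential store is authoritative.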