Solved

How to configure two NPS servers for redundancy on a Cisco switch with 802.1x

Posted on 2013-05-24
571 Views
Last Modified: 2013-09-18
Hi,

We are configuring 802.1X for some of our switches. We are going to use dynamic VLAN assignments through a Microsoft NPS RADIUS server.

For redundancy we would like to configure all the switches with 2 Microsoft NPS servers in case one of the 2 goes down or is being patched.

That being said, can someone help us out to understand how could we get that configured?
0
10 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39195488
If you're just asking how the redundancy works:
You just need to have both NPS servers configured the same, and on the switches you define two RADIUS server hosts. When you make the AAA commands that reference RADIUS or a server group, as long as both servers are configured as RADIUS or are both part of the server group, you will be able to deal with failures/patching/reboots/etc.

Or do you need the entire config to deal with the dynamic VLAN and redundancy for 802.1x?
0
 

Author Comment

by:llarava
ID: 39196023
All the switches will be configured with 802.1x; the goal is to do dynamic VLAN assignment with NPS servers. So basically we would like to have all the switches work with 2 NPS servers in case of failure or patches. Can we just configure the switch to use both NPS servers? If so, how do we do it?
0
 
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 39199041
You can usually define multiple servers to which RADIUS authentication/authorization/accounting packets can be sent.

Rauenpc pointed it out. Are you looking for a specific directive example?

http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/
0
 

Author Comment

by:llarava
ID: 39199379
I would like to know how I configure the switch to be able to work with both NPS servers in case one goes down or we have to patch it.
0
 

Author Comment

by:llarava
ID: 39199387
The goal is to configure 802.1x with dynamic VLAN assignments for wired and wireless for Windows 7 supplicants.
0
 
LVL 79

Expert Comment

by:arnold
ID: 39199398
You define two or more tacacs-servers. The order of the listing will be the order of attempts; should one not respond, it will be labeled as dead, and the requests will be sent to the other.
There is a configuration setting that deals with how long a server labeled as dead will not be rechecked. After that time has passed, it will be added back into the pool.

Note, an erroneous response will not get a RADIUS service labeled as dead; a RADIUS server is only labeled as dead when there is no response.

Which switch do you have? Does the switch lack the option to define multiple servers?
0
 
LVL 79

Expert Comment

by:arnold
ID: 39199408
The only requirements to have a switch work with an NPS are:
1) the switch must be a client of the NPS
2) they must reference the same secret.

As far as functionality, the NPS policy must be configured to properly respond to the request, including the reply items that will set the VLAN, etc. on the switch.
0
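As an added illustration of what the comments above describe (two RADIUS hosts, a server group, dead-server handling and the AAA lines that apply the VLAN returned by NPS), here is a Cisco IOS switch configuration. It is example code written for this page, not from the thread, the linked packetlife post, or Cisco; the addresses 10.0.0.11 and 10.0.0.12, the secret SECRET, the group name NPS-GROUP and the interface are placeholders to replace with your own values.

```cisco
! Added example for this thread (not from the question, the answers or the linked post).
! Placeholders: 10.0.0.11 / 10.0.0.12 = the two NPS servers, SECRET = shared secret
! (the same secret entered for this switch as a RADIUS client on both NPS servers).
aaa new-model
!
! Both NPS servers. The order listed is the order the switch tries them.
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 key SECRET
radius-server host 10.0.0.12 auth-port 1812 acct-port 1813 key SECRET
!
! Per-request behaviour: wait 5 s for a reply and resend 3 times before giving
! up on that server. Only a missing reply counts toward marking a server dead;
! an Access-Reject is a valid reply and does not.
radius-server timeout 5
radius-server retransmit 3
radius-server dead-criteria time 5 tries 3
!
! Group both servers. A server marked dead is skipped for 'deadtime' minutes,
! then put back into the pool and tried again (the recheck interval arnold mentions).
aaa group server radius NPS-GROUP
 server 10.0.0.11 auth-port 1812 acct-port 1813
 server 10.0.0.12 auth-port 1812 acct-port 1813
 deadtime 10
!
! 802.1X authentication against the group, plus the network authorization step
! that lets the switch apply the VLAN from the NPS reply attributes
! (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<VLAN id or name>).
aaa authentication dot1x default group NPS-GROUP
aaa authorization network default group NPS-GROUP
aaa accounting dot1x default start-stop group NPS-GROUP
dot1x system-auth-control
!
! One access port with 802.1X enabled (placeholder interface).
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

On older IOS trains the port command is "dot1x port-control auto" instead of "authentication port-control auto", and on IOS 15.x the "radius-server host" lines can be written in the newer "radius server <name>" form with "server name <name>" entries in the group; the behaviour is the same. To check the failover state after stopping one NPS for patching, "show aaa servers" lists each server with its current UP/DEAD state and the remaining dead time, so you can confirm requests are going to the surviving server before touching the second one.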
 

Author Closing Comment

by:llarava
ID: 39503442
-
0
