RADIUS

RADIUS server configuration, attribute-value pairs, and CoA for network access control.

RADIUS Server Definition

Define a RADIUS server with explicit ports — IOS-XE syntax
Switch(config)# radius server ise-01
Switch(config-radius-server)# address ipv4 10.50.1.20 auth-port 1812 acct-port 1813
Switch(config-radius-server)# key 0 <SHARED-SECRET>
Switch(config-radius-server)# timeout 5
Switch(config-radius-server)# retransmit 3
Auth port 1812 and acct port 1813 are the IETF standard. Legacy Cisco devices may default to 1645/1646. ISE listens on both, but be explicit.

Server Groups

Group multiple RADIUS servers for redundancy
Switch(config)# aaa group server radius ISE-SERVERS
Switch(config-sg-radius)# server name ise-01
Switch(config-sg-radius)# server name ise-02
Switch(config-sg-radius)# deadtime 15

Dead Server Detection

Configure dead-criteria — mark server dead after 5 seconds without a response and 3 unanswered attempts (both criteria must be met)
Switch(config)# radius-server dead-criteria time 5 tries 3
Switch(config)# radius-server deadtime 15

deadtime keeps a dead server out of rotation for 15 minutes before retesting. Without this, every new auth attempt retries the dead server, adding latency to every session.

Testing RADIUS Connectivity

test aaa — verify the NAD can reach ISE and authenticate
Switch# test aaa group ISE-SERVERS testuser testpass new-code

Expected output when working:

User successfully authenticated

USER ATTRIBUTES

username             0   "testuser"

If you see User rejected — credentials are wrong but connectivity works. If you see no response or timeout — check shared secret, ACLs, and ISE node status.

Change of Authorization (CoA)

Enable CoA on the NAD — ISE sends CoA to port 1700 (Cisco) or 3799 (RFC)
Switch(config)# aaa server radius dynamic-author
Switch(config-locsvr-da-radius)# client 10.50.1.20 server-key <SHARED-SECRET>
Switch(config-locsvr-da-radius)# port 1700

CoA is how ISE pushes posture changes, VLAN reassignment, and session termination to the switch mid-session without the endpoint re-authenticating. Port 1700 is Cisco default; 3799 is RFC 5176.

Verify CoA statistics
Switch# show aaa server radius dynamic-author
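The "no response or timeout" case under test aaa and CoA both hinge on the shared secret through the packet authenticator: RFC 2865 requires the NAD to silently discard an Access-Accept whose Response Authenticator does not verify, and RFC 5176 applies the same construction (computed over 16 zero octets instead of a Request Authenticator) to a CoA-Request, so a wrong key or server-key looks like a timeout rather than an error. The following Python is an added example, not code from the original page, Cisco or ISE; it builds and verifies both packet types, and the secret, identifiers and attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2      # RFC 2865 packet code
COA_REQUEST = 43       # RFC 5176 packet code
ZERO16 = bytes(16)     # auth_base for CoA-Request / Disconnect-Request


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute-value pair as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def authenticator(code: int, ident: int, attrs: bytes, auth_base: bytes, secret: bytes) -> bytes:
    """MD5(Code | Identifier | Length | auth_base | Attributes | Secret).

    Access-Accept/Reject (RFC 2865 s.3): auth_base is the Request Authenticator
    the NAD placed in its own Access-Request.
    CoA-Request / Disconnect-Request (RFC 5176 s.2.3): auth_base is 16 zero octets.
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + auth_base + attrs + secret).digest()


def build_packet(code: int, ident: int, attrs: bytes, auth_base: bytes, secret: bytes) -> bytes:
    """Assemble a wire-format packet with a valid authenticator (server side)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + authenticator(code, ident, attrs, auth_base, secret) + attrs


def verify(packet: bytes, secret: bytes, request_auth: bytes = ZERO16) -> bool:
    """NAD-side check. Returns False for anything the NAD would silently discard."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo() -> dict:
    """Show the two outcomes a mismatched secret produces on the NAD."""
    secret = b"correct-secret"                      # constructed, not a real key
    request_auth = os.urandom(16)                   # what the NAD sent in its Access-Request
    accept = build_packet(ACCESS_ACCEPT, 7, avp(25, b"CACS:constructed-session"), request_auth, secret)
    # A CoA-Request identifying the session by Acct-Session-Id (44); value constructed.
    coa = build_packet(COA_REQUEST, 8, avp(44, b"0A3201140000002A"), ZERO16, secret)
    return {
        "accept_ok": verify(accept, secret, request_auth),
        "accept_wrong_secret": verify(accept, b"wrong-secret", request_auth),
        "coa_ok": verify(coa, secret),
        "coa_wrong_secret": verify(coa, b"wrong-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that a rejected authenticator produces no reply at all: the NAD does not NAK the packet, which is why a secret mismatch is indistinguishable from a dead server until you check show aaa servers counters or a packet capture on the ISE side.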

RADIUS Attributes for VLAN Assignment

ISE pushes VLAN via three RADIUS attributes in the Access-Accept. All three are required:

Attribute                      Value             Purpose
Tunnel-Type (64)               VLAN (13)         Specifies tunnel type
Tunnel-Medium-Type (65)        802 (6)           Specifies IEEE 802
Tunnel-Private-Group-ID (81)   VLAN name or ID   The actual VLAN to assign

These are configured in the ISE Authorization Profile, not on the switch. The switch must have aaa authorization network default group radius to honor them.
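The "all three are required" rule is easy to break in an Authorization Profile and hard to see from the switch, which simply keeps the port's static VLAN. The following Python is an added example, not code from the original page or from Cisco/ISE; it parses the attribute section of an Access-Accept, groups the three tunnel attributes by their RFC 2868 tag byte (a leading octet in 0x00-0x1F), and reports exactly which part of the trio is missing or inconsistent. It goes slightly beyond the table in that it also accepts the untagged form. Sample attribute bytes are constructed inline.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value for IEEE 802
NAMES = {64: "Tunnel-Type (64)", 65: "Tunnel-Medium-Type (65)", 81: "Tunnel-Private-Group-ID (81)"}


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute-value pair as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1 tag octet followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tunnel_str(tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: 1 tag octet followed by the string."""
    return bytes([tag]) + text.encode("ascii")


def build_vlan_accept(vlan: str, tag: int = 1) -> bytes:
    """Attribute section of a correct VLAN-assigning Access-Accept (constructed)."""
    return (avp(1, b"testuser")                                   # User-Name
            + avp(TUNNEL_TYPE, tunnel_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tunnel_int(tag, TUNNEL_MEDIUM_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tunnel_str(tag, vlan)))


def parse_avps(attrs: bytes) -> list:
    """Split the attribute section into (type, value) pairs; reject malformed lengths."""
    pairs, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated AVP header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        pairs.append((attr_type, attrs[i + 2:i + length]))
        i += length
    return pairs


def split_tag(value: bytes) -> tuple:
    """A leading octet in 0x00-0x1F is a tag; otherwise the value is untagged (tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(attrs: bytes) -> tuple:
    """Return (vlan, "ok") or (None, reason) the way a strict NAD would evaluate the trio."""
    groups = {}
    for attr_type, value in parse_avps(attrs):
        if attr_type in NAMES:
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    if not groups:
        return None, "no tunnel attributes present; switch keeps the port's static VLAN"
    problems = []
    for tag, group in groups.items():
        missing = [NAMES[t] for t in (64, 65, 81) if t not in group]
        if missing:
            problems.append(f"tag {tag}: missing {', '.join(missing)}")
            continue
        ttype = int.from_bytes(group[TUNNEL_TYPE], "big")
        medium = int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big")
        if ttype != TUNNEL_TYPE_VLAN:
            problems.append(f"tag {tag}: Tunnel-Type {ttype} is not VLAN (13)")
            continue
        if medium != TUNNEL_MEDIUM_802:
            problems.append(f"tag {tag}: Tunnel-Medium-Type {medium} is not 802 (6)")
            continue
        return group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace"), "ok"
    return None, "; ".join(problems)


if __name__ == "__main__":
    print(vlan_from_accept(build_vlan_accept("30")))
    broken = avp(TUNNEL_TYPE, tunnel_int(1, 13)) + avp(TUNNEL_PRIVATE_GROUP_ID, tunnel_str(1, "30"))
    print(vlan_from_accept(broken))
```

The same check is useful on a packet capture taken between the switch and ISE: if vlan_from_accept returns a reason rather than a VLAN, the fix belongs in the Authorization Profile, not in the switch configuration.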

Debugging RADIUS

Debug RADIUS authentication — see Access-Request/Accept/Reject in real time
Switch# debug radius authentication
Switch# debug radius accounting
Structured debug — less noise, shows attribute exchange
Switch# debug aaa authentication
Switch# debug aaa authorization
debug radius on a production switch with hundreds of endpoints generates massive output. Use terminal monitor on VTY, reproduce the issue with one endpoint, then undebug all immediately.

RADIUS Source Interface

Force RADIUS packets to originate from the management interface
Switch(config)# ip radius source-interface Loopback0

Without this, the switch may source RADIUS from whichever interface is closest to the server in the routing table. If ISE is configured to accept packets only from a specific IP (the NAD definition), mismatched source IP causes silent drops.

Verification Commands

Show all configured RADIUS servers and their status
Switch# show radius server-group all
Switch# show aaa servers
Show active authenticated sessions with RADIUS attributes
Switch# show authentication sessions
Switch# show authentication sessions interface Gi1/0/5 details

Expected detail output includes: method (dot1x/mab), domain, status, VLAN, and any dACL applied.