RADIUS Server Group Options

Navigation Path

Objects > Object Management > AAA Server > RADIUS Server Group. Choose and edit a configured RADIUS Server Group object or add a new one.

Fields

  • Name and Description—Enter a name and optionally, a description to identify this RADIUS Server Group object.

  • Group Accounting Mode—The method for sending accounting messages to the RADIUS servers in the group. Choose Single, accounting messages are sent to a single server in the group, this is the default. Or, Multiple, accounting messages are sent to all servers in the group simultaneously.

  • Retry Interval—The interval between attempts to contact the RADIUS servers. Values range from 1 to 10 seconds.

  • Realms(Optional)—Specify or select the Active Directory (AD) realm this RADIUS server group is associated with. This realm is then selected in identity policies to access the associated RADIUS server group when determining the VPN authentication identity source for a traffic flow. This realm effectively provides a bridge from the identity policy to this Radius server group. If no realm is associated with this RADIUS server group, the RADIUS server group cannot be reached to determine the VPN authentication identity source for a traffic flow in an identity policy.

    Note

    This field is mandatory if you use remote access VPN with User Identity and RADIUS as the identity source.

  • Enable authorize only—If this RADIUS server group is not being used for authentication, but is being used for authorization or accounting, check this field to enable authorize-only mode for the RADIUS server group.

    Authorize only mode eliminates the need of including the RADIUS server password in the Access-Request. Thus, the password, configured for the individual RADIUS servers, is ignored.

  • Enable interim account update and Interval—Enables the generation of RADIUS interim-accounting-update messages in order to inform the RADIUS server of newly assigned IP addresses. Set the length, in hours, of the interval between periodic accounting updates in the Interval field. The valid range is 1 to 120 and the default value is 24.

  • Enable Dynamic Authorization and Port— Enables the RADIUS dynamic authorization or change of authorization (CoA) services for this RADIUS server group. Specify the listening port for RADIUS CoA requests in the Port field. The valid range is 1024 to 65535 and the default value is 1700. Once defined, the corresponding RADIUS server group will be registered for CoA notification and it listens to the port for the CoA policy updates from the Cisco Identity Services Engine (ISE).

  • Merge Downloadable ACL with Cisco AV Pair ACL—Enables merging a downloadable access control list (dACL) with a Cisco attribute-value (AV) pair ACL.

    A downloadable ACL defines and updates access control lists in CiscoISE and allows ACL download to all the applicable controllers. For more information about using dACLs in Cisco ISE, see the chapter on Segmentation, section on authorization policies, in the Cisco ISE Administrator Guide.

    A Cisco AV pair ACL can be utilized to define specific authentication, authorization, and accounting elements for each individual session. For more information about using dACLs in Cisco ISE, see the chapter on Segmentation, section on authorization profile settings, in the Cisco ISE Administrator Guide.

    If you select Merge Downloadable ACL with Cisco AV Pair ACL, you can choose the following options:

    • After Cisco AV Pair ACL means the downloadable ACL entries should be placed after the Cisco AV pair entries.

    • Before Cisco AV Pair ACL means the downloadable ACL entries should be placed before the Cisco AV pair entries.

  • RADIUS Servers—See RADIUS Server Options.