Create a RADIUS Server Group

A RADIUS server group contains one or more RADIUS server objects. The servers within a group must be copies of each other. These servers form a chain of backup servers, so that if the first server is unavailable, the system can try the next server in the list.

Use the following procedure to create an object group:

Procedure

Step 1

In the CDO navigation bar on the left, click Objects > FDM Objects.

Step 2

Click , then click FTD > Identity Source.

Step 3

Enter an Object name for the object.

Step 4

Select the Device Type as FTD.

Step 5

Select RADIUS Server Group as the Identity Source Type. Click Continue.

Step 6

Edit the Identity Source configuration with the following properties:

  • Dead Time - Failed servers are reactivated only after all servers have failed. The dead time is how long to wait after the last server fails before reactivating all servers.

  • Maximum Failed Attempts - The number of failed requests (that is, requests that do not get a response) sent to a RADIUS server in the group before trying the next server. When the maximum number of failed attempts is exceeded, the system marks the server as Failed. For a given feature, if you configured a fallback method using the local database, and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for the duration of the dead time, so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately.

  • Dynamic Authorization/Port (Optional) - If you enable RADIUS dynamic authorization or change of authorization (CoA) services for this RADIUS server group, the group will be registered for CoA notification and listen on the specified port for CoA policy updates from Cisco Identity Services Engine (ISE). Enable dynamic authorization only if you are using this server group in a remote access VPN in conjunction with ISE.

Step 7

Select an AD realm that supported the RADIUS server from the drop-down menu. If you have not already created an AD realm, click Create from inside the drop-down menu.

Step 8

Click the Add button to add existing RADIUS server objects. Optionally, you can create a new RADIUS server object from this window is necessary.

Note

Add these objects in priority, as the first server in the list is used until it is unresponsive. FDM-managed device then defaults to the next server in the list.

Step 9

Review and deploy now the changes you made, or wait and deploy multiple changes at once.