How to Verify RADIUS Configuration
This Help topic describes how to use the NAC Manager Verify RADIUS Configuration feature. The feature is available for NAC Gateway appliances and Layer 2 NAC Controllers, and can be used to alert you to any RADIUS configurations that are out of sync and could cause RADIUS authentication problems on the network.
Switch RADIUS configurations can be modified independently of NAC; for example, they can be manually edited through the CLI, changed through Policy Manager, or overwritten by applying a switch configuration that was archived before the device was added to NAC. This can cause an authentication failure or a loss of visibility to the devices on the network. The Verify RADIUS Configuration tool can help you troubleshoot this problem.
For NAC Gateway appliances, the Verify RADIUS Configuration feature verifies the NAC Gateway's RADIUS configuration for each switch assigned to that appliance against the actual RADIUS configuration on the switch. The Verify feature compares the IP addresses and order of the primary and secondary gateways assigned to the switches, and the management RADIUS servers that are configured, if any. The feature also reports if SNMP connectivity cannot be established with the switch, or if RADIUS is disabled on the switch.
NOTE: The Verify feature will ignore any RADIUS servers on the switch that do not exist in the appliance RADIUS configuration. For example, if there are two management RADIUS servers configured on the switch, but only one is configured on the appliance, the Verify operation will ignore the extra server configured on the switch.
For Layer 2 NAC Controllers, the Verify RADIUS Configuration feature verifies that the NAC Controller Engine IP address and the redundant NAC Controller Engine IP address (if any) are configured as the RADIUS servers for the NAC Controller PEP. The Verify feature compares the IP addresses and order of the NAC Controller Engines assigned to the PEP. The feature also reports if SNMP connectivity cannot be established with the PEP, or if RADIUS is disabled on the PEP. If the Controller is in Hybrid Mode, the feature will verify both the PEP and the switches (if any).
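The comparison rules described above for both NAC Gateways and Layer 2 NAC Controllers can be modeled in a few lines. This is an added example, not NAC Manager code: the `DeviceRadiusState` structure, the `verify_radius` function, the problem strings, and the sample addresses are all assumptions made for illustration, and it assumes the order check covers only servers present on both sides.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List

@dataclass
class DeviceRadiusState:
    """RADIUS state as read from a switch or PEP (hypothetical structure)."""
    snmp_reachable: bool
    radius_enabled: bool
    servers: List[str]  # RADIUS server IPs in the order configured on the device

def verify_radius(expected: List[str], device: DeviceRadiusState) -> List[str]:
    """Compare the appliance's expected server order against the device.

    Returns a list of problem strings; an empty list means verification passed.
    """
    if not device.snmp_reachable:
        return ["SNMP connectivity could not be established"]
    if not device.radius_enabled:
        return ["RADIUS is disabled"]

    want = [ip_address(s) for s in expected]
    # Servers on the device that the appliance does not define are ignored.
    have = [ip for ip in map(ip_address, device.servers) if ip in want]

    problems = [f"expected server {ip} is not configured" for ip in want if ip not in have]
    # Order check covers only the servers present on both sides.
    if have != [ip for ip in want if ip in have]:
        problems.append("RADIUS server order differs: expected "
                        + ", ".join(map(str, want)) + "; found " + ", ".join(map(str, have)))
    return problems

# Constructed sample data (documentation address ranges, not from the page).
EXPECTED = ["192.0.2.10", "192.0.2.11"]  # primary, secondary gateway
SAMPLES = {
    "in-sync": DeviceRadiusState(True, True, ["192.0.2.10", "192.0.2.11"]),
    "extra-server": DeviceRadiusState(True, True, ["192.0.2.10", "192.0.2.11", "198.51.100.5"]),
    "swapped": DeviceRadiusState(True, True, ["192.0.2.11", "192.0.2.10"]),
    "missing-secondary": DeviceRadiusState(True, True, ["192.0.2.10"]),
    "radius-off": DeviceRadiusState(True, False, []),
    "no-snmp": DeviceRadiusState(False, False, []),
}

def run_samples():
    """Run the check over every constructed sample and return the findings."""
    return {name: verify_radius(EXPECTED, state) for name, state in SAMPLES.items()}

if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(name, "PASS" if not problems else problems)
```

The "extra-server" sample passes because the unknown server on the device is ignored, which is also why a passing Verify does not mean the device has no other RADIUS servers configured.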
Use the following steps to perform a Verify RADIUS Configuration operation:
- For NAC Gateways: To verify all the switches assigned to an appliance, right-click on a single appliance in the right-panel NAC Appliances tab and select Verify RADIUS Configuration from the menu. To verify select switches assigned to an appliance, right-click on one or more switches in the Switches tab for a single appliance, and select Verify RADIUS Configuration from the menu. A confirmation window opens; click Yes to continue with the Verify.
  For Layer 2 NAC Controllers: Right-click on a single controller in the right-panel NAC Appliances tab and select Verify RADIUS Configuration from the menu. A confirmation window opens; click Yes to continue with the Verify.
  NOTE: While the Verify is running, you have the option to stop it, and then restart the Verify when you are ready.
- The Verify RADIUS Configuration window opens, displaying the switches or PEP that failed verification or couldn't be contacted. The information in the Details section displays any problems reported by the Verify operation.
  NOTE: For switches that support encrypted MIBs, only a minimal RADIUS configuration verification can be performed providing general information, such as "RADIUS Servers inconsistent."
  You can use the radio buttons in the lower right corner of the window to select "Show All" to show all the switches/PEP that the Verify was performed against including those that passed verification.
- To sync up the appliance RADIUS Configuration, perform an enforce from NAC Manager to the NAC appliance with the Advanced option "Force Reconfiguration for All Switches" selected.
When enforcing to NAC Gateway appliances, the NAC Configuration is first written to the NAC Gateways and then the NAC Gateways will write the RADIUS configuration information to the switches. With NAC Controllers, the NAC Configuration is first written to the NAC Controller Engine and then the RADIUS configuration information is written to the NAC Controller PEP.