Information About Authentication and Authorization Between Multiple RADIUS Servers
Cisco Catalyst 9800 Series Wireless Controller uses the approach of request and response transaction with a single RADIUS server that combines both authentication and authorization. You can split the authentication and authorization on the controller between multiple RADIUS servers.
A RADIUS sever can assume the role of either an authentication server, authorization server, or both. In cases where there are disparate RADIUS servers for authentication and authorization, the Session Aware Networking (SANet) component on the controller now allows authentication on one server and authorization on another when a client joins the controller .
Authentication can be done using the Cisco ISE, Cisco DNAC, Free RADIUS, or any third-party RADIUS Server. After successful authentication from an authentication server, the controller relays attributes received from the authentication server to another RADIUS sever designated as authorization server.
The authorization server then performs the following:
Processes received attributes with the other policies or rules defined on the server.
Derives attributes as part of the authorization response and returns it to the controller .
In a split authentication and authorization configuration, both servers must be available and must successfully authenticate and authorize with an ACCESS-ACCEPT for a session to be accepted by the controller .
A maximum of 100 entries is supported in the Authentication/Authorization list created through Cisco DNA Center provisioning. The entries beyond 100 do not work even though they can be created.