topic wired 802.1x and radius-server configuration in Network Access Control

wired 802.1x and radius-server configuration

david.tran — Mon, 11 Mar 2019 03:21:32 GMT

I have ISE configured for wired 802.1x and I am trying to understand the purpose of this command on the catalyst 6509 switch:

radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1

what is the purpose of the account cciesec and idle-time 1? Does it mean that the the switch will attempt to connect to the radius server 10.7.12.28 every 1 minute to see if the radius server is still alive? If so, how does it do it without the password specified?

thanks in advance

wired 802.1x and radius-server configuration

askhuran — Mon, 29 Apr 2013 21:33:20 GMT

Hello David,

The test username username option enables automated testing of the RADIUS server connection, for monitoring purposes. The specified username does not need to be a valid user name. Even if authentication fails, the response received form Radius confirms that it is up and running. Though default username is test and password is test

Regards,

wired 802.1x and radius-server configuration

david.tran — Mon, 29 Apr 2013 21:58:34 GMT

Ok... can you give the exact syntax so that I can test it on my catalyst 6509?

Thanks,

wired 802.1x and radius-server configuration

edwjames — Mon, 29 Apr 2013 22:09:07 GMT

David,

radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number] [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time seconds]

no radius-server host {hostname | ip-address}

Eg:

radius-server host 192.0.2.176 test username test1 auth-port 1645 acct-port 1646

Rate if useful

wired 802.1x and radius-server configuration

david.tran — Mon, 29 Apr 2013 22:24:52 GMT

Here is my delima:

without the "test username cciesec idle-time 1" added, my 802.1x wired machine can get on the network just fine without any issues with ISE authentication.

radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1

radius-server host 10.7.12.29 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1

now my 802.1x machine can NOT authenticate with ISE and I can NOT log into the network.

btw, my 6509 is running version 12.2(33)XI10 with sup 720.

Anyone knows why?

wired 802.1x and radius-server configuration

askhuran — Mon, 29 Apr 2013 23:13:37 GMT

for the 6509 Switch review the following for the commands:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/webauth.html#wp1070653

Hope this helps

wired 802.1x and radius-server configuration

david.tran — Tue, 30 Apr 2013 00:12:09 GMT

I already reviewed the configuration and my configuration looks good.

Btw, I opened a TAC case with Cisco and after 30 minutes on the call, the TAC engineer has NO answer either. He confirmed that my configuration looks good.

He will try to replicate it in the lab and get back to me.

I am beginning to have doubt about the ISE product, NOT in a very positive way

wired 802.1x and radius-server configuration

askhuran — Tue, 30 Apr 2013 00:42:19 GMT

Hello David,

I dont think that an engineer like you with a great caliber should ever give up. What I had noticed in the link I provided:

6509 uses dead-criteria for radius monitoring. So use it without

without the "test username cciesec idle-time 1"

as you had been doing. And with the following:

radius-server dead-criteria tries num-tries

I hope you may have already thoroughly reviewed the radius debug output

wired 802.1x and radius-server configuration

david.tran — Tue, 30 Apr 2013 09:50:18 GMT

Ashok Khurana wrote:

Hello David,

I dont think that an engineer like you with a great caliber should ever give up.

First of all, I don't think that I have great caliber.

yes, I am aware of the radius-server dead-criteria. However, I do not work for Cisco and I would like to have a solution form someone who have done this before and know how it works, not guessing around.

My point is that with both "radius-server deat-criteria 5 3" and "test username cciesesec idle-time 1" should do some kind of authentication against the ISE often, right?

Well, I span the port of the ISE and I am not seeing any authentication check from the switch to the ISE, So, how the switch know when the ISE is not available without checking the ISE every few seconds, like "keepalive radius packet"?

I just want to understand how the "test username cciesec idle-timeout 1" work, not the work-around approach.

Thank you very much for your help.

David

Re: wired 802.1x and radius-server configuration

Octavian Szolga — Tue, 30 Apr 2013 12:32:08 GMT

My point is that with both "radius-server deat-criteria 5 3" and  "test username cciesesec idle-time 1" should do some kind of  authentication against the ISE often, right?

The test username command is an optional method used to verify the availability of a configured radius server by sending authentication messages with the configured username and it checks for a response, whether it receives accept or deny.

The important thing to note regarding this command is that is somehow redundant because in a regular dot1x network, when a user wants to log in, the switch automatically sends radius authentication messages to ISE, and in case that the radius server doesn't respond according to the time window specified by the radius-server dead-criteria time command, is marked dead.

This means that the test username command is useful onlny for long periods of inactivity when no one logs in, so you proactively check for radius reachability without having any user authentication processes ongoing.

My suggestion is to get rid of test username command and use radius-server dead-criteria time necessarily combined with radius-server deadtime because otherwise the radius server will flap between dead and alive status

Note:

radius-server dead-criteria time X tries Y

X = timeout for the request message sent to ISE

Y = number of messages before giving up (ie - mark server dead)

test username - by default, the requests are sent at 1 hour interval.

radius-server deadtime X - how long to consider the radius server dead before trying again

Re: wired 802.1x and radius-server configuration

david.tran — Tue, 30 Apr 2013 14:35:04 GMT

Octavian Szolga wrote:

My suggestion is to get rid of

test username

command and use

radius-server dead-criteria time

necessarily combined with

radius-server deadtime

because otherwise the radius server will flap between dead and alive status

What you said sound fair but I have to ask, have you ever tested or is this just speculation?

The reason I said that is because I do NOT use radius-server deat-criteria time and and radius-server deadtime and I use test username with the idle-time of 1 minute, and the catalyst switch 6509 has no traffics communicating with the ISE radius when everything is idle. I can confirm with because the ISE is sitting behind a checkpoint firewall and I am not seeing radius traffics from the switch to the ISE via tcpdump.

It looks to me that the "test username idle-time 1" is broken. The Cisco TAC engineer couldn't figure it out either

Re: wired 802.1x and radius-server configuration

david.tran — Wed, 01 May 2013 00:55:02 GMT

Updated to this issue: Many thanks to the Cisco TAC engineer Ankur Bajaj for solving this issue. The correct syntax should be:

radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 test username cciesec idle-time 1 key 123456

whereas in my original configuration I had:

radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1 which is WRONG.

What Ankur Bajaj said makes sense, if you put "test username cciesec idle-time 1" after the radius key, it will take "123456 test username cciesec idle-time 1" as the radius key.

Even though it makes sense, however, in the ISE log, I am not seeing anything about mismatch radius key so I think it must be another bug on either the catalyst 6509 or another bug on the ISE.

Re: wired 802.1x and radius-server configuration

Octavian Szolga — Wed, 01 May 2013 20:01:59 GMT

What you said sound fair but I have to ask, have you ever tested or is this just speculation?

Yes I did test it and it works although on different platforms (IOS bug?) it behaves differently.

On a Cat4500 the password sent with the username (I guess) is the radius key and ISE reports bad password for that username but on a 3750 the password sent with the username is the right one - the one configured with username X pass Y command - and ISE reports successful authentication.

What is indeed weird is the fact that you're not seeing at all some authentication requests coming from Cat6500.

wired 802.1x and radius-server configuration

r.pfffli — Fri, 03 May 2013 08:20:06 GMT

Octavian Szolga wrote:

My point is that with both "radius-server deat-criteria 5 3" and "test username cciesesec idle-time 1" should do some kind of authentication against the ISE often, right?

Note:

radius-server dead-criteria time X tries Y

X = timeout for the request message sent to ISE

Y = number of messages before giving up (ie - mark server dead)

test username - by default, the requests are sent at 1 hour interval.

radius-server deadtime X - how long to consider the radius server dead before trying again

Do you have a recommendation regarding the values in radius-server dead-criteria time X tries Y

I heard that for example Windows clients end up not connecting at all if the timers are too long. Is there a recommendation?

regards

Roger

Re: wired 802.1x and radius-server configuration

Octavian Szolga — Fri, 03 May 2013 08:44:47 GMT

Do you have a recommendation regarding the values in

radius-server dead-criteria time X tries Y

I personally do not have a recommendation regarding the timers, but Cisco says in the TrustSec design slides or ISE DeepDives slides that for an ISE implementation with Active Directory Services it would be best to configure a timeout of 10 seconds and 3 retries because in some situations the Domain Controller may be overwhealmed with requests from clients and so on.

It all depends on your particularly deployment and the requested fail-over interval.

Re: wired 802.1x and radius-server configuration

r.pfffli — Fri, 03 May 2013 09:10:23 GMT

Octavian Szolga wrote:

It all depends on your particularly deployment and the requested fail-over interval.

Thanks for your reply! Could you please post the link to the TrustSec design slides or ISE DeepDive slides, I would be very interested to read those specific chapter. There are so many design guides on CCO, I have a hard time to find the correct ones 🙂

In a customer deployment a colleague was using radius-server dead-criteria time 4 tries 3 due to some test with Windows clients and this was working fine, no timeouts on client side anymore.

As you said, if the timer is too short, the domain controller might end up with troubles...