topic Re: Radius Server Config WS-C3560CX doesn't work correctly in Network Access Control

Radius Server Config WS-C3560CX doesn't work correctly

ChristophHofmann0740 — Mon, 02 Mar 2020 14:07:21 GMT

Hi,

I've a simple 802.1x Radius Setup (2x PSN on ISE) and following Config on a WS-C3560CX.

There a two Radius Server in the Config. The first one is working well. The secondary one is configured as backup radius.

If the first Radius server is not available, the secondary Server should take over requests and authenticate 802.1x sessions. Is see the Requests in the on the second node, but authentications fail.

When I delete the first radius server in the switch-config and only the second one is there, authentication is working well.

The ISE-config is okay, switches from other vendors works fine.

I got the following debug messages on Cisco Switch:

%RADIUS-4-RADIUS_DEAD: RADIUS server rad1 is not responding.

%RADIUS-4-RADIUS_ALIVE: RADIUS server rad1 is being marked alive.

My Config:

aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

radius server rad1
address ipv4 10.60.0.3 auth-port 1812 acct-port 1813
key ****
!
radius server rad2
address ipv4 10.60.0.4 auth-port 1812 acct-port 1813
key ****

Many Thanks,

Chris

Re: Radius Server Config WS-C3560CX doesn't work correctly

balaji.bandi — Mon, 02 Mar 2020 17:48:29 GMT

how about group them radius servers and use it ?

example :

aaa group server tacacs+ bbandi
server name rad1
server name rad2

Re: Radius Server Config WS-C3560CX doesn't work correctly

Damien Miller — Mon, 02 Mar 2020 18:44:54 GMT

If the dead and alive messages are near identical time stamps in the log, then using the radius dead timer might help.

Ex.
radius-server deadtime 5

This would have the switch mark the sever dead for 5 minutes prior to retrying it again. If both get marked dead, it will ignore the dead timer and round robin them again.

Adding to that, you can use the radius automated-tester feature to make it more robust.

Ex.
radius automate tester username ignore-acct-port probe-on

Re: Radius Server Config WS-C3560CX doesn't work correctly

Cristian Matei — Mon, 02 Mar 2020 20:50:10 GMT

Hi,

First of all, though RADIUS works, your configuration is not correct and you should fix it: you have defined the radius servers via name, but in the AAA commands you use the radius keyword which points towards globally defined radius servers via radius-server command. This inconsistency may cause issues at some point, here's the fixed configuration:

aaa new-model
aaa authentication login default group ALL_RADIUS local
aaa authentication dot1x default group ALL_RADIUS
aaa authorization network default group ALL_RADIUS
aaa accounting dot1x default start-stop group AL_RADIUS

radius server rad1
address ipv4 10.60.0.3 auth-port 1812 acct-port 1813
key ****
!
radius server rad2
address ipv4 10.60.0.4 auth-port 1812 acct-port 1813
key ****

aaa group server radius ALL_RADIUS

server name rad1

server name rad2

To properly failover, assuming you want to failover from the main RADIUS server to the second RADIUS server in 10 seconds, you would need to globally configure "radius-server dead-criteria time 10"; at this point the server is marked as DEAD, but you also need to specify how long do you keep it as DEAD (so not sending any requests to it), to keep it dead for 30 minutes, use "radius-server deadtime 30".

If you need or want smarter/failover (like don't wait for an authentication request in order to identify if a server is down, but rather constantly check which RADIUS servers are functional), use the automation feature (authentication can be successful or not, it does not matter, just a response from the RADIUS server is enough to keep it in the UP state):

radius server rad1

automate-tester username radiustestuser

radius server rad2

automate-tester username radiustestuser

If you want, you could also do load-balancing across both servers, you'll have to enable the feature.

Regards,

Cristian Matei.

Re: Radius Server Config WS-C3560CX doesn't work correctly

ChristophHofmann0740 — Tue, 03 Mar 2020 12:49:57 GMT

Hi,

many thanks for answers.

I have improved my config as you can see below. But the issue is the same.

aaa authentication login works fine on both servers.

dot1x works fine if the rad1 is reachable. -> but I can not see an accounting AAA session in the ise

If rad1 is not reachable ise log is showing the follwing output:

"5440 Endpoint abandoned EAP session and started new

Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration."

When I delete rad1, rad2 is working fine.

Config:

!
aaa group server radius ALL_RADIUS
server name rad1
server name rad2
!
aaa authentication login default group ALL_RADIUS local
aaa authentication dot1x default group ALL_RADIUS
aaa authorization network default group ALL_RADIUS
aaa accounting dot1x default start-stop group AL_RADIUS
!
aaa session-id common
!
!
dot1x system-auth-control
!
!
radius-server dead-criteria time 10
!
radius server rad1
address ipv4 10.60.0.26 auth-port 1812 acct-port 1813
key *****
!
radius server rad2
address ipv4 10.60.0.27 auth-port 1812 acct-port 1813
key *****
!

Re: Radius Server Config WS-C3560CX doesn't work correctly

Cristian Matei — Tue, 03 Mar 2020 16:47:44 GMT

Hi,

Run "debug radius authentication" and perform auth to first radius server, cut access to it, authenticate again, leave the debug a bit more and stop it. Paste the debug output here.

Regards,

Cristian Matei.

Re: Radius Server Config WS-C3560CX doesn't work correctly

ChristophHofmann0740 — Wed, 04 Mar 2020 07:25:50 GMT

Hi,

many thanks for your answer. I 've appended two files. The 'auth.txt' is the debug ouput where Radius1 is reachable. The 'no auth.txt' is the debug file where Radius1 is not reachable.

I think the interessting part of the debug ist when Radius Request to Radius1 fails:

Mar 4 07:05:54.657: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 4 07:05:54.661: RADIUS(00000000): Started 5 sec timeout
Mar 4 07:05:56.772: RADIUS(00000000): Request timed out!
Mar 4 07:05:56.772: RADIUS: Fail-over to (10.60.0.27:1812,1813) for id 1645/133
Mar 4 07:05:56.772: RADIUS: Message Authenticator encoded
Mar 4 07:05:56.772: RADIUS(00000000): Started 5 sec timeout
Mar 4 07:05:56.782: RADIUS: Received from id 1645/133 10.60.0.27:1812, Access-Reject, len 38
Mar 4 07:05:56.782: RADIUS: authenticator 11 B8 93 57 FD 44 F5 10 - CE 0F 5B 68 BC 85 11 23
Mar 4 07:05:56.782: RADIUS: Message-Authenticato[80] 18
Mar 4 07:05:56.782: RADIUS: 29 6C 73 97 35 27 61 8A D6 87 1B 4C 44 55 6A 43 [ )ls5'aLDUjC]
Mar 4 07:05:56.782: RADIUS(00000000): Received from id 1645/133
Mar 4 07:05:56.817: RADIUS(00000000): Request timed out!
Mar 4 07:05:56.817: RADIUS: Fail-over to (10.60.0.27:1812,1813) for id 1645/134
Mar 4 07:05:56.817: RADIUS: Message Authenticator encoded
Mar 4 07:05:56.817: RADIUS(00000000): Started 5 sec timeout
Mar 4 07:05:56.828: RADIUS: Received from id 1645/134 10.60.0.27:1812, Access-Challenge, len 122
Mar 4 07:05:56.828: RADIUS: authenticator DF 6E B0 01 B3 E2 81 C6 - 06 CA 0D 8E B7 90 FB 9B
Mar 4 07:05:56.831: RADIUS: State [24] 76
Mar 4 07:05:56.831: RADIUS: 33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 30 [37CPMSessionID=0]
Mar 4 07:05:56.831: RADIUS: 41 32 33 30 46 37 44 30 30 30 30 30 30 32 32 30 [A230F7D000000220]
Mar 4 07:05:56.831: RADIUS: 38 46 44 46 33 32 33 3B 33 31 53 65 73 73 69 6F [8FDF323;31Sessio]
Mar 4 07:05:56.831: RADIUS: 6E 49 44 3D 69 73 65 70 34 2F 33 37 32 31 33 32 [nID=isep4/372132]
Mar 4 07:05:56.831: RADIUS: 36 30 30 2F 36 32 39 37 39 3B [ 600/62979;]
Mar 4 07:05:56.831: RADIUS: EAP-Message [79] 8
Mar 4 07:05:56.831: RADIUS: 01 F3 00 06 0D 20 [ ]
Mar 4 07:05:56.831: RADIUS: Message-Authenticato[80] 18
Mar 4 07:05:56.831: RADIUS: 9B 56 01 97 E7 86 0C 62 03 FE 5C 6F EB 0C 7A 35 [ Vb\oz5]
Mar 4 07:05:56.831: RADIUS(00000000): Received from id 1645/134
Mar 4 07:05:56.831: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
Mar 4 07:05:59.673: RADIUS(00000000): Request timed out!
Mar 4 07:05:59.673: RADIUS: Retransmit to (10.60.0.26:1812,1813) for id 1645/135
Mar 4 07:05:59.673: RADIUS: Message Authenticator encoded
Mar 4 07:05:59.673: RADIUS(00000000): Started 5 sec timeout
Mar 4 07:06:04.727: RADIUS(00000000): Request timed out!
Mar 4 07:06:04.727: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.60.0.26:1812,1813 is not responding.
Mar 4 07:06:04.727: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.60.0.26:1812,1813 is being marked alive.
Mar 4 07:06:04.727: RADIUS: Retransmit to (10.60.0.26:1812,1813) for id 1645/135
Mar 4 07:06:04.727: RADIUS: Message Authenticator encoded
Mar 4 07:06:04.727: RADIUS(00000000): Started 5 sec timeout
Mar 4 07:06:09.782: RADIUS(00000000): Request timed out!
Mar 4 07:06:09.782: RADIUS: Retransmit to (10.60.0.26:1812,1813) for id 1645/135
Mar 4 07:06:09.782: RADIUS: Message Authenticator encoded
Mar 4 07:06:09.782: RADIUS(00000000): Started 5 sec timeout
Mar 4 07:06:14.843: RADIUS(00000000): Request timed out!
Mar 4 07:06:14.843: RADIUS: Fail-over to (10.60.0.27:1812,1813) for id 1645/135
Mar 4 07:06:14.843: RADIUS: Message Authenticator encoded
Mar 4 07:06:14.843: RADIUS(00000000): Started 5 sec timeout

Many thanks for your support.

best regards

Re: Radius Server Config WS-C3560CX doesn't work correctly

Cristian Matei — Wed, 04 Mar 2020 07:52:52 GMT

Hi,

First of all, for whatever reason, i believed you also had dead time configured. With your current configuration if the RADIUS server does not respond within 10 seconds, it is marked as dead, in order to NOT mark it alive on the next RADIUS request, configure "radius-server deadtime 30" to keep it down for the next 30 minutes, so to ignore it.

I see in the "Auth" file that authentication is successful towards 10.60.0.26 server, and no RADIUS requests are being sent to the second 10.60.0.27, so all good so far.

I see in the "No auth" file that immediately after 10.60.0.26 is declared dead, it's declared alive; this should be fixed by the above command. I see that the authentication request goes to the second server 10.60.0.27, but debug output is not complete.

Configure the above command, run the test again, and paste the complete output from RADIUS debug.

Regards,

Cristian Matei.

Re: Radius Server Config WS-C3560CX doesn't work correctly

ChristophHofmann0740 — Wed, 04 Mar 2020 09:56:27 GMT

Hi Christian,

many thanks for your answer.

I've tried the "radius-server deadtime 30" statement and now the client01 can authenticate against the second radius-server correctly.

Is the "radius-server deadtime 30" a best practise command? I didn't found it in the Radius Configurations Guides and I think the 10 which was set before is a default-value.

The interessting thing is, that I can't see an accounting session in our ise.

Best regards

Re: Radius Server Config WS-C3560CX doesn't work correctly

Cristian Matei — Thu, 05 Mar 2020 11:32:12 GMT

Hi,

Doesn't really matter what the documentation states; i would set the value to something which fits my environment. Like, if you think that if something happens to your first RADIUS server, it could take like 2 hours to out it back online, i would configure the timer to be 2 hours, cause if i put it to 30 minutes, i will just make the switch toggle back and forward between the RADIUS server with no reason, and keep authentication in standby. The goal is is to keep the network stable and clients happy, and not to fallback to the first RADIUS server as fast as possible.

Accounting doesn't work, most probably, because you copied my config and i had a typo in the accounting command 🙂

aaa accounting dot1x default start-stop group AL_RADIUS-------should be

aaa accounting dot1x default start-stop group ALL_RADIUS

Regards,

Cristian Matei.

Re: Radius Server Config WS-C3560CX doesn't work correctly

ChristophHofmann0740 — Thu, 05 Mar 2020 13:50:50 GMT

Hi Christian,

many thanks for your support. I'm embarrassed about the mistake if I copied from your example. It works fine.

I will check whether it makes sense to configurate a load balancing for RADIUS-Deployment in our environment.

Best regards,

Chris

Re: Radius Server Config WS-C3560CX doesn't work correctly

Cristian Matei — Thu, 05 Mar 2020 14:40:48 GMT

Hi,

Mistake was mine, you just trusted me 🙂

Regards,

Cristian Matei.