https://community.cisco.com/t5/network-access-control/aaa-dot1x-radius-dead/m-p/4400030#M567208 <P>Hi</P> <P>&nbsp;</P> <P>Affected users are the one already authorized or new people connecting?</P> <P>The class-map <STRONG>AAA-DOWN-AUTH</STRONG>&nbsp;is in match-any instead of match-all.</P> <P>&nbsp;</P> <P>Then, have you ran a debug radius to see why your AAA servers are flapping between alive and not alive?</P> <P>&nbsp;</P> Mon, 10 May 2021 02:52:57 GMT Francesco Molino 2021-05-10T02:52:57Z https://community.cisco.com/t5/network-access-control/aaa-dot1x-radius-dead/m-p/4398520#M567159 <P>hI,</P><P>&nbsp;</P><P>It seems the Radius DEAD and ALIVE logs were occuring every few minutes. User complains it affect their access. However I thought when AAA down, all hosts will be AZ (authorised)? It seems AAA servers intermittent reachability frm the switch affects host access. How is this possible espeecially when script says AAA-down, all Authorised?</P><P>Also both AAA servers are fine, however switch logs says otherwise. It cant be 2 AAA down at same time. there wasnt any ping timeout but switch keeps logging AAA unreachable every few mins.</P><P>&nbsp;</P><P>Below are my script. Any idea guys?&nbsp;</P><P>&nbsp;</P><P>May 6 13:24:11.350: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.1.1.1:1812,1813 is not responding.<BR />May 6 13:24:26.920: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.1.1.2:1812,1813 is not responding.<BR />May 6 13:24:26.920: %RADIUS-3-ALLDEADSERVER: Group AAA_DOT1X: No active radius servers found. Id 110.</P><P>&nbsp;</P><P><STRONG>class-map type control subscriber match-any AAA-DOWN-AUTH</STRONG><BR /><STRONG>match result-type aaa-timeout</STRONG></P><P><STRONG>match authorization-status authorized<BR />!<BR />class-map type control subscriber match-all AAA-DOWN-UNAUTHD<BR />match result-type aaa-timeout<BR />match authorization-status unauthorized<BR />!<BR />class-map type control subscriber match-all DOT1X_FAILED<BR />match method dot1x<BR />match result-type method dot1x authoritative<BR />!<BR />class-map type control subscriber match-all DOT1X_NO_RESP<BR />match method dot1x<BR />match result-type method dot1x agent-not-found<BR /><BR /></STRONG></P><P><STRONG>20 class AAA-DOWN-UNAUTHD do-until-failure<BR />10 activate service-template CRITICAL_AUTH_VLAN<BR />20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE<BR />30 authorize<BR />40 pause reauthentication<BR /></STRONG></P><P>&nbsp;</P><P><STRONG>30 class AAA-DOWN-AUTH do-until-failure<BR />10 pause reauthentication<BR />20 authorize</STRONG></P> Thu, 06 May 2021 03:18:05 GMT https://community.cisco.com/t5/network-access-control/aaa-dot1x-radius-dead/m-p/4398520#M567159 getaway51 2021-05-06T03:18:05Z https://community.cisco.com/t5/network-access-control/aaa-dot1x-radius-dead/m-p/4400030#M567208 <P>Hi</P> <P>&nbsp;</P> <P>Affected users are the one already authorized or new people connecting?</P> <P>The class-map <STRONG>AAA-DOWN-AUTH</STRONG>&nbsp;is in match-any instead of match-all.</P> <P>&nbsp;</P> <P>Then, have you ran a debug radius to see why your AAA servers are flapping between alive and not alive?</P> <P>&nbsp;</P> Mon, 10 May 2021 02:52:57 GMT https://community.cisco.com/t5/network-access-control/aaa-dot1x-radius-dead/m-p/4400030#M567208 Francesco Molino 2021-05-10T02:52:57Z