topic Re: AAA server repeatedly down in Network Access Control

AAA server repeatedly down

LY YIHEANG — Wed, 28 Aug 2024 13:41:15 GMT

We have Cisco Switch Configured with RADIUS Server (FortiNAC). We noticed that AAA Server down more frequently after multiple RADIUS request.

Example: Two Endpoints authenticated with RADIUS (FortiNAC) Port 1 and Port 2. If one of the port restart. RADIUS Server become down. After deadtime expired (10minutes). AAA become up again and it is able to authenticate but if one of the port restart, AAA come down again. The issue repeatedly happen.

What i have troubleshooting: - Connection to radius server up and running - Connection Radius port 1812-1813, CoA is reachable in bidirection connection between Switch and Radius Server

Note: We have only 1 Radius Server

Is there anyone having same issue, please share resolution

Thank You

Re: AAA server repeatedly down

MHM Cisco World — Wed, 28 Aug 2024 14:06:18 GMT

try use

automate-tester username radius-test idle-time 10

MHM

Re: AAA server repeatedly down

LY YIHEANG — Wed, 28 Aug 2024 14:11:12 GMT

I have tried it. It bring RADIUS up after dead-time expired (10 minutes) but Client will get into critical VLAN before RADIUS is up back. Anyway, Can you explain how it detect RADIUS down? it is based on Authentication or Accounting?

Re: AAA server repeatedly down

MHM Cisco World — Wed, 28 Aug 2024 14:19:00 GMT

Client will get into critical VLAN <<- this very good point

Config timeout under server to make SW little longer wait the aaa server reply

MHM

Re: AAA server repeatedly down

LY YIHEANG — Wed, 28 Aug 2024 14:26:39 GMT

@MHM Cisco World ,

I have put inside the dead-criteria already? Can you explain the different between global dead-criteria and timeout under individual server?

Thank You

Re: AAA server repeatedly down

ahollifield — Wed, 28 Aug 2024 14:45:23 GMT

What is the path from the switch to FortiNAC? What is the use-case for RADIUS on FortiNAC? FortiNAC has a VERY limited EAP service. How are you doing enforcement from FortiNAC? CLI? SNMP? Something else? Is the switch properly discovered and added into FortiNAC with valid CLI and SNMP credentials? What role is CoA playing here?

Re: AAA server repeatedly down

LY YIHEANG — Wed, 28 Aug 2024 14:47:27 GMT

We are trying to do enforcement through 802.1X. Switch is configure as SNMP and CLI.

Re: AAA server repeatedly down

MHM Cisco World — Wed, 28 Aug 2024 14:57:15 GMT

Radius-server dead criteria time <make this longer> tries ❤️ ❤️is good>

Radius-server deadtime <make this time shorter>

The issue is SW send to aaa server but not receive reply in dead criteria time×3 this make SW mark aaa server as dead and authz port with critical vlan

MHM

Re: AAA server repeatedly down

ahollifield — Wed, 28 Aug 2024 16:24:54 GMT

So something is wrong between the switch and FortiNAC. Is the FortiNAC RADIUS/EAP service enabled? What is your EAP type? What is the path from the switch to FortiNAC? Are your RADIUS keys correct? What do the FortiNAC logs say?

Re: AAA server repeatedly down

Amine ZAKARIA — Wed, 28 Aug 2024 18:19:09 GMT

Hello @LY YIHEANG ,

Try this "automate-tester username fnac-user ignore-acct-port idle-time 1"

Regards!

Don't forget to rate helpful posts!