08-24-2006 06:39 AM
Following issue...
Two ACE Contexts -> Admin and Test
Both are configured to authenticate via AAA and Radius. Everything works as intended, roles get submitted by Radius etc.
If you configure a deadtime >0 and for example you stop the Radius Service the current ACE context detects the unavailable radius server and marks it as dead after retransmit and timeout values have expired. If you activate the radius service again the ace context never clears the "Radius Server=Dead" flag.
If you don't log in while doing maintenance on your radius service everything is fine, but once the deadtimer kicks in it's over.
I verified this behavior by using context Admin and context Test at the same time. I ended up with one context working with the same server perfectly and one still having it marked as dead.
I got some debug output and the config for both contexts.
Ahmed or Gilles, can you reproduce this behavior?
EDIT: Reloading the module and setting the "deadtime 0" fixes the behavior.
--- CONTEXT -> ADMIN ---
2006 Aug 24 16:08:06.875245 radius: (ctx:0)get_radius_server_info_from_group:
2006 Aug 24 16:08:06.875830 radius: (ctx:0)Skipping DEAD RADIUS server 10.10.10.1
2006 Aug 24 16:08:06.875888 radius: (ctx:0)radius_request_process_next_server:
All RADIUS servers failed to respond after retries.
--- CONTEXT -> TEST ---
2006 Aug 24 16:08:20.676439 radius: (ctx:0)get_radius_server_info_from_group:
2006 Aug 24 16:08:20.677049 radius: (ctx:0)radius_request_process_next_server:
found a server server index in group 0
2006 Aug 24 16:08:23.085763 radius: (ctx:0)get_radius_server_info_from_group:
2006 Aug 24 16:08:23.086024 radius: (ctx:0)radius_request_process_next_server:
found a server server index in group 0
2006 Aug 24 16:08:23.090753 radius: (ctx:0)Got context name Test
--- Configuration -> CONTEXT ADMIN ---
ace-module-01/Admin# sh run
Generating configuration....
radius-server host 10.10.10.1 key 7 "<secret>" auth-port 1645 acct-port 1646 authentication accounting
aaa group server radius RADIUS_VTY
server 10.10.10.1
deadtime 1
aaa authentication login default group RADIUS_VTY local
--- Configuration -> CONTEXT TEST ---
ace-module-01/Test#
Generating configuration....
radius-server host 10.10.10.1 key 7 "<secret>" auth-port 1645 acct-port 1646 authentication accounting
aaa group server radius RADIUS_VTY
server 10.10.10.1
deadtime 1
aaa authentication login default group RADIUS_VTY local
---
Software
loader: Version 12.2[118]
system: Version 3.0(0)A1(2) [build 3.0(0)A1(2)
jwilley_23:41:53-2006/06/11_/auto/adbu-rel/ws/REL_3_0_0_A1_2]
system image file: [LCP] disk0:c6ace-t1k9-mz.3.0.0_A1_2.bin
08-24-2006 09:35 PM
I am not aware of any known bug on this issue.
I would recommend opening a TAC case on this.
Thanks
Syed Iftekhar Ahmed
08-25-2006 02:20 AM
I see the same issue even with A1(3).
I have submitted a new ddts for this - CSCsf19177.
If you activate the 'debug radius server-monitor' command, you should see the ACE module trying to authenticate user test with password test.
However, this request never makes it to the radius server.
The bug has been logged and we will investigate.
Thanks for reporting this problem to us.
Gilles.
08-25-2006 11:35 AM
Welcome and happy to hear you could reproduce it.
Roble
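A log check for the symptom reported in this thread, as an added example that is not part of any post or of Cisco's tooling: it flags a RADIUS server that keeps being logged as "Skipping DEAD" for longer than the configured deadtime. The sample log is constructed, the function name is hypothetical, and treating a "found a server" line as evidence that a server was tried again is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the thread's debug output (not a real capture).
SAMPLE_LOG = """\
2006 Aug 24 16:08:06.875830 radius: (ctx:0)Skipping DEAD RADIUS server 10.10.10.1
2006 Aug 24 16:08:40.120001 radius: (ctx:0)Skipping DEAD RADIUS server 10.10.10.1
2006 Aug 24 16:10:15.450112 radius: (ctx:0)Skipping DEAD RADIUS server 10.10.10.1
2006 Aug 24 16:25:02.000481 radius: (ctx:0)Skipping DEAD RADIUS server 10.10.10.1
"""

# Timestamped debug line: "<date time> radius: (ctx:N)<message>"
LINE_RE = re.compile(r"^(\d{4} \w{3} +\d{1,2} [\d:]+\.\d+) radius: \(ctx:\d+\)(.*)$")
SKIP_RE = re.compile(r"Skipping DEAD RADIUS server (\S+)")


def find_stuck_dead(log_text, deadtime_minutes):
    """Return {server: (first_skip, last_skip)} for servers that were skipped
    as DEAD for longer than deadtime_minutes with no attempt in between."""
    limit = timedelta(minutes=deadtime_minutes)
    first_skip, stuck = {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if "found a server" in line:
            # Assumption: this line means a server was actually tried, so any
            # earlier dead period has ended. It names no server: reset all.
            first_skip.clear()
            continue
        m = LINE_RE.match(line)
        skip = SKIP_RE.search(m.group(2)) if m else None
        if not skip:
            continue  # other debug lines and wrapped continuations
        ts = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S.%f")
        start = first_skip.setdefault(skip.group(1), ts)
        if ts - start > limit:
            stuck[skip.group(1)] = (start, ts)
    return stuck


if __name__ == "__main__":
    for server, (start, last) in find_stuck_dead(SAMPLE_LOG, 1).items():
        print(f"{server}: skipped as DEAD from {start} to {last}, deadtime is 1 minute")
```

With `aaa authentication login default group RADIUS_VTY local` as configured above, a server stuck in this state means logins are decided by the local method, so a hit from this check is worth correlating with login records.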