5498 Views | 5 Helpful | 4 Replies

aaa server up

ShaunGreen (Level 1)

Hi All,

I'll continue to investigate, but to be honest, if anyone can offer any advice...please do, because this is making me wonder.

I'm trying to configure IBNS 2.0 for dot1x. The device is a 2960CX-8PC-L running 15.2(7)E2.

I wanted to test the critical failover when the aaa server was unreachable. But I noticed something with the show aaa server command output that didn't look right.

I've stripped it back to basics and have just the following:

radius server RAD-SERVER
!

And nothing else.

But yet, when I do show aaa server, it shows the status to be UP...

*************

RADIUS: id 3, priority 2, host UNKNOWN, auth-port 65535, acct-port 65535
State: current UP, duration 106s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 1m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 0 minutes ago: 0
low - 0 hours, 0 minutes ago: 0
average: 0

**********


How can that be??

Which then leads me to the point, how will the switch know the aaa server is down and bring in the CRITICAL Policy for open authentication??


4 Replies

Hi @ShaunGreen 

That is not a good way of testing AAA failure; normally I define a null route on the switch (core switch) for the ISE host node.

You will need to configure the radius dead timers to ensure that the radius server is marked as down when it is unreachable.

radius-server dead-criteria time 10 tries 3
radius-server deadtime 15

HTH

Hi Rob,

Thanks for your response.

I actually had a full config, dead timers, everything, in fact, a config I had working for another installation.

This all started when I wanted to check that the switches could failover to Critical open when the PSN's were down.

So I changed the IP and key on the radius server to cut the communication between the switch and PSN, with the hope that I would see the switch show the aaa server down and switch over to critical. But instead, the server still showed up. That's when I went really basic to see if I was configuring something wrong. But nope, still showing UP, even though there is no valid radius server configured.

Okay, edit: I've been working on this since writing the above.

I have the following command and debug running; I think my previous commands weren't working because of the missing

automate-tester username test-user idle-time 1

Under the Radius server config.

But why it thought the aaa server was up, when it didn't even have anything to test against, is beyond me.

Thanks again.

Probably because that AAA server ID was previously up, until you deleted the configuration. The status from your screenshot confirms the host is UNKNOWN, so the switch cannot confirm whether it's up or down. Your test was not valid, you'd simulate a failure of ISE using the null route method I suggested or turn off ISE so it is unreachable from the switch.
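The null-route failover test described in this reply, together with the dead-criteria, deadtime and automate-tester settings mentioned earlier in the thread, pulled together into one IBNS 2.0 configuration for a 15.2(7)E-class switch. This is an added example, not configuration posted by anyone in the thread. The ISE PSN address 192.0.2.10, the shared key, VLAN 100, the AAA group name ISE, the interface, and the service-template, class-map and policy-map names are assumptions chosen for illustration; replace them with your own.

```cisco
! --- Added example: RADIUS server with liveness probing and dead detection ---
! Assumed ISE PSN address 192.0.2.10 and shared key; replace for your site.
aaa new-model
!
radius server RAD-SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExampleSharedKey
 ! Send a probe Access-Request after 1 minute of idle time, so the switch
 ! notices a dead server even when no endpoint is authenticating.
 automate-tester username test-user idle-time 1
!
! Mark the server DEAD after 10 s without a reply and 3 consecutive timeouts,
! and leave it marked dead for 15 minutes before retrying it.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
aaa group server radius ISE
 server name RAD-SERVER
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
dot1x system-auth-control
!
! --- IBNS 2.0 critical authorization (assumed VLAN 100 and names) ---
service-template CRITICAL_AUTH_VLAN
 vlan 100
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_VLAN
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_VLAN
!
policy-map type control subscriber DOT1X_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 authorize
   30 pause reauthentication
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
!
interface GigabitEthernet0/1
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 service-policy type control subscriber DOT1X_POLICY
!
! --- Failover test: black-hole the PSN instead of changing its IP or key ---
! The server definition stays intact, so the automate-tester probe and the
! dead-criteria actually fire and the switch marks the server DEAD.
ip route 192.0.2.10 255.255.255.255 Null0
!
! Then, from exec mode, force a request and watch the state change:
!   test aaa group ISE test-user test new-code
!   show aaa servers
!   (expect "State: current DEAD" once the tries are exhausted)
!   show access-session interface GigabitEthernet0/1 details
!
! Restore reachability; the aaa-available event clears critical sessions:
!   no ip route 192.0.2.10 255.255.255.255 Null0
```

The point of the Null0 route is that the switch still has a fully defined server to probe: the probe and the real Access-Requests time out, the dead-criteria counters run, and the server transitions to DEAD, which is what triggers the aaa-timeout result and the critical-auth class. A server entry with no address (the "host UNKNOWN" in the output above) has nothing to probe, so it never goes through that transition.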

Hi Rob,

Useful test using null 0, thanks!! I'll shut down ISE when I do the full testing, but when you want to switch things back and forth while setting things up, that takes too much time. The null 0 works a treat.

Thanks,
Simon.