RADIUS and TACACS Fallback to Secondary AAA-Server

Augustine Okojie
Cisco Employee

Hello,

 

Can someone help me understand how RADIUS/TACACS determine that the primary AAA-Server is unreachable before falling back to the secondary AAA-Server? Is this based on a RADIUS or TACACS session or on IP reachability? If based on IP, how exactly does that work?

 

Thanks.

2 Accepted Solutions

bern81
Level 1

Hi Augustine.

 

It is all based on the Deadtime timers you configure.

radius-server dead-criteria time 5 tries 3 (will wait 5x3 seconds before declaring the RADIUS server as Dead)
radius-server deadtime 15 (once it is Dead, the switch will check after 15 minutes to see if the server is now reachable, and it will put it Alive for a few moments before declaring it Dead again).

The checks are based on the RADIUS UDP port 1812 or 1645.

As advice, use the automate-tester user in the RADIUS config with Probe-on to avoid having outage loops when the server is considered alive but is in reality Dead.

I hope this helped.

 

Please rate if answer is helpful.

For TACACS+ it is different (it runs over TCP port 49).


you can configure in the global config:

(config)# tacacs-server timeout 10 (seconds)

The switch/router will try TCP port 49 on the ISE server; if there is no reply within 10 sec, it will consider the TACACS server dead and try the secondary.
If both are down, you can configure an alternative method, like checking the local user database.

(config)# aaa authentication login VTY group tacacs+ local-case

I hope this helps.
Please rate if solution is helpful
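As an added example that is not part of the thread, here is an IOS configuration that puts bern81's two answers together: RADIUS dead-criteria/deadtime with the automate-tester, and the TACACS+ timeout with local fallback. The server names, the 192.0.2.x addresses, the shared keys and the probe/local usernames are placeholders I assumed, not values from the original posts.

```cisco
! Added example (not from the thread). Names, 192.0.2.x addresses, keys and
! usernames are placeholders; replace them with your own values.
aaa new-model
!
! --- RADIUS (UDP/1812 auth, UDP/1813 acct): two servers in one group ---
radius server ISE-RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SECRET
 ! periodic Access-Requests for probe-user; any reply (even Access-Reject)
 ! proves the server is reachable, so a dead server is noticed proactively
 automate-tester username probe-user probe-on
radius server ISE-RADIUS-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SECRET
 automate-tester username probe-user probe-on
aaa group server radius ISE-RADIUS
 server name ISE-RADIUS-1
 server name ISE-RADIUS-2
! DEAD once the server has not answered for 5 s and 3 consecutive requests
! timed out; it is then skipped for 15 min (deadtime) before being retried
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! --- TACACS+ (TCP/49): wait 10 s per server before trying the next one ---
tacacs server ISE-TACACS-1
 address ipv4 192.0.2.10
 key PLACEHOLDER-SECRET
tacacs server ISE-TACACS-2
 address ipv4 192.0.2.11
 key PLACEHOLDER-SECRET
tacacs-server timeout 10
aaa group server tacacs+ ISE-TACACS
 server name ISE-TACACS-1
 server name ISE-TACACS-2
!
! Method lists: try the server group first, fall back to local users
! (case-sensitive) only when every server in the group is dead/unreachable
username admin privilege 15 secret PLACEHOLDER-PASSWORD
aaa authentication login default group ISE-RADIUS local-case
aaa authentication login VTY group ISE-TACACS local-case
line vty 0 4
 login authentication VTY
!
! Check which servers are currently UP or DEAD with: show aaa servers
```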

5 Replies

marce1000
VIP

 

 - Have a look at the radius dead timer and/or timeout settings from the document link below, which will dictate the failover or transit behavior for the switch. How exactly it works -> is how you set certain parameters (well, how exactly it works is then left over to the inner IOS implementation).

         https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Does the same apply for TACACS+?