Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1478
Views
0
Helpful
1
Replies

AAA_DOT1X radius DEAD

getaway51
Level 2
Level 2

‎05-05-2021 06:57 PM - edited ‎05-05-2021 08:18 PM

hI,

 

It seems the Radius DEAD and ALIVE logs were occuring every few minutes. User complains it affect their access. However I thought when AAA down, all hosts will be AZ (authorised)? It seems AAA servers intermittent reachability frm the switch affects host access. How is this possible espeecially when script says AAA-down, all Authorised?

Also both AAA servers are fine, however switch logs says otherwise. It cant be 2 AAA down at same time. there wasnt any ping timeout but switch keeps logging AAA unreachable every few mins.

 

Below are my script. Any idea guys? 

 

May 6 13:24:11.350: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.1.1.1:1812,1813 is not responding.
May 6 13:24:26.920: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.1.1.2:1812,1813 is not responding.
May 6 13:24:26.920: %RADIUS-3-ALLDEADSERVER: Group AAA_DOT1X: No active radius servers found. Id 110.

 

class-map type control subscriber match-any AAA-DOWN-AUTH
match result-type aaa-timeout

match authorization-status authorized
!
class-map type control subscriber match-all AAA-DOWN-UNAUTHD
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found

20 class AAA-DOWN-UNAUTHD do-until-failure
10 activate service-template CRITICAL_AUTH_VLAN
20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
30 authorize
40 pause reauthentication

 

30 class AAA-DOWN-AUTH do-until-failure
10 pause reauthentication
20 authorize

0 Helpful
1 Reply 1

Francesco Molino
VIP Alumni
VIP Alumni

‎05-09-2021 07:52 PM

Hi

 

Affected users are the one already authorized or new people connecting?

The class-map AAA-DOWN-AUTH is in match-any instead of match-all.

 

Then, have you ran a debug radius to see why your AAA servers are flapping between alive and not alive?

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents