
AAA server repeatedly down

LY YIHEANG
Level 1

We have a Cisco switch configured with a RADIUS server (FortiNAC). We noticed that the AAA server goes down more frequently after multiple RADIUS requests.

Example: two endpoints are authenticated with RADIUS (FortiNAC) on Port 1 and Port 2. If one of the ports restarts, the RADIUS server becomes down. After the deadtime expires (10 minutes), AAA comes up again and is able to authenticate, but if one of the ports restarts, AAA goes down again. The issue happens repeatedly.

What I have troubleshot:
- Connection to the RADIUS server is up and running
- RADIUS ports 1812-1813 and CoA are reachable bidirectionally between the switch and the RADIUS server

Note: we have only one RADIUS server.

If anyone is having the same issue, please share the resolution.


Thank You

9 Replies

Try using:

automate-tester username radius-test idle-time 10

MHM

I have tried it. It brings RADIUS up after the dead-time expires (10 minutes), but the client will get into the critical VLAN before RADIUS is back up. Anyway, can you explain how it detects RADIUS down? Is it based on authentication or accounting?

Client will get into critical VLAN <<- this is a very good point.

Configure the timeout under the server to make the SW wait a little longer for the AAA server reply.

MHM

@MHM Cisco World ,

I have already put it inside the dead-criteria. Can you explain the difference between the global dead-criteria and the timeout under the individual server?

Thank You

radius-server dead-criteria time <make this longer> tries <as is, good>

radius-server deadtime <make this time shorter>

The issue is that the SW sends to the AAA server but does not receive a reply within the dead-criteria time × 3; this makes the SW mark the AAA server as dead and authorize the port with the critical VLAN.

MHM
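To see why the dead-criteria and deadtime numbers MHM mentions matter, here is an added toy model (written for this edit, not code from the thread or from Cisco; the counting rules are an assumption about IOS behaviour used for illustration, and every knob value is made up) of how a switch turns unanswered RADIUS requests into a "dead" server and a critical-VLAN authorisation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusServerModel:
    """Toy model of a switch's RADIUS dead-server detection (illustrative
    assumption about IOS behaviour, not Cisco's implementation).
    timeout / retransmit  : per-server 'timeout' and 'retransmit' (IOS defaults 5 s / 3)
    dead_time / dead_tries: 'radius-server dead-criteria time T tries N'
    deadtime              : 'radius-server deadtime M' (minutes)
    """
    timeout: int = 5
    retransmit: int = 3
    dead_time: int = 5
    dead_tries: int = 3
    deadtime: int = 10
    consecutive_timeouts: int = 0
    last_valid_reply: float = 0.0
    dead_since: Optional[float] = None

    def is_dead(self, now: float) -> bool:
        """Server stays dead until deadtime expires, then is tried again."""
        if self.dead_since is not None and now - self.dead_since >= self.deadtime * 60:
            self.dead_since = None
            self.consecutive_timeouts = 0
        return self.dead_since is not None

    def authenticate(self, now: float, server_replies: bool) -> str:
        """One 802.1X authentication at time 'now' (seconds). Returns 'accept',
        'timeout' (exchange lost, server still alive) or 'critical-vlan'
        (server marked dead, port authorised into the critical VLAN)."""
        if self.is_dead(now):
            return "critical-vlan"
        if server_replies:
            self.consecutive_timeouts = 0
            self.last_valid_reply = now
            return "accept"
        # No reply: the initial send and each retransmit time out in turn.
        t = now
        for _ in range(self.retransmit + 1):
            t += self.timeout
            self.consecutive_timeouts += 1
            # Both criteria must hold: N consecutive timeouts AND T seconds
            # since the last valid reply from this server.
            if (self.consecutive_timeouts >= self.dead_tries
                    and t - self.last_valid_reply >= self.dead_time):
                self.dead_since = t
                return "critical-vlan"
        return "timeout"
```

With the defaults a single lost exchange (1 send + 3 retransmits) already exceeds `tries 3`, so one port restart that loses its request marks the only server dead for the whole deadtime; raising `dead-criteria time`/`tries` above what one lost exchange can produce turns that into a plain timeout instead.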

What is the path from the switch to FortiNAC?  What is the use-case for RADIUS on FortiNAC?  FortiNAC has a VERY limited EAP service.  How are you doing enforcement from FortiNAC?  CLI?  SNMP?  Something else?  Is the switch properly discovered and added into FortiNAC with valid CLI and SNMP credentials?  What role is CoA playing here?  

We are trying to do enforcement through 802.1X. The switch is configured with SNMP and CLI.

So something is wrong between the switch and FortiNAC. Is the FortiNAC RADIUS/EAP service enabled?  What is your EAP type?  What is the path from the switch to FortiNAC?  Are your RADIUS keys correct?  What do the FortiNAC logs say?

Amine ZAKARIA
Spotlight

Hello @LY YIHEANG ,

Try this "automate-tester username fnac-user ignore-acct-port idle-time 1"

Regards!

Don't forget to rate helpful posts!