Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1110
Views
10
Helpful
4
Replies

Dot1x server groups switches

Go to solution
gerritfrans
Level 1
Level 1

‎10-23-2018 03:08 AM - edited ‎03-11-2019 01:51 AM

Hi,

The "aaa group server radius" suggest the request goes to the first member of the group. In my case server1

however server3 get most of the request's

 

Is there something I overlooked?

HW: WS-C2960-24PC-L

SW: 12.2(58)SE2

 

Below the config.

 

Thanks,

Gerrit-Frans van Pelt

 

 

aaa group server radius americas_802.1x
server name server1
server name server2
server name server3
deadtime 1
!
aaa authentication dot1x default group radius group americas_802.1x
aaa accounting dot1x default start-stop group radius group americas_802.1x
dot1x system-auth-control
!
radius server server1
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key 7 xxxx
!
radius server server2
address ipv4 2.2.2.2 auth-port 1812 acct-port 1813
key 7 xxxx
!

radius server server3
address ipv4 3.3.3.3 auth-port 1812 acct-port 1813
key 7 xxxx

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to gerritfrans

‎10-29-2018 02:23 PM

Well... at very least, you get the debug command(s), by a browser search for "debug", to see how your switch doing the selections. The paper also recommends the use of automate-tester to provide a better detection of servers dead or alive, in the section "RADIUS Server Failure Handling".

BTW, 12.2(58)SE2 does not appear available for C2960-24PC-L. You might want to try either 12.2.55-SE12 or 15.0.2-SE11, instead.

 

View solution in original post

Go to solution
gerritfrans
Level 1
Level 1
In response to hslai

‎10-30-2018 04:49 AM - edited ‎10-30-2018 06:20 AM

Hi Hslai,

 

Did try 15.0.2-SE11 but same issue did adding some probing and retry times.

Believe the issue is related to my template.. Depending the order of "radius server server" it behaves different. as below.

 

Appreciate your help and document if very good indeed

 

 

So must be some soft of bug and need to find some working IOS.

 

aaa group server radius americas_802.1x
server name server1
server name server2
server name server3
deadtime 1
!
radius server server1
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key 7 xxxx
!
radius server server2
address ipv4 2.2.2.2 auth-port 1812 acct-port 1813
key 7 xxxx
!

radius server server3
address ipv4 3.3.3.3 auth-port 1812 acct-port 1813
key 7 xxxx


or this will change the order.

 

 

aaa group server radius americas_802.1x
server name server1
server name server2
server name server3
deadtime 1
!
radius server server2
address ipv4 2.2.2.2 auth-port 1812 acct-port 1813
key 7 xxxx
!
radius server server3
address ipv4 3.3.3.3 auth-port 1812 acct-port 1813
key 7 xxxx
!
radius server server1
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key 7 xxxx
!

 

 

Thanks

Gerrit Frans 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
gerritfrans
Level 1
Level 1
In response to hslai

‎10-29-2018 12:43 PM

Hi hslai,

This document also explains my point? below a quote.

 

''When there are multiple RADIUS servers defined on the NAS, the default behavior is that the non-dead server that is closest to the beginning of the list is used for the first transmission of a transaction, and for the configured number of retransmissions.''

 

I also believe it should fail back to the top one of the list 

 

I did configure this configuration on quite some different switch models and iOS software version. And it's not using server1.

 

Could you point out in what section of the document you see the solution?

 

Thanks

Gerrit

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to gerritfrans

‎10-29-2018 02:23 PM

Well... at very least, you get the debug command(s), by a browser search for "debug", to see how your switch doing the selections. The paper also recommends the use of automate-tester to provide a better detection of servers dead or alive, in the section "RADIUS Server Failure Handling".

BTW, 12.2(58)SE2 does not appear available for C2960-24PC-L. You might want to try either 12.2.55-SE12 or 15.0.2-SE11, instead.

 

Go to solution
gerritfrans
Level 1
Level 1
In response to hslai

‎10-30-2018 04:49 AM - edited ‎10-30-2018 06:20 AM

Hi Hslai,

 

Did try 15.0.2-SE11 but same issue did adding some probing and retry times.

Believe the issue is related to my template.. Depending the order of "radius server server" it behaves different. as below.

 

Appreciate your help and document if very good indeed

 

 

So must be some soft of bug and need to find some working IOS.

 

aaa group server radius americas_802.1x
server name server1
server name server2
server name server3
deadtime 1
!
radius server server1
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key 7 xxxx
!
radius server server2
address ipv4 2.2.2.2 auth-port 1812 acct-port 1813
key 7 xxxx
!

radius server server3
address ipv4 3.3.3.3 auth-port 1812 acct-port 1813
key 7 xxxx


or this will change the order.

 

 

aaa group server radius americas_802.1x
server name server1
server name server2
server name server3
deadtime 1
!
radius server server2
address ipv4 2.2.2.2 auth-port 1812 acct-port 1813
key 7 xxxx
!
radius server server3
address ipv4 3.3.3.3 auth-port 1812 acct-port 1813
key 7 xxxx
!
radius server server1
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key 7 xxxx
!

 

 

Thanks

Gerrit Frans 

0 Helpful
Customers Also Viewed These Support Documents