not able to configure automate-tester with idle-time and Probe-ON

bern81
Level 1

Hi all,

 

We found out that using automate-tester under the radius-server configuration prevents a loop outage in case the AAA server is marked as Dead and the deadtime expires.

 

However, I tried to perform the following command:

SW05(config-radius-server)# automate-tester username dummy idle-time 10 probe-on

% Invalid input detected at '^' marker.

I receive an error; it takes either probe-on or idle-time.

Is that normal? If yes, how can I add those 2 options (idle-time 10 minutes with probe-on)?

 

Thank you in advance

Sheraz.Salim
VIP Alumni

The following example shows how to enable automatic testing on the RADIUS server with the authorization and accounting ports specified with an idle time of 2 hours:

SW(config)# aaa new-model
SW(config)# radius server myserver
SW(config-radius-server)# address ipv4 10.0.0.1 acct-port 1813 auth-port 1812
SW(config-radius-server)# automate-tester username user1 idle-time 120
 

 

radius server rad-01
address ipv4 10.10.4.20 auth-port 18012 acct-port 18013
timeout 10
retransmit 3
automate-tester username dummy ignore-acct-port probe-on
key ***** 

please do not forget to rate.

Hi Sheraz,

 

Many thanks for the reply but this was not the issue.

 

I was able to configure automate-tester idle-time but I lose the probe-on feature.

Currently I configured:

 

radius server RADSERVER1
 address ipv4 10.7.5.100 auth-port 1812 acct-port 1813
 automate-tester username dummy idle-time 2
 key xxxxxxxxxxxxxxxxxxxxxxxx

 

The problem now is that even though the ISE server is Alive, every 2 minutes there is a RADIUS request from the dummy user to the ISE.

We have more than 2K switches in our network so it is becoming very noisy to the ISE.

 

If I now do the following:

 

radius server RADSERVER1
 address ipv4 10.7.5.100 auth-port 1812 acct-port 1813
 automate-tester username dummy probe-on
 key xxxxxxxxxxxxxxxxxxxxxxxx

 

The dummy timer is reset to the default (60 min) and the SW sends a probe to ISE only if it is considered Dead (which is good).

 

What I am not able to achieve is to reduce the idle-time to 2 min AND keep the probe-on feature.

Is it possible? Because the CLI seems to reject it when you combine both commands together:
I would not leverage the automated tester. The longer the test interval the less useful it really is. As you mentioned, it adds unwanted load in large environments.

The switch will mark the radius server dead during an authentication attempt that times out. Then I suggest implementing the command radius-server deadtime 15, or a time in minutes of your choosing.

This will implement a 15 minute hold-down timer when the switch realizes there is a problem authenticating against the primary RADIUS server. If the second fails and both are now being held down, the switch will try the first again even before the first 15 min timer expires.

I disagree with this and always use automated testers. You simply apply a filter all rule in ISE for the test username and there is really no extra load. If you don't use a tester and have critical auth set up on your switches you are going to see the following Yo Yo effect when both ISE nodes are down:

 

  1. Both ISE nodes down the switch fails into critical auth.
  2. The dead timer expires the switch is going to mark the RADIUS servers alive.
  3. If your critical auth is configured correctly it should be set to reinitialize when the RADIUS servers come back alive.
  4. The switch is going to bring all ports out of critical auth and try to authenticate all of them.
  5. Oops the RADIUS servers are really still dead, put everything back in critical auth.
  6. Rinse and repeat until you truly fix the ISE servers.

If you set up your automated tester to run in a time frame under your dead time it will keep the RADIUS servers dead so you don't have the critical auth Yo Yo effect. If you are in closed mode on the switchport the Yo Yo causes a 20-30 second outage (Dot1x timeout). If your dead time is 15 minutes that means every 15 minutes your phones stop working for 20-30 seconds until you get ISE fixed. Customers love that.

Hi Paul,

 

Totally agree with you, the reason I want to use automate-tester is because of this Yo Yo effect you mentioned :)

My issue is that I want to reduce the test-user idle-time AND I want to add the probe-on feature as well.

The issue is that the IOS accepts either idle-time or probe-on.

I want to use probe-on because i want the test-user to probe the ISE only when it is marked as Dead.

Any idea how to implement both features?

 

Current config:

interface GigabitEthernet0/2
 description Bay13_MAB_8021x
 switchport access vlan 238
 switchport mode access
 switchport nonegotiate
 load-interval 30
 authentication event fail retry 1 action next-method
 authentication event server dead action authorize vlan 238
 authentication event server alive action reinitialize
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 65535
 authentication timer restart 60
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
 storm-control broadcast level 5.00
 storm-control action shutdown
 spanning-tree portfast edge
 spanning-tree bpduguard enable
end

 

radius server RADSERVER1
 address ipv4 10.7.1.100 auth-port 1812 acct-port 1813
 automate-tester username dummy probe-on
 key 7 xxxxxxx
!
radius server RADSERVER2
 address ipv4 10.7.1.101 auth-port 1812 acct-port 1813
 automate-tester username dummy idle-time probe-on
 key 7 xxxxxx

 

radius-server dead-criteria time 5 tries 3
radius-server deadtime 15

 

 

Many thanks in advance
I have tested automate-tester username dummy idle-time 10 probe-on; you cannot have idle-time and probe-on in the same syntax. The version I tested is 16.06.03.

please do not forget to rate.

Hi Sheraz,

Same here, I tested with version 15.2(6)E2b.

Many thanks

diduarte
Cisco Employee

The issue is still the same: tested on version 17.9.4a, and it is not possible to use idle-time and probe-on in the same syntax. By the way, I was doing some tests to see how the radius automate-tester username test-user ignore-acct-port probe-on works. Based on the tests I did on three 3850 switches and two 9300s with version 17.9.4a and version 17.6.4, it behaved the same way. It seems the automate-tester username test-user ignore-acct-port probe-on command works based on the deadtime configuration.

I configured radius-server deadtime with following numbers for my test:

With deadtime 2 minutes and automate-tester username test-user ignore-acct-port probe-on, it takes two minutes plus roughly 15 seconds to send 4 requests, one request every 5 seconds. Once the 4 requests are sent, it waits the two minutes again before sending the probe again.

With deadtime 3 minutes and automate-tester username test-user ignore-acct-port probe-on, it takes three minutes plus roughly 15 seconds to send 4 requests, one request every 5 seconds. Once the 4 requests are sent, it waits the three minutes again before sending the probe again.

With deadtime 4 minutes and automate-tester username test-user ignore-acct-port probe-on, it takes four minutes plus roughly 15 seconds to send 4 requests, one request every 5 seconds. Once the 4 requests are sent, it waits the four minutes again before sending the probe again.

With deadtime 15 minutes and automate-tester username test-user ignore-acct-port probe-on, it takes fifteen minutes plus roughly 15 seconds to send 4 requests, one request every 5 seconds. Once the 4 requests are sent, it waits the fifteen minutes again before sending the probe again.

And so on. The only way I really found this useful was leaving the deadtime at 0, which is the default. As you know, when it is at the default it may cause flapping as the server is marked dead and alive immediately, but when it has the automate-tester username test-user ignore-acct-port probe-on it works just fine.

Explanation:

Automate-tester with probe-on will send probes after every Dead-time expiry.

Default dead-time for automate-tester is 60 seconds. In this case probes will be sent to the server only if the state of the server is DEAD. To achieve this, whenever the user configures automate-tester with probe-on, the state of the server will be forced to DEAD irrespective of the current state, so that after the dead-time expires probe-on can take part in sending test packets.

Packets will be sent on both IOS and BINOS (Both on SMD and WNCD).

IOS: One authentication packet and one accounting packet

BINOS: Only one authentication packet

Note: As soon as the user configures "automate-tester probe-on", the server will be intentionally marked as DEAD and the deadtime started (default is 60 sec if radius-server deadtime is not configured). This will affect the user/customer if the user has a large deadtime: during config or bootup the server will be marked DEAD for that much time. Once the deadtimer expires, packets (probes) will be sent and the correct state will be updated based on the result.
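The two behaviours this thread revolves around, the critical-auth "Yo Yo" that Paul describes when no tester is configured and the probe-on burst timing that diduarte measured, can be seen side by side in a small timing model. The Python below is an added illustration written for this page, not Cisco IOS code and not the output of any poster's switch. Its timings are assumptions taken from the posts: deadtime is modelled in seconds, a failed authentication marks the server DEAD after 15 s (the poster's "dead-criteria time 5 tries 3"), the idle-time tester fires every idle-time whatever the server state, and probe-on sends 4 requests 5 s apart after each deadtime expiry and then waits a full deadtime again. The forced-DEAD-on-configure step from the explanation above is not modelled; the server is simply unreachable from the start.

```python
"""Constructed timing model of RADIUS dead-server handling (not Cisco code).

Assumptions, all taken from the thread: deadtime is a hold-down in seconds,
'dead-criteria time 5 tries 3' means ~15 s of failed client authentication
before a server is marked DEAD, an idle-time tester probes every idle-time
seconds whatever the state, and probe-on sends 4 requests 5 s apart after
every deadtime expiry and then waits a full deadtime before the next burst."""
from dataclasses import dataclass, field

DEAD_CRITERIA_SECONDS = 15   # 'radius-server dead-criteria time 5 tries 3' (assumed)
PROBE_ON_BURST = 4           # requests per probe-on burst, as measured by diduarte
PROBE_ON_GAP = 5             # seconds between the requests of one burst


@dataclass
class DeadServerModel:
    mode: str                  # "none", "idle-time" or "probe-on"
    deadtime: int              # radius-server deadtime, modelled in seconds
    idle_time: int = 0         # automate-tester idle-time for mode "idle-time", seconds
    reachable: bool = False    # ground truth: does the ISE node answer at all?
    state: str = "ALIVE"       # what the switch believes about the server
    flaps: int = 0             # times the switch pulled ports out of critical auth
    probes: int = 0            # test-user requests sent towards ISE (the "noise")
    outage_seconds: int = 0    # seconds real clients spent failing against a dead server
    alive_since: int = 0
    dead_expires: int = 0
    events: list = field(default_factory=list)

    def _log(self, t, msg):
        self.events.append((t, msg))

    def _mark_dead(self, t):
        """Enter (or stay in) DEAD and start a fresh deadtime hold-down."""
        if self.state != "DEAD":
            self._log(t, "server DEAD -> ports move to critical auth")
        self.state = "DEAD"
        self.dead_expires = t + self.deadtime

    def _probe(self, t, label):
        """Send one test-user request; a reply flips the server to ALIVE."""
        self.probes += 1
        if self.reachable:
            self.state, self.alive_since = "ALIVE", t
            self._log(t, f"{label} answered -> server ALIVE")
            return True
        self._log(t, f"{label} unanswered")
        return False

    def run(self, duration):
        """Advance the model second by second and return the summary counters."""
        next_idle = self.idle_time
        burst = []               # pending probe-on request ticks
        for t in range(duration):
            if self.mode == "idle-time" and t == next_idle:
                # tester fires regardless of state; an unanswered probe restarts the hold-down
                next_idle += self.idle_time
                if not self._probe(t, "idle-time probe"):
                    self._mark_dead(t)
            if self.state == "DEAD":
                if self.mode == "probe-on":
                    if not burst and t >= self.dead_expires:
                        burst = [t + i * PROBE_ON_GAP for i in range(PROBE_ON_BURST)]
                        self._log(t, "deadtime expired -> probe-on burst starts")
                    if burst and t == burst[0]:
                        burst.pop(0)
                        if self._probe(t, "probe-on request"):
                            burst = []
                        elif not burst:
                            self._mark_dead(t)      # whole burst failed: wait a full deadtime
                elif t >= self.dead_expires:
                    # no probe result to rely on: the switch assumes the server is back
                    self.state, self.alive_since = "ALIVE", t
                    self.flaps += 1
                    self._log(t, "deadtime expired -> server ALIVE, ports reinitialize")
            if self.state == "ALIVE" and not self.reachable:
                if t - self.alive_since < DEAD_CRITERIA_SECONDS:
                    self.outage_seconds += 1    # clients fail until dead-criteria is met
                else:
                    self._mark_dead(t)
        return {"flaps": self.flaps, "probes": self.probes,
                "outage_seconds": self.outage_seconds}


def compare(duration=3600):
    """One hour with ISE unreachable, for the three configurations in the thread."""
    return {
        "no tester, deadtime 15 min": DeadServerModel("none", 900).run(duration),
        "idle-time 2 min, deadtime 15 min": DeadServerModel("idle-time", 900, idle_time=120).run(duration),
        "probe-on, deadtime 2 min": DeadServerModel("probe-on", 120).run(duration),
    }


if __name__ == "__main__":
    for name, summary in compare().items():
        print(f"{name}: {summary}")
```

With ISE down for an hour, the no-tester case reinitialises ports three times, each costing a dead-criteria window of failed authentications, which is the Yo Yo. The idle-time tester keeps the server DEAD as long as idle-time is shorter than deadtime, at the cost of a probe every two minutes even when ISE is healthy (set `reachable=True` to see that load). The probe-on case sends its four-request burst every deadtime plus 15 seconds and nothing at all while the server is believed alive, which is the behaviour diduarte recorded.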