02-18-2008 12:51 PM - edited 03-10-2019 03:39 PM
I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?
Any help is appreciated. Here is my config:
#version 8.4(7)GLX
!
#radius
set radius server 10.30.XX.XX auth-port 1812 primary
set radius server 10.18.XX.XX auth-port 1812
set radius timeout 30
set radius key EE08361
!
set dot1x system-auth-control enable
!
set port dot1x 5/27 port-control auto
All radius and dot1x settings are at their default values.
Any takers??!
02-19-2008 01:33 PM
bump...anyone?
02-19-2008 01:59 PM
I have the same setup as yours. I use Steelbelt radius 6.0.1 on Linux and I have Cisco 2960 catalyst. I use 802.1x over Ethernet with PEAP, as seen below:
C2960#sh run int g0/23
Building configuration...
Current configuration : 133 bytes
!
interface GigabitEthernet0/23
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 668
end
C2960#
C2960#sh run | inc dot
aaa authentication dot1x default group radius
dot1x system-auth-control
dot1x guest-vlan supplicant
C2960#sh run | inc radius-
radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
C2960#
Everything works and when I shut down the radius server process on host 192.168.15.10, "sbrd stop", it still works with the secondary radius server 10.250.97.26.
The difference between yours and mine is that I am running IOS instead of CatOS.
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
David
02-19-2008 04:05 PM
I do not believe it works with CatOS on that rev of code on the 4000. But would recommend a TAC case, nonetheless.
02-20-2008 06:32 AM
Make sure the radius keep alive is enabled. This helps the switch determine if the radius server is down:
set dot1x radius-keepalive enable
Let me know how that goes
Regards,
~JG
Do rate helpful posts
02-20-2008 06:42 AM
Thanks, but I tried that command and the switch does not recognize it.
02-20-2008 07:13 AM
Try
"set dot1x radius-keep-alive enable"
02-20-2008 07:35 AM
No dice. This is the message I received:
C4K> (enable) set dot1x radius-keep-alive enable
Unknown command "set dot1x radius-keep-alive". Use 'set dot1x help' for more info.
Here are my options:
C4K> (enable) set dot1x ?
max-req
quiet-period
re-authperiod
server-timeout
shutdown-timeout
supp-timeout
system-auth-control
tx-period
C4K> (enable) set dot1x
02-20-2008 07:55 AM
Please send me the output of show radius
cisco> (enable) sho radius
02-20-2008 08:04 AM
C4K> (enable) sh radius
RADIUS Deadtime: 0 minutes
RADIUS Key: EEXXXXX
RADIUS Retransmit: 2
RADIUS Timeout: 5 seconds
Framed-Ip Address Transmit: Disabled
RADIUS-Server                  Status   Auth-port     Acct-port
-----------------------------  -------  ------------  ------------
10.30.XX.XX                    primary  1812          1813
10.18.XX.XX                             1812          1813
02-20-2008 08:16 AM
Seems to be a bug,
Regards,
~JG
02-20-2008 12:38 PM
Right, but it doesn't work on the 4000, since the 4000 will not make it up to this rev of code for CatOS.
02-20-2008 12:40 PM
Exactly. I see 8.4.11GLX as the latest version. Any other ideas? Thanks
02-28-2008 09:32 AM
I just wanted to follow up, as I have found the resolution. I was surprised that TAC did not have the answer either.
I entered the command:
set feature dot1x-radius-keepalive enable
Everything works great now. Thanks for the ideas.
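Added example, not part of the original thread or any Cisco tooling: a small Python audit that scans saved CatOS configuration text for the condition resolved above, namely 802.1X ports with a backup RADIUS server but no `set feature dot1x-radius-keepalive enable`. The function names and the sample config are constructed for illustration, and the rule that the keepalive feature is needed for failover is taken from this thread's resolution only.

```python
import re

# Constructed sample modelled on the config posted in this thread (key redacted).
SAMPLE_CONFIG = """\
#radius
set radius server 10.30.XX.XX auth-port 1812 primary
set radius server 10.18.XX.XX auth-port 1812
set radius timeout 30
set radius key <redacted>
!
set dot1x system-auth-control enable
!
set port dot1x 5/27 port-control auto
"""

KEEPALIVE = "set feature dot1x-radius-keepalive enable"

def parse_catos(config):
    """Collect the RADIUS/802.1X settings relevant to failover from CatOS config text."""
    state = {"servers": [], "dot1x_global": False, "dot1x_ports": [], "keepalive": False}
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()   # normalise case and whitespace
        m = re.match(r"set radius server (\S+)(.*)", line)
        if m:
            state["servers"].append((m.group(1), "primary" in m.group(2).split()))
        elif line == "set dot1x system-auth-control enable":
            state["dot1x_global"] = True
        elif re.match(r"set port dot1x \S+ port-control auto$", line):
            state["dot1x_ports"].append(line.split()[3])
        elif line == KEEPALIVE:
            state["keepalive"] = True
    return state

def audit(config):
    """Return findings for a config whose 802.1X ports depend on RADIUS failover."""
    s = parse_catos(config)
    findings = []
    if not (s["dot1x_global"] and s["dot1x_ports"]):
        return findings                      # 802.1X not in use; nothing to check
    if len(s["servers"]) < 2:
        findings.append("only one RADIUS server configured; no backup to fail over to")
    elif not s["keepalive"]:
        findings.append("backup RADIUS server configured but '%s' is missing" % KEEPALIVE)
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run it against each switch's saved configuration; an empty result means the config either does not use 802.1X or already has the keepalive feature enabled alongside a backup server.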