Radius Server Dead and Radius Server Alive with ISE shutdown

alfonso.cornejo
Level 3

Hi,

I have a 3750X switch that is integrated with an ISE cluster for 802.1x authentication. During HA testing I shut down the entire ISE cluster and I noticed that the switch is marking the ISE nodes as Alive and then Dead repeatedly:

 

*Jan 2 19:34:47.776: %RADIUS-6-SERVERALIVE: Group ISE: Radius server 192.168.0.211:1645,1646 is responding again (previously dead).
*Jan 2 19:34:47.776: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.211:1645,1646 is being marked alive.
*Jan 2 19:34:53.648: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.211:1645,1646 is not responding.
*Jan 2 19:34:58.119: %DOT1X-5-FAIL: Authentication failed for client (e8ed.f3a9.a038) on Interface Gi1/0/4 AuditSessionID A6A03244000000680433B71F
*Jan 2 19:34:58.119: %MAB-5-FAIL: Authentication failed for client (e8ed.f3a9.a038) on Interface Gi1/0/4 AuditSessionID A6A03244000000680433B71F
*Jan 2 19:35:18.504: %DOT1X-5-FAIL: Authentication failed for client (fc4d.d439.9854) on Interface Gi1/0/3 AuditSessionID A6A03244000000670433B224
*Jan 2 19:35:18.713: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (fc4d.d439.9854) on Interface Gi1/0/3 AuditSessionID A6A03244000000670433B224
*Jan 2 19:35:28.058: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.212:1645,1646 is being marked alive.
*Jan 2 19:35:28.872: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.212:1645,1646 is not responding.
*Jan 2 19:35:33.905: %RADIUS-3-ALLDEADSERVER: Group ISE: No active radius servers found. Id 142.
*Jan 2 19:35:40.356: %DOT1X-5-FAIL: Authentication failed for client (e8ed.f3a9.a038) on Interface Gi1/0/4 AuditSessionID A6A032440000006A04345C13
*Jan 2 19:35:40.356: %MAB-5-FAIL: Authentication failed for client (e8ed.f3a9.a038) on Interface Gi1/0/4 AuditSessionID A6A032440000006A04345C13
*Jan 2 19:35:48.317: %DOT1X-5-FAIL: Authentication failed for client (fc4d.d439.9854) on Interface Gi1/0/3 AuditSessionID A6A032440000006904344E93
*Jan 2 19:35:48.602: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (fc4d.d439.9854) on Interface Gi1/0/3 AuditSessionID A6A032440000006904344E93

The two servers are completely down; how can the switch mark them as alive if there is no answer?

There are no repeated IP addresses.

This is causing me issues because the authentication process for the users tries to start again and again.

This is the radius configuration:

aaa group server radius ISE
server 192.168.0.211
server 192.168.0.212

aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE

aaa server radius dynamic-author
client 192.168.0.211 server-key XXXXXXXXXX
client 192.168.0.212 server-key XXXXXXXXXX

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.0.211 auth-port 1645 acct-port 1646 test username test-radius key 7 XXXXXXXXXXXX

radius-server host 192.168.0.212 auth-port 1645 acct-port 1646 test username test-radius key 7 XXXXXXXXXXXX
radius-server deadtime 2
radius-server vsa send accounting
radius-server vsa send authentication

Any suggestions?

Thanks in advance.


nspasov
Cisco Employee

Do you see any hits in the ISE Live Authentication logs?

Hi,

The two ISE nodes are shut down, but the switch says that it suddenly gets a response.

Hi,

Do you have the interface level command configured for dead/alive actions?

E.g

 authentication event server dead action authorize vlan
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize

Octavian Szolga
Level 4

Hi,

You have

radius-server dead-criteria time 5 tries 3
radius-server deadtime 2

You use a timeout of 5 seconds. If no response is received within 5, retry for max. 3 times.

If still no response, mark the server as down for 2 minutes, after which you should mark it alive in order to try again...

Please configure radius-server deadtime to 10 minutes and try again.

Thanks,

Octavian
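
To put numbers on the flapping the question shows, and on the dead-criteria/deadtime semantics described in this reply, here is an added example (not from the thread or from Cisco) that parses the RADIUS_ALIVE/RADIUS_DEAD syslog lines quoted in the question, measures how long each server stayed marked alive before being marked dead again, and flags any server that went back to dead in less than the configured dead-criteria time. The year in the timestamps and the year argument are assumptions, since IOS syslog carries no year.

```python
import re
from datetime import datetime

# Constructed sample: the RADIUS state-change lines quoted in the question above.
SAMPLE_LOG = """\
*Jan 2 19:34:47.776: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.211:1645,1646 is being marked alive.
*Jan 2 19:34:53.648: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.211:1645,1646 is not responding.
*Jan 2 19:35:28.058: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.212:1645,1646 is being marked alive.
*Jan 2 19:35:28.872: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.212:1645,1646 is not responding.
*Jan 2 19:35:33.905: %RADIUS-3-ALLDEADSERVER: Group ISE: No active radius servers found. Id 142.
"""

# Matches the IOS %RADIUS-4-RADIUS_ALIVE / RADIUS_DEAD messages; any other line is skipped.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): %RADIUS-\d-(?P<event>RADIUS_ALIVE|RADIUS_DEAD): "
    r"RADIUS server (?P<server>\d+\.\d+\.\d+\.\d+):"
)

def parse_transitions(log_text, year=2000):
    """Return [(timestamp, server_ip, 'alive' | 'dead')] in log order.
    IOS timestamps carry no year, so one is assumed; it only matters for ordering."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m["server"], "alive" if m["event"] == "RADIUS_ALIVE" else "dead"))
    return events

def alive_windows(events):
    """Seconds each server stayed marked alive before the switch marked it dead again."""
    windows, marked_alive_at = {}, {}
    for ts, server, state in events:
        if state == "alive":
            marked_alive_at[server] = ts
        elif server in marked_alive_at:
            windows.setdefault(server, []).append((ts - marked_alive_at.pop(server)).total_seconds())
    return windows

def flapping_servers(windows, dead_criteria_time_s):
    """Servers marked dead again in less than the configured dead-criteria time: the
    'alive' state lasted shorter than a single no-response check, the pattern in the question."""
    return sorted(s for s, w in windows.items() if min(w) < dead_criteria_time_s)

if __name__ == "__main__":
    windows = alive_windows(parse_transitions(SAMPLE_LOG))
    for server, w in windows.items():
        print(f"{server}: alive for {[round(x, 3) for x in w]} s before being marked dead again")
    print("flapping:", flapping_servers(windows, dead_criteria_time_s=5))  # prints ['192.168.0.212']
```

Feed it `show logging` output (or the syslog collector's copy) instead of the sample to see how often a server bounces between states and whether the re-marking happens on the deadtime boundary or much sooner.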

Emre Ozel
Level 1

Hi,
I shared a few things about the solution to this issue. I recommend you take a look.

https://community.cisco.com/t5/switching/detect-up-down-radius-server/m-p/4145622/highlight/true#M492353