Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2698
Views
0
Helpful
2
Replies

Radius Token Server or External Radius Server Down

umahar
Cisco Employee
Cisco Employee

‎03-28-2018 01:08 PM

Hi,

In the event that a radius token server or proxy radius server goes down will ISE send an access-reject back to the NADs or will ISE not send any response back and the NADs will mark ISE server down sending the endpoints into critical auth vlan ?

0 Helpful
2 Replies 2

umahar
Cisco Employee
Cisco Employee

‎03-28-2018 01:24 PM

I think AuthC policy should be able to accomodate this.

If Process failed then "Drop"

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to umahar

‎03-28-2018 10:09 PM

The options do not seem applicable to external RADIUS server sequence. I did a quick test in my lab and got below so it looks like always drop.

Event 5405 RADIUS Request dropped
Failure Reason 11353 No more external RADIUS servers; can't perform failover
Resolution Verify the following: At least one of the remote RADIUS servers in the ISE proxy service is up and configured properly ; Shared secret specified in the ISE proxy service for every remote RADIUS server is same as the shared secret specified for the ISE server ; Port of every remote RADIUS server is properly specified in the ISE proxy service.
Root cause Failover is not possible because no more external RADIUS servers are configured. Dropping the request.

In case of RADIUS token server, you are correct that the server timeouts are treated as process failures.

24616 RADIUS token identity store received timeout error
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
0 Helpful
Customers Also Viewed These Support Documents