
Understanding RADIUS Server Dead Criteria on switch

Dominique-luz
Level 1

Hi community,

I’m trying to better understand the behavior of RADIUS server dead detection and server group mapping on a Cisco switch. Below is my current configuration and observed output:

RADIUS Dead Detection Configuration:

radius-server deadtime 5
radius-server dead-criteria time 20 tries 2

RADIUS Server Configuration:

radius server ise-1
address ipv4 10.168.80.156 auth-port 1812 acct-port 1813
timeout 5
retransmit 1
automate-tester username dummy ignore-acct-port probe-on
key ciscolab

AAA Server Group Configuration:

aaa group server radius ISE_CUBE
server name ise-1

Command Output (show aaa dead-criteria radius 10.168.80.156):

RADIUS: No server group specified. Using radius
RADIUS Server Dead Criteria:
=============================
Server Details:
Address : 10.168.80.156
Auth Port : 1812
Acct Port : 1813
Server Group : radius
Dead Criteria Details:
Configured Retransmits : 1
Configured Timeout : 5
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Dead Detect Time : 20s
Computed Retransmit Tries: 2

My Questions:

1. Why does the switch show "No server group specified. Using radius" instead of mapping the server to the configured group ISE_CUBE?

2. I’ve read Cisco documentation about radius-server dead-criteria, but I’m still confused about the logic. With this configuration:
radius-server dead-criteria time 20 tries 2
— Does the switch mark the RADIUS server as dead if either 20 seconds or 2 retries occur without response?
— Or do both conditions need to be met?
— How do the timeout and retransmit values under the radius server configuration influence the dead-criteria?

7 Replies


balaji.bandi
Hall of Fame

If you have only one RADIUS server, then this does not make any difference as per your config.

If you have more RADIUS servers, then adding a group will give you failover: if one of the RADIUS servers fails, the other one picks up as expected when the dead timers are met.

You have not mentioned what switches, but in recent Cat 9K switches good improvements have been done.

As per your configuration :

radius-server deadtime 5

Sets the number of minutes during which a RADIUS server is not sent requests. 

radius-server dead-criteria time 20 tries 2

This configuration would cause the switch to mark a RADIUS server as dead if it hasn't received a valid packet within 20 seconds and if there have been 2 consecutive failed attempts to communicate with it. 

You can reduce this by tuning the requirements.

Best practice check:

Best Practice Global Settings for Switch

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#U3641515

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
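The reply above describes dead-criteria as an AND of two conditions (no valid packet for `time` seconds, and `tries` consecutive timeouts), with per-server `timeout`/`retransmit` governing how fast those timeouts accumulate. The following is an added example, not code from the thread or from Cisco, that models this documented logic against the thread's own values so you can see how many failed requests and how many seconds pass before `ise-1` is skipped. It assumes the usual reading of the Cisco knobs (each request is transmitted `1 + retransmit` times, each transmission waits `timeout` seconds, `dead-criteria time` is measured from the last valid packet, a dead server is skipped for `deadtime` minutes); `automate-tester` probes and the accounting port are deliberately not modelled, and the silent/answering responders and timestamps are constructed.

```python
"""Model of Cisco IOS XE RADIUS dead-server detection (added example, not from the thread).

Assumptions (stated as such): each request is transmitted 1 + retransmit times, each
transmission waits `timeout` seconds; `dead-criteria time` counts seconds since the last
valid reply; `dead-criteria tries` counts consecutive unanswered transmissions; the
server is marked dead only when BOTH are met and is then skipped for `deadtime` minutes.
Responders and timestamps below are constructed, not captured from a switch.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class DeadCriteria:
    time: int       # radius-server dead-criteria time <seconds>
    tries: int      # radius-server dead-criteria tries <n>
    deadtime: int   # radius-server deadtime <minutes>


@dataclass
class RadiusServer:
    name: str
    timeout: int        # per-transmission wait in seconds ("timeout N" under radius server)
    retransmit: int     # extra transmissions after the first ("retransmit N")
    crit: DeadCriteria
    last_valid_reply: float = 0.0   # assumption: a valid reply was seen at t=0
    consecutive_timeouts: int = 0
    dead_until: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def is_dead(self, now: float) -> bool:
        return self.dead_until is not None and now < self.dead_until

    def _evaluate(self, now: float) -> None:
        """Apply the dead-criteria after one unanswered transmission."""
        silent_for = now - self.last_valid_reply
        time_met = silent_for >= self.crit.time
        tries_met = self.consecutive_timeouts >= self.crit.tries
        self.log.append(f"t={now:5.0f}s silent={silent_for:3.0f}s timeouts={self.consecutive_timeouts} "
                        f"time_met={time_met} tries_met={tries_met}")
        if time_met and tries_met:                       # both, not either
            self.dead_until = now + self.crit.deadtime * 60
            self.log.append(f"t={now:5.0f}s {self.name} marked DEAD until t={self.dead_until:.0f}s")

    def send_request(self, now: float, responder: Callable[[float], bool]) -> Tuple[bool, float]:
        """One Access-Request including retransmits. responder(t) -> True if a reply
        arrives at time t. Returns (answered, time at which the request finished)."""
        if self.is_dead(now):
            self.log.append(f"t={now:5.0f}s {self.name} skipped (dead)")
            return False, now
        t = now
        for _ in range(1 + self.retransmit):
            if responder(t):
                self.last_valid_reply = t
                self.consecutive_timeouts = 0
                return True, t
            t += self.timeout                 # waited `timeout` seconds, nothing came back
            self.consecutive_timeouts += 1
            self._evaluate(t)
            if self.is_dead(t):               # no point retransmitting to a dead server
                break
        return False, t


def thread_config() -> RadiusServer:
    """The thread's values: timeout 5, retransmit 1, dead-criteria time 20 tries 2, deadtime 5."""
    return RadiusServer("ise-1", timeout=5, retransmit=1, crit=DeadCriteria(time=20, tries=2, deadtime=5))


def silent(_t: float) -> bool:        # constructed responder: ISE never answers
    return False


def first_request_thread_config() -> Tuple[bool, float, bool]:
    """One 802.1X request against a silent server: tries is met (2 timeouts) but time is not."""
    srv = thread_config()
    answered, finished_at = srv.send_request(0.0, silent)
    return answered, finished_at, srv.is_dead(finished_at)


def scenario_thread_config() -> dict:
    """Back-to-back requests until ise-1 is marked dead, then deadtime expiry and recovery."""
    srv = thread_config()
    t, requests = 0.0, 0
    while not srv.is_dead(t):
        _, t = srv.send_request(t, silent)
        requests += 1
    dead_at = t
    srv.send_request(dead_at + 1, silent)                       # skipped while dead
    revived, _ = srv.send_request(srv.dead_until, lambda _t: True)  # answers once deadtime lapses
    return {"requests_before_dead": requests, "dead_at": dead_at,
            "dead_until": srv.dead_until, "answered_after_deadtime": revived}


def scenario_time_but_not_tries() -> dict:
    """Same timers but tries 5: 30 s of silence satisfies time, yet one request only yields 2 timeouts."""
    srv = RadiusServer("ise-1", timeout=5, retransmit=1, crit=DeadCriteria(time=20, tries=5, deadtime=5))
    answered, t = srv.send_request(30.0, silent)
    return {"answered": answered, "finished_at": t, "dead": srv.is_dead(t),
            "timeouts": srv.consecutive_timeouts}


if __name__ == "__main__":
    srv = thread_config()
    t = 0.0
    while not srv.is_dead(t):
        _, t = srv.send_request(t, silent)
    print("\n".join(srv.log))
```

With the thread's values each request burns (1 + retransmit) * timeout = 10 s, so the first request already satisfies `tries 2` but the server is only marked dead when the `time 20` clock also runs out, i.e. after the second request at t=20 s; until then every supplicant authentication waits the full 10 s. Lowering `timeout` or `dead-criteria time` shortens that window, while `deadtime 5` decides how long the switch stops trying the server afterwards.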

I'm working with Catalyst 9200 switches.

  1. According to the following document: https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515,

    "This configuration would cause the switch to mark a RADIUS server as dead if it hasn't received a valid packet within 20 seconds and if there have been 2 consecutive failed attempts to communicate with it."

    These attempts are triggered by actual user/device authentication or accounting messages, correct? As far as I know, the command automate-tester username dummy ignore-acct-port probe-on is only used after the server is marked as dead, to check its availability. Can you confirm this behavior?

  2. How do the following parameters influence RADIUS failover behavior?

    timeout 5
    retransmit 1

    I appreciate your clarification.

1. Yes, that is how it detects the server and identifies it as dead.

2. These are optional; you can find more in the IOS XE documentation about how they are relevant.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-11/configuration_guide/sec/b_1611_sec_9200_cg/configuring_radius.html

By the way, is that RADIUS you are using for device administration or 802.1X?

BB


I am using RADIUS just for 802.1X and MAB.

Thanks