Wired 802.1x, ACS 3.3, 2000/XP/OSX supplicant, REDUNDANCY?!

rvaguilera
Level 1

Currently piloting wired 802.1x using Cisco ACS 3.3 for RADIUS, Catalyst switches, and 2000/XP/OSX built-in 802.1x supplicants.

Built 2 ACS servers for redundancy, but notice when I down the "primary" server, ports do not get authorized as quickly as we would like (sometimes not at all). I list both radius servers on the switches using the "radius-server" commands.

Is there any way to speed up the failover?

2 Replies

simonstoll
Level 1

Hi

The switch first tries to reach ACS 1, and after some time (retransmit x timeout) it tries to connect to the secondary ACS. Usually (at least on a 1200 AP) the retransmit is 3 times and the timeout is 10 seconds, so that makes 30 seconds until it tries to reach the second ACS. You can speed that up by changing the following two values:

radius-server retransmit (value)

radius-server timeout (value in seconds)

Plus, additionally, you can play with the value:

radius-server deadtime

to mark an ACS as down for a period of time so the switch doesn't try to reach it for that period of time.

I hope that helps.

jimmie25h69
Level 1

On my cat6000, I kept the radius defaults and adjusted the dot1x server-timeout to 10 seconds. The normal machine auth takes about 10 seconds. Upon ACS failure there is an additional 10 seconds totaling 20 seconds for machine auth.

Here are all my settings that work in my 802.1x wired environment with ACS redundancy.

show radius

RADIUS Deadtime: 0 minutes

RADIUS Key:

RADIUS Retransmit: 2

RADIUS Timeout: 5 seconds

Framed-Ip Address Transmit: Disabled

show dot1x

PAE Capability Authenticator Only

Protocol Version 1

system-auth-control enabled

max-req 2

quiet-period 60 seconds

radius-accounting disabled

radius-vlan-assignment enabled

radius-keepalive state enabled

re-authperiod 3600 seconds

server-timeout 10 seconds

shutdown-timeout 300 seconds

supp-timeout 30 seconds

tx-period 7 seconds
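
The failover arithmetic from the replies above, as a simplified model added here as an example (not part of the original thread and not Cisco code). It assumes a dead server costs retransmit x timeout seconds as the first reply states, that a live server answers instantly, and that deadtime is in minutes as in the `show radius` output; the server names and arrival times are constructed.

```python
"""Simplified model of RADIUS failover delay seen by an 802.1x authenticator."""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    up: bool
    dead_until: float = 0.0  # clock time (s) before which the server is skipped


def auth_delay(servers, now, retransmit, timeout, deadtime_min):
    """Seconds until some server answers a request started at `now`.

    Returns None if every candidate server was tried and none answered.
    Assumption: each unreachable server costs retransmit * timeout seconds.
    """
    waited = 0.0
    # Skip servers currently marked dead; if all are marked dead, try them all.
    candidates = [s for s in servers if s.dead_until <= now] or servers
    for s in candidates:
        if s.up:
            return waited
        waited += retransmit * timeout
        if deadtime_min > 0:
            # Mark the server dead from the moment it was given up on.
            s.dead_until = now + waited + deadtime_min * 60
    return None


def simulate(arrivals, retransmit, timeout, deadtime_min):
    """Delay for each authentication request with the primary down."""
    servers = [Server("acs1", up=False), Server("acs2", up=True)]
    return [auth_delay(servers, t, retransmit, timeout, deadtime_min)
            for t in arrivals]


if __name__ == "__main__":
    arrivals = [0, 60, 120]  # constructed: three ports authenticating a minute apart
    for label, args in [("retransmit 3, timeout 10, deadtime 0", (3, 10, 0)),
                        ("retransmit 3, timeout 10, deadtime 5", (3, 10, 5)),
                        ("retransmit 2, timeout 5,  deadtime 0", (2, 5, 0))]:
        print(label, "->", simulate(arrivals, *args))
```

With deadtime at 0 every authentication pays the full wait on the dead primary; with a non-zero deadtime only the first one does.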