4261 Views, 4 Helpful, 15 Replies

wired 802.1x and radius-server configuration

david.tran (Level 4)

I have ISE configured for wired 802.1x and I am trying to understand the purpose of this command on the catalyst 6509 switch:

radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1

What is the purpose of the account cciesec and idle-time 1? Does it mean that the switch will attempt to connect to the RADIUS server 10.7.12.28 every 1 minute to see if the RADIUS server is still alive? If so, how does it do it without the password specified?

thanks in advance

15 Replies

askhuran (Level 1)

Hello David,

The test username option enables automated testing of the RADIUS server connection, for monitoring purposes. The specified username does not need to be a valid user name. Even if authentication fails, the response received from RADIUS confirms that it is up and running. By default the username is test and the password is test.

Regards,

Ok... can you give the exact syntax so that I can test it on my catalyst 6509?

Thanks,

David,

radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number]  [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds]  [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time seconds]

no radius-server host {hostname | ip-address}

E.g.:

radius-server host 192.0.2.176 test username test1 auth-port 1645 acct-port 1646

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Here is my dilemma:

without the "test username cciesec idle-time 1" added, my 802.1x wired machine can get on the network just fine without any issues with ISE authentication. 

radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1

radius-server host 10.7.12.29 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1

now my 802.1x machine can NOT authenticate with ISE and I can NOT log into the network.

Btw, my 6509 is running version 12.2(33)XI10 with a Sup 720.

Anyone know why?

For the 6509 switch, review the following for the commands:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/webauth.html#wp1070653

Hope this helps

I already reviewed the configuration and my configuration looks good.

Btw, I opened a TAC case with Cisco and after 30 minutes on the call the TAC engineer had NO answer either. He confirmed that my configuration looks good.

He will try to replicate it in the lab and get back to me.

I am beginning to have doubts about the ISE product, and NOT in a very positive way.

Hello David,

I don't think that an engineer like you with great caliber should ever give up. What I had noticed in the link I provided:

The 6509 uses dead-criteria for RADIUS monitoring. So use it without the "test username cciesec idle-time 1", as you had been doing, and with the following:

radius-server dead-criteria tries num-tries

I hope you have already thoroughly reviewed the RADIUS debug output.

Ashok Khurana wrote:

Hello David,

I don't think that an engineer like you with great caliber should ever give up.

First of all, I don't think that I have great caliber. 

Yes, I am aware of the radius-server dead-criteria. However, I do not work for Cisco and I would like to have a solution from someone who has done this before and knows how it works, not guessing around.

My point is that both "radius-server dead-criteria 5 3" and "test username cciesec idle-time 1" should do some kind of authentication against the ISE often, right?

Well, I spanned the port of the ISE and I am not seeing any authentication check from the switch to the ISE. So how does the switch know when the ISE is not available without checking the ISE every few seconds, like a "keepalive radius packet"?

I just want to understand how the "test username cciesec idle-time 1" works, not the work-around approach.

Thank you very much for your help.

David

My point is that both "radius-server dead-criteria 5 3" and "test username cciesec idle-time 1" should do some kind of authentication against the ISE often, right?

The test username command is an optional method used to verify the availability of a configured RADIUS server by sending authentication messages with the configured username and checking for a response, whether it receives an accept or a deny.

The important thing to note regarding this command is that it is somewhat redundant, because in a regular dot1x network, when a user wants to log in, the switch automatically sends RADIUS authentication messages to ISE, and if the RADIUS server doesn't respond within the time window specified by the radius-server dead-criteria time command, it is marked dead.

This means that the test username command is useful only for long periods of inactivity when no one logs in, so you proactively check for RADIUS reachability without having any user authentication processes ongoing.

My suggestion is to get rid of the test username command and use radius-server dead-criteria time, necessarily combined with radius-server deadtime, because otherwise the RADIUS server will flap between dead and alive status.

Note:

radius-server dead-criteria time X tries Y

X = timeout for the request message sent to ISE

Y = number of messages before giving up (i.e., mark the server dead)

test username - by default, the requests are sent at a 1 hour interval.

radius-server deadtime X - how long to consider the RADIUS server dead before trying again

Octavian Szolga wrote:

This means that the test username command is useful only for long periods of inactivity when no one logs in, so you proactively check for radius reachability without having any user authentication processes ongoing.

My suggestion is to get rid of the test username command and use radius-server dead-criteria time, necessarily combined with radius-server deadtime, because otherwise the radius server will flap between dead and alive status.

What you said sounds fair, but I have to ask: have you ever tested this, or is it just speculation?

The reason I say that is because I do NOT use radius-server dead-criteria time or radius-server deadtime, and I use test username with an idle-time of 1 minute, and the Catalyst 6509 switch has no traffic communicating with the ISE RADIUS when everything is idle. I can confirm this because the ISE is sitting behind a Checkpoint firewall and I am not seeing RADIUS traffic from the switch to the ISE via tcpdump.

It looks to me that the "test username idle-time 1" is broken.  The Cisco TAC engineer couldn't figure it out either

Update to this issue: Many thanks to the Cisco TAC engineer Ankur Bajaj for solving this issue. The correct syntax should be:

radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 test username cciesec idle-time 1 key 123456

whereas in my original configuration I had:

radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1, which is WRONG.

What Ankur Bajaj said makes sense, if you put "test username cciesec idle-time 1" after the radius key, it will take "123456 test username cciesec idle-time 1" as the radius key.

Even though it makes sense, in the ISE log I am not seeing anything about a mismatched RADIUS key, so I think it must be another bug on either the Catalyst 6509 or the ISE.
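Added example, not code from the thread, the switch, or Cisco: the Python below models the two mechanisms this thread turns on. First, how IOS reads a radius-server host line: keywords are consumed left to right until key, and the key string then runs to the end of the line, which is why Cisco documents key as the last argument and why the original line silently became a 40-character secret with no test username at all. Second, RFC 2865 section 5.2 PAP User-Password hiding, which is why a shared-secret mismatch shows up at the server as a password that does not match rather than as a "key mismatch" log entry: the server XORs the hidden password with MD5(its own secret + Request Authenticator) and recovers garbage. The config snippet, the dead-criteria/deadtime values (10/3 and 15, illustrative, placed there so the parser also shows the pair from the earlier reply), the user password and the Request Authenticator are all constructed for the example.

```python
import hashlib
import os
import re
from typing import Optional

# Constructed sample configuration (not taken from the thread's switch).
# Host 10.7.12.28 is the misordered line from the original post; host
# 10.7.12.29 is the corrected form with 'key' last, plus the
# dead-criteria/deadtime pair from the reply (values are illustrative).
CONFIG = """\
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
radius-server host 10.7.12.28 auth-port 1812 acct-port 1813 key 123456 test username cciesec idle-time 1
radius-server host 10.7.12.29 auth-port 1812 acct-port 1813 test username cciesec idle-time 1 key 123456
"""

_NUMERIC = {"auth-port": "auth_port", "acct-port": "acct_port", "idle-time": "idle_time",
            "timeout": "timeout", "retransmit": "retransmit"}


def parse_radius_server_host(line: str) -> dict:
    """Parse one 'radius-server host' line the way IOS reads it: keywords are
    consumed left to right until 'key'; everything after 'key' up to the end
    of the line (spaces included) is the shared secret."""
    line = line.rstrip("\r\n")
    tokens = line.split()
    if tokens[:2] != ["radius-server", "host"] or len(tokens) < 3:
        raise ValueError(f"not a radius-server host line: {line!r}")
    cfg = {"host": tokens[2], "test_username": None, "idle_time": None, "key": None}
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if tok == "key":
            cfg["key"] = re.search(r"\skey\s+(.*)$", line).group(1)
            break
        if tok in _NUMERIC:
            cfg[_NUMERIC[tok]] = int(tokens[i + 1])
            i += 2
        elif tok == "test" and tokens[i + 1] == "username":
            cfg["test_username"] = tokens[i + 2]
            i += 3
        elif tok in ("ignore-auth-port", "ignore-acct-port"):
            cfg[tok.replace("-", "_")] = True
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    return cfg


def parse_config(text: str) -> dict:
    """Collect the liveness knobs and the per-host settings from a config snippet."""
    out = {"dead_criteria": None, "deadtime": None, "hosts": []}
    for raw in text.splitlines():
        line = raw.lstrip()
        if line.startswith("radius-server host "):
            out["hosts"].append(parse_radius_server_host(line))
        elif m := re.fullmatch(r"radius-server dead-criteria time (\d+) tries (\d+)", line):
            out["dead_criteria"] = (int(m[1]), int(m[2]))
        elif m := re.fullmatch(r"radius-server deadtime (\d+)", line):
            out["deadtime"] = int(m[1])
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then XOR
    each block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform. A wrong secret produces garbage, not an
    error: the server can only report that the password did not match."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def server_sees(password: str, nas_secret: str, server_secret: str,
                authenticator: Optional[bytes] = None) -> str:
    """The password a RADIUS server recovers from a PAP Access-Request that the
    NAS hid with nas_secret, when the server is configured with server_secret."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password.encode(), nas_secret.encode(), authenticator)
    return reveal_password(hidden, server_secret.encode(), authenticator).decode("latin-1")


if __name__ == "__main__":
    parsed = parse_config(CONFIG)
    print("dead-criteria (time, tries):", parsed["dead_criteria"], "deadtime:", parsed["deadtime"])
    for h in parsed["hosts"]:
        seen = server_sees("Passw0rd!", h["key"], "123456", bytes(range(16)))
        print(f"{h['host']}: test username={h['test_username']!r} key={h['key']!r}"
              f" -> server recovers {seen!r}")
```

Running it shows the first host with the long accidental key and no test username, and the second with key 123456 and test username cciesec; only the second host's requests decrypt to the real password on a server configured with 123456. If the NAS includes a Message-Authenticator attribute (RFC 2869) and the server verifies it, a secret mismatch is detected before the password is even looked at; with plain PAP and no Message-Authenticator, the server has nothing to distinguish a wrong secret from a wrong password, which is consistent with the "bad password" seen on the Cat4500 below. The dead-criteria and deadtime lines are parsed so the pair stays visible next to the host lines; the example does not simulate the switch's dead-marking timers.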

What you said sounds fair, but I have to ask: have you ever tested this, or is it just speculation?

Yes I did test it and it works although on different platforms (IOS bug?) it behaves differently.

On a Cat4500 the password sent with the username (I guess) is the RADIUS key and ISE reports a bad password for that username, but on a 3750 the password sent with the username is the right one (the one configured with the username X password Y command) and ISE reports successful authentication.

What is indeed weird is the fact that you're not seeing at all some authentication requests coming from Cat6500.

Octavian Szolga wrote:

Note:

radius-server dead-criteria time X tries Y

X = timeout for the request message sent to ISE

Y = number of messages before giving up (ie - mark server dead)

test username - by default, the requests are sent at 1 hour interval.

radius-server deadtime X - how long to consider the radius server dead before trying again

Do you have a recommendation regarding the values in radius-server dead-criteria time X tries Y

I heard that for example Windows clients end up not connecting at all if the timers are too long. Is there a recommendation?

regards

Roger

Do you have a recommendation regarding the values in

radius-server dead-criteria time X tries Y

I personally do not have a recommendation regarding the timers, but Cisco says in the TrustSec design slides or ISE Deep Dive slides that for an ISE implementation with Active Directory it would be best to configure a timeout of 10 seconds and 3 retries, because in some situations the Domain Controller may be overwhelmed with requests from clients and so on.

It all depends on your particular deployment and the desired fail-over interval.
