Octavian Szolga wrote:
I personally do not have a recommendation regarding the timers, but Cisco says in the TrustSec design slides or ISE DeepDives slides that for an ISE implementation with Active Directory Services it would be best to configure a timeout of 10 seconds and 3 retries because in some situations the Domain Controller may be overwhelmed with requests from clients and so on.
It all depends on your particular deployment and the requested fail-over interval.
Thanks for your reply! Could you please post the link to the TrustSec design slides or ISE DeepDive slides? I would be very interested to read those specific chapters. There are so many design guides on CCO, I have a hard time finding the correct ones :-)
In a customer deployment a colleague was using radius-server dead-criteria time 4 tries 3 due to some test with Windows clients and this was working fine, no timeouts on client side anymore.
As you said, if the timer is too short, the domain controller might end up with troubles...