Hello Mukundh,

I would say it's because of this:

aaa-server RADIUS deadtime 10

"While the command may be configured even without having configured the LOCAL method on any of the three authentication and authorization commands described earlier, it only affects operations when a user has configured two methods. Obviously, at this time, the second method must and be LOCAL.

The command specifies the minutes a particular method should be marked unresponsive and skipped. When a AAA server group has been marked unresponsive, the firewall will immediately perform the authentication or authorization against the next method which will be the local firewall user database. Every server in a group must be marked unresponsive before the entire group will be declared unresponsive.

When you configure the deadtime to "0", the AAA server group is never considered unresponsive and all authentication and authorization requests are always attempted against this AAA server group first before using the next method in the method list (for example, falling back to the local user database).

The [no] form of this command restores the aaa-server command to its default value of 10 minutes.

The deadtime begins as soon as the last server in the AAA server group has been marked DOWN. A server is marked down when maximum number of attempts defined in max-attempts has been reached and failed to receive a response. Upon expiration of the deadtime, the AAA server group becomes active and all requests will are submitted once again to the AAA servers in the AAA server group."

So in your case you should be able to use the radius authentication method 10 minutes later the radius server went down,

Please change it to 1 minute, wait and see how it behaves.

Regards,

Julio

Rate all the helpful posts