12-08-2003 08:17 AM - edited 02-20-2020 09:23 PM
I am using a Cisco 2950 Catalyst for 802.1X EAP-TLS based port security. For the radius servers, I'm using the Internet Authentication Service (IAS) for Windows 2000 Server. My problem is, when I list a second radius server for redundancy purposes on the switch, the device cannot authenticate via that server. If I remove the first radius entry and leave the second unchanged, authentication occurs successfully. The error that appears on the IAS server indicates the catalyst is including an inappropriate signature, which is the same type of error as when the shared secret is set incorrectly. The command I use to establish the two servers is essentially:
radius-server host <IP Address> key <shared secret>
radius-server host <IP Address2> key <shared secret>
I have also tried globalising the shared secret by removing the key portion of the command above and adding:
radius-server key <shared secret>
but none of the combinations work. In each case, the radius server entered first works correctly and the one entered second does not.
01-09-2004 08:20 AM
Did you ever get a response to this? I have the same problem using IAS on two W2K servers in different domains. I had to add any remote users to the first domain listed to have the authentication using the IAS server work.
01-09-2004 08:42 AM
Thanks for trying to help. We ended up getting around the problem by adding the following two commands:
radius-server retransmit 3
radius-server deadtime 1
02-04-2004 01:15 PM
Hi,
I have a problem trying to add a second radius server for redundancy. It does not seem to automatically switch over to the secondary radius server.
Thanks.
02-05-2004 07:19 AM
I did find a solution that worked in our environment. It was to add the following commands on the client:
radius-server retransmit 3
radius-server deadtime 1
This enhanced the failover to operate correctly. Hope that helps.
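The two replies above give the fix as two lines; the following is an added example (not from any of the posts) of a complete switch-side configuration that puts them in context on a Catalyst 2950 running 802.1X against two IAS servers. The IP addresses, shared secret, VLAN number and interface are placeholders; the commands themselves are standard Cisco IOS 12.1 EA syntax for this platform.

```cisco
! Added example: Catalyst 2950 as 802.1X authenticator with two RADIUS
! servers (IAS). Addresses, secret, VLAN and interface are placeholders.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! One entry per server. The key must be the last item on the line, because
! IOS takes everything after "key" (spaces included) as the secret. Each
! key has to match the RADIUS client entry for this switch's IP on that
! particular IAS server; a mismatch on one server shows up on IAS as the
! bad-signature error mentioned in the first post.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key Sw1tchS3cret
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key Sw1tchS3cret
!
! Failover tuning from the replies above. timeout 5 and retransmit 3 are
! the IOS defaults, written out here for clarity; deadtime 1 is the setting
! that changes behaviour: a server that stops answering is skipped for one
! minute instead of being retried first on every new authentication.
radius-server timeout 5
radius-server retransmit 3
radius-server deadtime 1
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
```

With the defaults shown, a dead first server still costs one full round of retries (4 attempts at 5 seconds, about 20 seconds) each time its deadtime window expires, so keep that total below the supplicant's own authentication retry period or clients will see intermittent failures rather than clean failover. `debug radius` on the switch shows which server each request goes to and whether a reply arrives, and `show dot1x interface FastEthernet0/1` shows the resulting port state.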
10-10-2012 03:28 AM
I had the same issue trying to introduce redundancy in my network 802.1x Authentication using IAS on Win 2k3 and NPS on Win2k8, in a multiforest scenario.
I finally got it working by introducing a RADIUS Proxy (IAS on Win2k3) with two backend servers, running Win2k3 (IAS) and Win2k8 (NPS) respectively, one for each forest.
That simplified my config on network equipment, such as switches and routers, by setting only one radius-server host.
In order to avoid the single point of failure introduced by the Radius proxy, I used a backup solution taking frequent snapshots of the VM running the proxy and deploying at the same time a silent VM ready to boot in case of failover.
Hope I've helped.