radius server redundancy config

dan.letkeman
Level 4

Hello,

Having some trouble with my redundant radius server config. I have configured the switch to use two different radius servers in a group.

When I shut down one of the radius servers the switch still requests a connection to the down server, then times out and tries the secondary server, but the last message I see is "access-challenge" on the radius servers and it stalls there. The only way I can get it to work again is to wait a long time or do a shut, no shut on the port. So it seems as if the redundancy is working but not all of the messages are getting through when it fails over to the redundant server.

I'm also seeing these messages when I shut off the radius server. Don't think I should be seeing the alive message when it's off.

Dec 10 01:38:08.246: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.

Dec 10 01:39:08.250: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.

3560G 15.0(1)SE3

Relevant config:

aaa group server radius gvsd_radius
 server name radius1
 server name radius2
!
aaa authentication dot1x default group gvsd_radius
aaa authorization network default group gvsd_radius
aaa accounting dot1x network start-stop group gvsd_radius
!
dot1x system-auth-control
!
interface GigabitEthernet0/16
 switchport access vlan 1125
 switchport mode access
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 spanning-tree portfast
!
radius-server retransmit 5
radius-server deadtime 1
!
radius server radius2
 address ipv4 10.11.200.11 auth-port 1812 acct-port 1813
 key cisco
!
radius server radius1
 address ipv4 10.11.200.10 auth-port 1812 acct-port 1813
 key cisco
!

Here is an example. I had 10.11.200.10 (radius1) running, authenticated successfully, then shut it off. With 10.11.200.11 (radius2) the only one running, I did a shut, no shut on G0/16.

logs:

Dec 10 02:32:15.151: RADIUS/ENCODE(000004F2):Orig. component type = Dot1X
Dec 10 02:32:15.151: RADIUS(000004F2): Config NAS IP: 0.0.0.0
Dec 10 02:32:15.151: RADIUS(000004F2): Config NAS IPv6: ::
Dec 10 02:32:15.151: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
Dec 10 02:32:15.151: RADIUS(000004F2): Sending a IPv4 Radius Packet
Dec 10 02:32:15.151: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:17.106: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
802.1x(config-if)#
Dec 10 02:32:19.815: RADIUS(000004F2): Request timed out
Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:19.815: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:24.580: RADIUS(000004F2): Request timed out
Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:24.580: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:29.353: RADIUS(000004F2): Request timed out
Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:29.353: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:33.145: RADIUS/ENCODE(000004F2):Orig. component type = Dot1X
Dec 10 02:32:33.145: RADIUS(000004F2): Config NAS IP: 0.0.0.0
Dec 10 02:32:33.145: RADIUS(000004F2): Config NAS IPv6: ::
Dec 10 02:32:33.145: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
Dec 10 02:32:33.145: RADIUS(000004F2): Sending a IPv4 Radius Packet
Dec 10 02:32:33.145: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:34.319: RADIUS(000004F2): Request timed out
Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:34.319: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:38.119: RADIUS(000004F2): Request timed out
Dec 10 02:32:38.119: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
Dec 10 02:32:38.119: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:38.656: RADIUS(000004F2): Request timed out
Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:38.656: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:42.758: RADIUS(000004F2): Request timed out
Dec 10 02:32:42.767: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
Dec 10 02:32:42.767: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:43.471: RADIUS(000004F2): Request timed out
Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
Dec 10 02:32:43.471: RADIUS:  authenticator 77 4E 8B 50 10 D5 86 A4 - 78 32 47 FE 83 B0 1E BE
Dec 10 02:32:43.471: RADIUS:  User-Name           [1]   23  "host/user@example.com"
Dec 10 02:32:43.471: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Dec 10 02:32:43.471: RADIUS:  Framed-MTU          [12]  6   1500
Dec 10 02:32:43.471: RADIUS:  Called-Station-Id   [30]  19  "9C-AF-CA-F4-40-10"
Dec 10 02:32:43.471: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-7D-72-DE"
Dec 10 02:32:43.471: RADIUS:  EAP-Message         [79]  28
Dec 10 02:32:43.471: RADIUS:   02 01 00 1A 01 68 6F 73 74 2F 75 73 65 72 40 65 78 61 6D 70 6C  [host/user@exampl]
Dec 10 02:32:43.471: RADIUS:   65 2E 63 6F 6D             [ e.com]
Dec 10 02:32:43.471: RADIUS:  Message-Authenticato[80]  18
Dec 10 02:32:43.471: RADIUS:   9E E2 EE 64 F7 3E 21 37 20 EB 75 10 44 82 0C 46          [ d>!7 uDF]
Dec 10 02:32:43.471: RADIUS:  EAP-Key-Name        [102] 2   *
802.1x(config-if)#
Dec 10 02:32:43.471: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Dec 10 02:32:43.471: RADIUS:  NAS-Port            [5]   6   50016
Dec 10 02:32:43.471: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/16"
Dec 10 02:32:43.471: RADIUS:  NAS-IP-Address      [4]   6   10.11.200.73
Dec 10 02:32:43.471: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:44.478: RADIUS: Received from id 1645/184 10.11.200.11:1812, Access-Challenge, len 80
Dec 10 02:32:44.478: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
802.1x(config-if)#
Dec 10 02:32:47.666: RADIUS(000004F2): Request timed out
Dec 10 02:32:47.666: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
Dec 10 02:32:47.666: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:52.070: RADIUS(000004F2): Request timed out
Dec 10 02:32:52.070: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
Dec 10 02:32:52.070: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/185
Dec 10 02:32:52.070: RADIUS:  authenticator EB 8C C4 3F 9B 64 20 D1 - 29 55 5C 79 37 AA F2 58
Dec 10 02:32:52.070: RADIUS:  User-Name           [1]   23  "host/user@example.com"
Dec 10 02:32:52.070: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Dec 10 02:32:52.070: RADIUS:  Framed-MTU          [12]  6   1500
Dec 10 02:32:52.070: RADIUS:  Called-Station-Id   [30]  19  "9C-AF-CA-F4-40-10"
Dec 10 02:32:52.070: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-7D-72-DE"
Dec 10 02:32:52.070: RADIUS:  EAP-Message         [79]  28
Dec 10 02:32:52.070: RADIUS:   02 01 00 1A 01 68 6F 73 74 2F 75 73 65 72 40 65 78 61 6D 70 6C  [host/user@exampl]
Dec 10 02:32:52.070: RADIUS:   65 2E 63 6F 6D             [ e.com]
Dec 10 02:32:52.070: RADIUS:  Message-Authenticato[80]  18
Dec 10 02:32:52.070: RADIUS:   9D 5E 7D 18 0D 3D 42 12 B5 37 23 C8 F8 C5 51 31          [ ^}=B7#Q1]
Dec 10 02:32:52.070: RADIUS:  EAP-Key-Name        [102] 2   *
Dec 10 02:32:52.070: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Dec 10 02:32:52.070: RADIUS:  NAS-Port            [5]   6   50016
Dec 10 02:32:52.070: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/16"
802.1x(config-if)#
Dec 10 02:32:52.070: RADIUS:  NAS-IP-Address      [4]   6   10.11.200.73
Dec 10 02:32:52.070: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:52.078: RADIUS: Received from id 1645/185 10.11.200.11:1812, Access-Challenge, len 80
Dec 10 02:32:52.078: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
802.1x(config-if)#
Dec 10 02:33:52.074: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
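The debug output above reduces to two measurable facts: how many retransmits go to the unresponsive server before each request fails over, and how long 10.11.200.10 stays marked dead before the RADIUS_ALIVE message. The following Python is an added example (not from the poster or from Cisco) that parses a constructed excerpt of the same log format and also records whether the dead server answered anything before being revived, which separates a timer-driven revival (here 60 s, matching `radius-server deadtime 1`, which is in minutes) from an observed recovery.

```python
import re
from datetime import datetime

# Constructed excerpt of the poster's "debug radius" output above (same message
# formats and addresses; the attribute-dump lines and request 1645/185 omitted).
SAMPLE_LOG = """\
Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
Dec 10 02:32:44.478: RADIUS: Received from id 1645/184 10.11.200.11:1812, Access-Challenge, len 80
Dec 10 02:32:52.070: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
Dec 10 02:33:52.074: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$", re.M)
RETX = re.compile(r"(Retransmit|Fail-over) to \(([\d.]+):\d+,\d+\) for id (\S+)")
RECV = re.compile(r"Received from id (\S+) ([\d.]+):\d+, ([\w-]+)")
MARK = re.compile(r"RADIUS_(DEAD|ALIVE): RADIUS server ([\d.]+):")

def analyse(log):
    """per_request[id]: retransmits per server, failover target, final reply.
    per_server[ip]: seconds from RADIUS_DEAD to RADIUS_ALIVE and whether the
    server answered anything in between (False means the timer alone revived it)."""
    requests, dead_since, per_server = {}, {}, {}
    for m in LINE.finditer(log):
        # IOS timestamps carry no year; any leap year keeps Feb 29 parseable
        ts, msg = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f"), m.group(2)
        if r := RETX.search(msg):
            req = requests.setdefault(r.group(3), {"retransmits": {}})
            if r.group(1) == "Retransmit":
                req["retransmits"][r.group(2)] = req["retransmits"].get(r.group(2), 0) + 1
            else:
                req["failover_to"] = r.group(2)
        elif r := RECV.search(msg):
            req = requests.setdefault(r.group(1), {"retransmits": {}})
            req["reply"], req["reply_from"] = r.group(3), r.group(2)
            if r.group(2) in dead_since:
                dead_since[r.group(2)]["answered"] = True
        elif r := MARK.search(msg):
            ip = r.group(2)
            if r.group(1) == "DEAD":
                dead_since[ip] = {"at": ts, "answered": False}
            elif ip in dead_since:
                d = dead_since.pop(ip)
                per_server[ip] = {"dead_seconds": (ts - d["at"]).total_seconds(),
                                  "answered_while_dead": d["answered"]}
    return requests, per_server
```

On the excerpt this reports five retransmits to 10.11.200.10 for id 1645/184 before the fail-over to 10.11.200.11 (matching `radius-server retransmit 5`), and a 60.004 s dead interval during which the dead server never answered.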

1 Reply

Cisco User
Level 1

Even though they say they are removing "radius-server" from the CLI and moving to "radius server #name#", if you want failover to work you will still need to add:

radius-server retry method reorder
radius-server retransmit 0

Cisco hasn't added the equivalent commands for the new radius server CLI subs yet, so if you didn't have them in already, you probably forgot to add them.

I was having the exact issue: the devices authenticating with MAB were working fine, but the switch wasn't even sending the DOT1X to the failover radius server. The above lines resolved it.

Reference:

http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_rad_reorder_fail.html

(I know the post is old, but an answer being here would have saved me some trouble, so I'm adding it)