New Windows Network policy and access server (Radius) not working

scottcummins
Level 1

CISCO Gurus

 

I currently have an older Windows 2008 Server set up as a RADIUS and all works well. I built a new Windows Server 2019 RADIUS server to replace it. They are both virtual machines in a VM environment. If I change the settings inside of one of my Cisco 3750 switches to point to the new one, it works fine.

However, if I change the IP and name of the new one to the IP and name of the old one, it does not work, and the company wireless stops working. I am wondering if there is some cache that might have to be cleared of a MAC address, or if someone has seen this before?

9 Replies

Seb Rupik
VIP Alumni

Hi there,

Since you don't explicitly mention it in your method, does the new server have the same shared RADIUS secrets for all devices as the old one?

 

cheers,

Seb.

Seb

 

Yes, same shared secrets as the old one.

Sorry, should have read the first paragraph! :)

 

Try clearing the ARP cache of the switch which routes the VLAN which the RADIUS server is connected to:

 

clear arp-cache <server_ip_address>

 

This will force the switch to ARP for the new server.

 

cheers,

Seb.

 

 

 

SEB

 

So the VM infrastructure is connected to a pair of switches that forwards traffic to a core 6509 which actually does the VLAN routing. Would clearing the cache on the switches the VM infrastructure is connected to do it, or do I actually need to clear the cache on the 6509? I don't really want to do anything on the core 6509 switches during business hours (I think I already know the answer, but verification from a more seasoned expert is always a plus).

 

 

 

SEB

 

I know that clearing the ARP cache of just that IP/MAC is pretty safe, so if I go ahead and change the new server to the IP and name of the old one, it should be safe to then clear it and wait a few minutes.

If the 6509 is doing the routing for the VLAN then that is where you want to issue the command.

 

It is worth pointing out that as soon as the 6509 receives an Ethernet frame from the new server, it will contain an IP header which it will use to automatically update the ARP cache.

 

Clearing a specific ARP entry forces the switch to ARP for the server when it receives a new packet destined to the server (for which it no longer has an ARP entry).

 

Since you are only purging a single entry this is perfectly safe to do.

 

cheers,

Seb.

 

 

Seb or anyone

 

That did not work, I tried it twice. Could it be something else? I immediately thought the same thing. It should work.

Can you confirm that the new server is not receiving the RADIUS packets? Running Wireshark and filtering with the keyword 'radius' should tell us what we need to know. Perhaps ensure the Windows firewall is disabled to rule that out.

 

If we see traffic incoming, then there is some sort of RADIUS service problem; if there is no traffic, then we can look at running a traffic capture on the 6509 on the SVI where the RADIUS traffic is routed.

 

cheers,

Seb.
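
Added example, not part of the thread: a Python sketch of the triage described in the post above (are RADIUS requests reaching the new server, and is it answering them), which also covers the earlier shared-secret question by verifying each reply's Response Authenticator as defined in RFC 2865. It assumes the inputs are UDP port 1812 payloads exported from a capture taken on the server; the function names, verdict strings and sample secret are hypothetical.

```python
import hashlib
import struct

def build(code, ident, auth, attrs=b""):
    """Assemble a RADIUS packet (used here only to construct sample data)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def parse_header(payload):
    """Split a UDP payload into (code, id, authenticator, attributes), RFC 2865 sec. 3."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not fit the payload")
    return code, ident, payload[4:20], payload[20:length]

def response_auth(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def triage(payloads, secret):
    """Verdict for payloads in capture order. Assumption: one NAS, so the
    Identifier alone pairs a reply with its request."""
    pending, requests, replies, mismatched = {}, 0, 0, 0
    for p in payloads:
        code, ident, auth, attrs = parse_header(p)
        if code == 1:                      # Access-Request
            requests += 1
            pending[ident] = auth
        elif ident in pending:             # Accept (2), Reject (3) or Challenge (11)
            replies += 1
            if response_auth(code, ident, pending.pop(ident), attrs, secret) != auth:
                mismatched += 1
    if requests == 0:
        return "no-requests"      # nothing arrives: look at the path (ARP, routing)
    if replies == 0:
        return "no-replies"       # requests arrive unanswered: RADIUS service side
    return "secret-mismatch" if mismatched else "ok"

if __name__ == "__main__":
    secret = b"constructed-secret"         # constructed sample values
    req_auth = bytes(range(16))
    req = build(1, 7, req_auth, b"\x01\x06test")          # User-Name = "test"
    rej = build(3, 7, response_auth(3, 7, req_auth, b"", secret))
    print(triage([], secret), triage([req], secret), triage([req, rej], secret))
```

A "secret-mismatch" verdict means the replies were computed with a different secret than the one passed in, which is the check a RADIUS client performs before accepting a reply.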

Seb

 

I will do so and let you know what I see
