04-17-2019 09:28 AM
We have a fresh deployment of wired NAC and would like to have access switches send authentication requests to each of our data centers, where each has a load balancer with 11 PSNs, so it's a fairly large deployment. I thought the configuration was straightforward, but at the switch I'm not seeing requests go to data center 2. Here is the config; any thoughts?
radius server DC1-LB-VIP
 address ipv4 10.10.10.1 auth-port 1812 acct-port 1813
 automate-tester username switch-check probe-on
 timeout 15
 retransmit 5
 key <private>
!
radius server DC2-LB-VIP
 address ipv4 10.11.10.1 auth-port 1812 acct-port 1813
 automate-tester username switch-check probe-on
 timeout 15
 retransmit 6
 key <private>
aaa group server radius ISE-RADIUS
 server name DC1-LB-VIP
 server name DC2-LB-VIP
radius-server load-balance method least-outstanding batch-size 5
SWITCH#sho aaa servers
RADIUS: id 1, priority 1, host 10.10.10.1, auth-port 1812, acct-port 1813
State: current UP, duration 49080s, previous duration 19s
Dead: total time 19s, count 0
Quarantined: No
Authen: request 17862, timeouts 497, failover 0, retransmission 497
Response: accept 16301, reject 0, challenge 1064
Response: unexpected 0, server error 0, incorrect 0, time 11ms
Transaction: success 17365, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 1, timeouts 0, failover 0, retransmission 0
Response: accept 1, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 4ms
Transaction: success 1, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 1522, timeouts 350, failover 0, retransmission 350
Request: start 268, interim 0, stop 71
Response: start 268, interim 0, stop 71
Response: unexpected 0, server error 0, incorrect 0, time 6ms
Transaction: success 1172, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 13h38m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 13 hours, 35 minutes ago: 371
low - 13 hours, 38 minutes ago: 0
average: 23
RADIUS: id 2, priority 2, host 10.11.10.1, auth-port 1812, acct-port 1813
State: current UP, duration 49080s, previous duration 13s
Dead: total time 13s, count 0
Quarantined: No
Authen: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 13h38m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 13 hours, 38 minutes ago: 0
low - 13 hours, 38 minutes ago: 0
average: 0
04-17-2019 10:06 AM
04-17-2019 11:11 AM
Understood, and I was curious then: what does this command do?
radius-server load-balance method least-outstanding batch-size 5
Seems like it's been around for over 10 years and is still an option? Would you say flipping the order is the best approach? We have a large enterprise and use ordering like that in other tools as well, so we can follow it; I was hoping there was switch configuration that could do this work.
Thanks,
Mitch
04-18-2019 07:45 AM
I've never tested this with an LB as the destination, but it should load-balance across the two destinations. Since the batch size is 5, it should be using the second VIP after the 5th RADIUS request. If you have more than 5 sessions and it is not using the 2nd VIP, then recheck the RADIUS server status to make sure both VIPs are marked UP.
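As an added example (not from this thread, and not Cisco's or ISE's own tooling), a small Python script that parses the `show aaa servers` output the way the reply above suggests checking it: it pulls each server's state and request counters and flags any server that is marked UP yet has received no requests while a peer has. The embedded sample is a constructed, trimmed copy of the output posted earlier in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the 'show aaa servers' output posted in this thread.
SAMPLE = """\
RADIUS: id 1, priority 1, host 10.10.10.1, auth-port 1812, acct-port 1813
     State: current UP, duration 49080s, previous duration 19s
     Authen: request 17862, timeouts 497, failover 0, retransmission 497
     Author: request 1, timeouts 0, failover 0, retransmission 0
     Account: request 1522, timeouts 350, failover 0, retransmission 350
RADIUS: id 2, priority 2, host 10.11.10.1, auth-port 1812, acct-port 1813
     State: current UP, duration 49080s, previous duration 13s
     Authen: request 0, timeouts 0, failover 0, retransmission 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
"""
HEADER = re.compile(r"^RADIUS: id (\d+), priority (\d+), host (\S+),")
STATE = re.compile(r"^\s*State: current (\w+)")
COUNTER = re.compile(r"^\s*(?:Authen|Author|Account): request (\d+), timeouts (\d+)")

@dataclass
class ServerStats:
    host: str
    priority: int
    state: str = "UNKNOWN"
    requests: int = 0  # Authen + Author + Account requests combined
    timeouts: int = 0

def parse_aaa_servers(text):
    """Return one ServerStats per 'RADIUS: id ...' block, in output order."""
    servers = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            servers.append(ServerStats(host=m.group(3), priority=int(m.group(2))))
        elif not servers:
            pass  # text before the first server block
        elif m := STATE.match(line):
            servers[-1].state = m.group(1)
        elif m := COUNTER.match(line):
            servers[-1].requests += int(m.group(1))
            servers[-1].timeouts += int(m.group(2))
    return servers

def idle_up_servers(servers):
    """Hosts marked UP with zero requests while another host got some; empty if nothing was sent yet."""
    if not any(s.requests for s in servers):
        return []
    return [s.host for s in servers if s.state == "UP" and s.requests == 0]

if __name__ == "__main__":
    stats = parse_aaa_servers(SAMPLE)
    for s in stats:
        print(f"{s.host} priority={s.priority} state={s.state} requests={s.requests} timeouts={s.timeouts}")
    print("UP but idle:", idle_up_servers(stats))
```

Feed it the full `show aaa servers` text from a switch; an UP server that never appears in the request counters is the sign that the group ordering or load-balance settings are not doing what was expected.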