Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
829
Views
0
Helpful
0
Replies

Question about radius dead-criteria and parameters

NicolasDemonty
Level 1
Level 1

‎10-28-2015 08:24 AM - edited ‎03-10-2019 11:11 PM

Hi all,

according to the documentation, the radius dead-criteria must be set as

- tries = radius-server retransmit value

- time = radius-server retransmit X radius-server timeout.

However here are the definition of the different parameters :

- time = minimum number of second after a valid radius server answer before setting the server DEAD.

- tries = number of retransmit

- radius-server timeout = time after which the switch send again the answered request

- radius-server retransmit = number of retransmission after timeout.

According to the config in the end of this post, what is the behaviour of the switch regarding the state DEAD or not ?

Switch ------------(request)----------------> Radius            t

Switch <-----------(valid answer)--------- Radius              time = 0

Switch ------------(request)----------------> Radius

                          timeout 10s

Switch ------------(request)----------------> Radius

                          timeout 10s                                        time = 20s somewhere here the time dead-criteria has been met

Switch ------------(request)----------------> Radius          here the tries criteria is met and then the server is marked DEAD at the same time

If the switch here gets a valid answer from the Radius (which is considered DEAD), what does happen ? Is the switch back marked UP ? even if the request has just been sent at the same time that the Radius has been marked DEAD ?

I consider to use the probe-on and test to test the reachability but what is the behaviour in the previous case ?

Many thanks in advance


radius server <RADIUS_NAME1>                                               
 address ipv4 <RADIUS_IP1> auth-port <AUTH_PORT> acct-port <ACCT_PORT>
 retransmit 2                               #Specifies how many times the switch retransmits each radius request to the server before giving up.
 timeout 10                                 #Specifies for how many seconds a switch waits for a reply to a radius request before retransmitting the request.
 key 7 <KEY>                           
!

#With retransmit 2 and timeout 10, the switch will give up after 30sec.

aaa group server radius RADIUS-SRV                                        
 server name <RADIUS_NAME1>                                             
 server name <RADIUS_NAME2>                                             
 ip radius source-interface <SOURCE_INT>                              
 ip vrf forwarding <VRF>                                               
 deadtime 1                                     #Specify the number of minutes before a dead server is tested to check wether it has come back up.
!

radius-server dead-criteria time 20 tries 2

1 person had this problem
Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents