03-26-2018 07:53 AM - edited 02-21-2020 10:51 AM
Hi,
I have a 3750X switch that is integrated with an ISE cluster for 802.1x authentication. During HA testing I shut down the entire ISE cluster and noticed that the switch marks the ISE nodes as Alive and then Dead repeatedly:
*Jan 2 19:34:47.776: %RADIUS-6-SERVERALIVE: Group ISE: Radius server 192.168.0.211:1645,1646 is responding again (previously dead).
*Jan 2 19:34:47.776: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.211:1645,1646 is being marked alive.
*Jan 2 19:34:53.648: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.211:1645,1646 is not responding.
*Jan 2 19:34:58.119: %DOT1X-5-FAIL: Authentication failed for client (e8ed.f3a9.a038) on Interface Gi1/0/4 AuditSessionID A6A03244000000680433B71F
*Jan 2 19:34:58.119: %MAB-5-FAIL: Authentication failed for client (e8ed.f3a9.a038) on Interface Gi1/0/4 AuditSessionID A6A03244000000680433B71F
*Jan 2 19:35:18.504: %DOT1X-5-FAIL: Authentication failed for client (fc4d.d439.9854) on Interface Gi1/0/3 AuditSessionID A6A03244000000670433B224
*Jan 2 19:35:18.713: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (fc4d.d439.9854) on Interface Gi1/0/3 AuditSessionID A6A03244000000670433B224
*Jan 2 19:35:28.058: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.212:1645,1646 is being marked alive.
*Jan 2 19:35:28.872: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.212:1645,1646 is not responding.
*Jan 2 19:35:33.905: %RADIUS-3-ALLDEADSERVER: Group ISE: No active radius servers found. Id 142.
*Jan 2 19:35:40.356: %DOT1X-5-FAIL: Authentication failed for client (e8ed.f3a9.a038) on Interface Gi1/0/4 AuditSessionID A6A032440000006A04345C13
*Jan 2 19:35:40.356: %MAB-5-FAIL: Authentication failed for client (e8ed.f3a9.a038) on Interface Gi1/0/4 AuditSessionID A6A032440000006A04345C13
*Jan 2 19:35:48.317: %DOT1X-5-FAIL: Authentication failed for client (fc4d.d439.9854) on Interface Gi1/0/3 AuditSessionID A6A032440000006904344E93
*Jan 2 19:35:48.602: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (fc4d.d439.9854) on Interface Gi1/0/3 AuditSessionID A6A032440000006904344E93
The two servers are completely down; how can the switch mark them as alive if there is no answer?
There are no repeated IP addresses.
This is causing me issues because the authentication process for the users tries to start again and again.
This is the radius configuration:
aaa group server radius ISE
server 192.168.0.211
server 192.168.0.212
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
client 192.168.0.211 server-key XXXXXXXXXX
client 192.168.0.212 server-key XXXXXXXXXX
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.0.211 auth-port 1645 acct-port 1646 test username test-radius key 7 XXXXXXXXXXXX
radius-server host 192.168.0.212 auth-port 1645 acct-port 1646 test username test-radius key 7 XXXXXXXXXXXX
radius-server deadtime 2
radius-server vsa send accounting
radius-server vsa send authentication
Any suggestions?
Thanks in advance.
03-26-2018 08:02 AM
Do you see any hits in the ISE Live Authentication logs?
03-26-2018 08:19 AM
Hi,
The two ISE nodes are shut down, but the switch says that it suddenly gets a response.
03-26-2018 09:06 AM
Hi,
Do you have the interface level command configured for dead/alive actions?
E.g
authentication event server dead action authorize vlan
authentication event server dead action authorize voice
authentication event server alive action reinitialize
03-26-2018 02:04 PM - edited 03-26-2018 02:05 PM
Hi,
You have
radius-server dead-criteria time 5 tries 3
radius-server deadtime 2
You use a timeout of 5 seconds. If no response is received within 5, retry for max. 3 times.
If still no response, mark the server as down for 2 minutes, after which you should mark it alive in order to try again...
Please configure radius-server deadtime to 10 minutes and try again.
Thanks,
Octavian
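A small log check, added here as an example and not taken from any post in this thread, that parses the RADIUS_ALIVE/RADIUS_DEAD syslog lines and measures how long each server stays "alive" and how long it was dead before being revived. If the dead gaps line up with the configured radius-server deadtime and the alive spans last only a few seconds, the servers are being revived by deadtime expiry rather than by a real response. The log sample is constructed (the lines quoted in the question plus two extra lines for 192.168.0.211 about two minutes later), and the 30-second flap threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the RADIUS lines quoted in the question plus two extra
# lines for 192.168.0.211 roughly one deadtime (2 minutes) after it went dead.
SAMPLE_LOG = """\
*Jan 2 19:34:47.776: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.211:1645,1646 is being marked alive.
*Jan 2 19:34:53.648: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.211:1645,1646 is not responding.
*Jan 2 19:35:28.058: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.212:1645,1646 is being marked alive.
*Jan 2 19:35:28.872: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.212:1645,1646 is not responding.
*Jan 2 19:35:33.905: %RADIUS-3-ALLDEADSERVER: Group ISE: No active radius servers found. Id 142.
*Jan 2 19:36:55.102: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.0.211:1645,1646 is being marked alive.
*Jan 2 19:37:01.400: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.0.211:1645,1646 is not responding.
"""

# Only the per-server ALIVE/DEAD transitions are matched; other RADIUS messages are skipped.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): %RADIUS-\d-(?P<mn>RADIUS_ALIVE|RADIUS_DEAD): "
    r"RADIUS server (?P<server>\d+\.\d+\.\d+\.\d+):\d+,\d+"
)

def parse_transitions(log_text):
    """Return {server: [(timestamp, 'alive'|'dead'), ...]} in log order (syslog has no year)."""
    transitions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
        state = "alive" if m["mn"] == "RADIUS_ALIVE" else "dead"
        transitions.setdefault(m["server"], []).append((ts, state))
    return transitions

def flap_report(transitions, deadtime_minutes, max_flap_seconds=30, tolerance=0.1):
    """Per server: alive spans, dead gaps, number of 'flaps' (alive for less than
    max_flap_seconds) and number of revivals that land within +/-tolerance of deadtime."""
    report, target = {}, deadtime_minutes * 60
    for server, events in transitions.items():
        alive_spans, dead_gaps = [], []
        for (t0, s0), (t1, s1) in zip(events, events[1:]):
            seconds = (t1 - t0).total_seconds()
            if s0 == "alive" and s1 == "dead":
                alive_spans.append(seconds)   # how long the server was believed alive
            elif s0 == "dead" and s1 == "alive":
                dead_gaps.append(seconds)     # how long it stayed marked dead
        report[server] = {
            "alive_spans": alive_spans,
            "dead_gaps": dead_gaps,
            "flaps": sum(1 for s in alive_spans if s < max_flap_seconds),
            "deadtime_revivals": sum(1 for g in dead_gaps if abs(g - target) <= tolerance * target),
        }
    return report
```

Run `flap_report(parse_transitions(SAMPLE_LOG), deadtime_minutes=2)` against a real `show logging` export; a server with several flaps and dead gaps matching the deadtime has not recovered, it has only been retried after deadtime expired.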
09-03-2020 01:44 AM
hi,
I shared a few things about the solution to this issue. I recommend you take a look.
https://community.cisco.com/t5/switching/detect-up-down-radius-server/m-p/4145622/highlight/true#M492353