01-22-2024 12:03 AM - edited 01-22-2024 01:11 AM
Hi all,
I hope somebody can help me with the following situation:
I have AAA enabled on our switches with 3 NPS servers. All user ports have 802.1x enabled. If the first NPS server goes down, the users can't authenticate anymore, even though I can still authenticate via SSH (also using NPS) on the switch (so failover for SSH still works). Below I posted the config:
macro name 802.1X
no cdp enable
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation shutdown
switchport port-security aging type inactivity
dot1x pae authenticator
dot1x host-mode single-host
dot1x port-control auto
dot1x timeout tx-period 15
dot1x timeout tx-period 3
dot1x guest-vlan ###-guest vlan
dot1x auth-fail vlan ###-guest vlan
dot1x auth-fail max-attempts 1
spanning-tree portfast
spanning-tree bpduguard enable
no macro description
interface GigabitEthernet1/0/15
switchport access vlan ###- user vlan
switchport mode access
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
no cdp enable
authentication event fail retry 3 action authorize vlan ###-guest vlan
authentication event no-response action authorize vlan ###-guest vlan
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast
spanning-tree bpduguard enable
radius server A
address ipv4 AAAA auth-port 1645 acct-port 1646
key 7 .......
!
radius server B
address ipv4 BBBB auth-port 1645 acct-port 1646
key 7 ......
!
radius server C
address ipv4 CCCC auth-port 1645 acct-port 1646
key 7 .....
aaa new-model
!
!
aaa group server radius AAA_RADIUS
server name A
server name B
server name C
!
aaa authentication login default local
aaa authentication login AAA_RADIUS group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius local if-authenticated
!
!
!
!
!
!
aaa session-id common
PS: Switches are 9300s and 3600s
01-22-2024 01:29 AM
Is this all of the config?
MHM
01-23-2024 09:50 AM
I am not sure what you mean by that.
01-23-2024 09:57 AM
You edited your post; now I see the AAA config.
Can you try this config:
aaa authentication dot1x default group AAA_RADIUS
MHM
01-23-2024 09:57 AM
I tried adding the command radius-server retry method reorder, and I also added radius-server dead-criteria time 5 tries 3 and radius-server deadtime 5.
In my test environment it seems to be working. I enabled this in one of our offices to see if it has any side effects, and if not I will roll it out company-wide. After I added these commands I noticed under show aaa servers that the server whose IP I deliberately changed to simulate it being dead was showing as dead, and the test client was authenticating to the next server. Before that, somehow the switch was not identifying the NPS server as dead.
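The difference the poster saw under show aaa servers can be illustrated with a small constructed model. This is an added example, not code from the thread or from Cisco: it assumes that every transmission to an unreachable server costs one radius-server timeout (5 s by default) and that the switch sends a fixed number of transmissions per request before moving to the next server; a server is treated as dead once it has accumulated dead-criteria `tries` consecutive timeouts and at least dead-criteria `time` seconds have passed since its first timeout, and a dead server is skipped for `deadtime` minutes before being probed again. The simulate() helper replays the thread's test (first server A unreachable, B and C healthy) with and without the dead-criteria/deadtime commands.

```python
# Added example (not from the thread): a constructed model of how an IOS switch
# treats an unreachable RADIUS server with and without dead-criteria/deadtime.
# Assumptions, labelled as such: each transmission to an unreachable server costs
# `timeout_s` seconds; a server is marked dead once it has `dead_tries` consecutive
# timeouts AND at least `dead_time_s` seconds have passed since its first timeout;
# a dead server is skipped for `deadtime_min` minutes, then probed again.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    reachable: bool
    consecutive_timeouts: int = 0
    first_timeout_at: Optional[float] = None
    dead_until: Optional[float] = None

    def is_dead(self, now: float) -> bool:
        return self.dead_until is not None and now < self.dead_until


@dataclass
class Policy:
    timeout_s: float = 5.0               # radius-server timeout (IOS default is 5 s)
    attempts: int = 3                    # transmissions per request before moving on (assumed)
    dead_time_s: Optional[float] = None  # radius-server dead-criteria time <seconds>
    dead_tries: Optional[int] = None     # radius-server dead-criteria tries <n>
    deadtime_min: float = 0.0            # radius-server deadtime <minutes>

    @property
    def skips_dead_servers(self) -> bool:
        # Without dead-criteria nothing is ever marked dead; without a non-zero
        # deadtime a dead server is still tried first (assumed IOS behaviour).
        return (self.dead_time_s is not None and self.dead_tries is not None
                and self.deadtime_min > 0)


def authenticate(servers: List[RadiusServer], policy: Policy,
                 now: float) -> Tuple[Optional[str], float]:
    """Walk the server group in configured order.

    Returns (name of the server that answered, or None, seconds the client waited).
    """
    elapsed = 0.0
    for srv in servers:
        if policy.skips_dead_servers and srv.is_dead(now + elapsed):
            continue                          # marked dead: skipped at no cost
        if srv.reachable:
            srv.consecutive_timeouts = 0      # a valid response clears the dead state
            srv.first_timeout_at = None
            srv.dead_until = None
            return srv.name, elapsed
        for _ in range(policy.attempts):      # unreachable: burn the whole retry budget
            elapsed += policy.timeout_s
            t = now + elapsed
            if policy.dead_time_s is None or policy.dead_tries is None:
                continue                      # no dead-criteria: nothing is tracked
            srv.consecutive_timeouts += 1
            if srv.first_timeout_at is None:
                srv.first_timeout_at = t
            if (srv.consecutive_timeouts >= policy.dead_tries
                    and t - srv.first_timeout_at >= policy.dead_time_s):
                srv.dead_until = t + policy.deadtime_min * 60
    return None, elapsed


def server_states(servers: List[RadiusServer], now: float) -> Dict[str, str]:
    """Rough equivalent of the state shown per server by `show aaa servers`."""
    return {s.name: ("DEAD" if s.is_dead(now) else "UP") for s in servers}


def simulate(policy: Policy, n_auths: int,
             interval_s: float = 30.0) -> List[Tuple[Optional[str], float]]:
    """Run n_auths 802.1X authentications, one every interval_s seconds, against a
    group whose first server (A) is unreachable, as in the thread's test."""
    servers = [RadiusServer("A", reachable=False),
               RadiusServer("B", reachable=True),
               RadiusServer("C", reachable=True)]
    return [authenticate(servers, policy, i * interval_s) for i in range(n_auths)]


if __name__ == "__main__":
    default = Policy()
    tuned = Policy(dead_time_s=5, dead_tries=3, deadtime_min=5)
    for label, pol in (("no dead-criteria", default),
                       ("dead-criteria time 5 tries 3, deadtime 5", tuned)):
        print(label)
        for used, waited in simulate(pol, 4):
            print(f"  answered by {used} after {waited:.0f}s of waiting")
```

With the default policy every authentication is answered by B, but only after the full 15 s spent on A, and that delay repeats for every client; with the tuned policy only the first request pays it, A is then skipped for the deadtime, and the model reports A as DEAD the same way the poster saw it in show aaa servers. The model deliberately ignores radius-server retry method reorder, which changes the order servers are tried rather than how they are marked dead.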
01-23-2024 05:28 PM
As you are already on the track of testing, those are the settings that were missed -