AAA Local Backup not working as expected

Hello,

This is specifically on a 2960XR.

The backup local authentication is not working as I would expect. I would expect the server group to be determined as dead relatively quickly. However, if I boot the switch up and then try to log in to the console, it just hangs waiting for the RADIUS servers to respond.

It takes one hour to mark them as not responding. This is only one example:


 

Jan 14 2022 11:01:10.262 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.x.x.x:1812,1813 is being marked alive.
Jan 14 2022 11:01:10.262 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.x.x.x:1812,1813 is being marked alive. (due to change in deadtimer)
Jan 14 2022 12:01:15.322 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.119:1812,1813 is not responding.
Jan 14 2022 12:01:20.362 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.4.149:1812,1813 is not responding.

...at which point, I am then able to use local authentication.

This switch is a lab switch and is literally plugged into nothing. It had no access to the RADIUS servers for the entirety of the one hour it took for it to determine that the servers are non-responsive.

How do I get the RADIUS servers to be detected as dead more quickly than one hour, and, upon reboot, quickly assess that it has no connectivity to the RADIUS servers and allow local login?

I couldn't find anything in the documentation that helps. I implemented the suggestions shown here: AAA Dead-Server Detection [Support] - Cisco Systems (including the deadtime and dead-criteria settings, the latter of which is not shown in the configuration below).

The automate-tester is also implemented.

Neither seems to work as expected.

Thanks.

Relevant configuration:

username user privilege 15 secret 5 pass
aaa group server radius RADIUS_GROUP
 server name RAD-1
 server name RAD-2
 ip radius source-interface Vlan100
 deadtime 1
 retransmit 5
 timeout 10
!
aaa authentication login default group RADIUS_GROUP local
aaa authentication enable default enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group RADIUS_GROUP local if-authenticated
aaa accounting exec default start-stop group RADIUS_GROUP
!
radius-server dead-criteria time 5 tries 3
!
radius server RAD-1
 address ipv4 192.x.x.x auth-port 1812 acct-port 1813
 automate-tester username dummy
 key x
!
radius server RAD-2
 address ipv4 192.x.x.x auth-port 1812 acct-port 1813
 automate-tester username dummy
 key x
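
As an added example (not part of the post above, and not Cisco tooling), a small Python check that turns the timing question into numbers: it parses the four syslog lines from the post (embedded as a constructed sample, with the poster's 192.x.x.x redaction kept), measures the time from the alive mark to each dead mark, and computes from the posted timeout 10, retransmit 5 and dead-criteria time 5 tries 3 both the worst-case time a login can block before the method list falls through to local and the floor at which dead-criteria should mark a server dead. The formulas are the standard IOS semantics (retransmit+1 attempts per server, each waiting timeout seconds; dead-criteria tries counts consecutive timeouts and time is the minimum span of silence, both must hold); the 10x threshold used to flag a server as far slower than expected is an arbitrary assumption of this example.

```python
"""Added example: sanity-check RADIUS dead-server timing against the posted config.

Parses IOS %RADIUS-4-RADIUS_ALIVE / RADIUS_DEAD syslog lines, measures how long
the switch took to mark each server dead, and compares that with what the group's
timeout/retransmit and the dead-criteria settings should allow.
"""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) UTC: "
    r"%RADIUS-4-RADIUS_(?P<event>ALIVE|DEAD): RADIUS server "
    r"(?P<server>[\w.]+):(?P<auth>\d+),(?P<acct>\d+)"
)

# Constructed sample: the four lines quoted in the post, redaction (192.x.x.x) kept as-is.
SAMPLE_LOG = """\
Jan 14 2022 11:01:10.262 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.x.x.x:1812,1813 is being marked alive.
Jan 14 2022 11:01:10.262 UTC: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.x.x.x:1812,1813 is being marked alive. (due to change in deadtimer)
Jan 14 2022 12:01:15.322 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.119:1812,1813 is not responding.
Jan 14 2022 12:01:20.362 UTC: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.4.149:1812,1813 is not responding.
"""

# Values taken from the posted configuration.
GROUP_TIMEOUT = 10      # timeout 10
GROUP_RETRANSMIT = 5    # retransmit 5
DEAD_TIME = 5           # radius-server dead-criteria time 5
DEAD_TRIES = 3          # radius-server dead-criteria tries 3
SERVERS_IN_GROUP = 2    # RAD-1, RAD-2
SLOW_FACTOR = 10        # assumption: flag servers marked dead >10x slower than the floor


def parse_radius_events(text):
    """Return (timestamp, 'ALIVE'|'DEAD', server) tuples for matching lines, in file order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
            events.append((ts, m["event"], m["server"]))
    return events


def seconds_alive_to_dead(events):
    """Seconds from the earliest ALIVE mark to each DEAD mark, keyed by server.
    The ALIVE lines in the post are redacted, so correlation is by time, not by address."""
    alive = [ts for ts, ev, _ in events if ev == "ALIVE"]
    if not alive:
        return {}
    t0 = min(alive)
    return {srv: (ts - t0).total_seconds() for ts, ev, srv in events if ev == "DEAD"}


def worst_case_fallback_seconds(timeout, retransmit, servers):
    """Longest a login can block before the method list falls through to `local`
    when no server has been marked dead yet: every server in the group is tried
    retransmit+1 times and each attempt waits `timeout` seconds."""
    return timeout * (retransmit + 1) * servers


def expected_dead_detection_seconds(dead_time, dead_tries, timeout):
    """Approximate time a server needs to be marked dead once requests are flowing:
    dead-criteria requires `dead_tries` consecutive timeouts (each lasting `timeout`
    seconds) spanning at least `dead_time` seconds of silence; both must hold."""
    return max(dead_time, dead_tries * timeout)


def report(text=SAMPLE_LOG):
    """Summarise observed vs. expected timing; returns the dict so tests can check it."""
    gaps = seconds_alive_to_dead(parse_radius_events(text))
    expected = expected_dead_detection_seconds(DEAD_TIME, DEAD_TRIES, GROUP_TIMEOUT)
    return {
        "observed_seconds_to_dead": gaps,
        "expected_seconds_to_dead": expected,
        "worst_case_login_block": worst_case_fallback_seconds(
            GROUP_TIMEOUT, GROUP_RETRANSMIT, SERVERS_IN_GROUP),
        "servers_far_slower_than_expected": sorted(
            s for s, g in gaps.items() if g > SLOW_FACTOR * expected),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the posted lines the check reports roughly 3605 s and 3610 s to the dead mark against a 30 s floor and a 120 s worst-case login block. A gap that large means the dead mark did not come from the login's own timeouts but from something running on a timer; the one periodic mechanism in the posted config whose interval is not stated is the automate-tester (its idle-time), so that is the first value worth comparing against the hour.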