04-24-2020 01:51 AM - edited 04-24-2020 04:28 AM
Hi,
The RADIUS command "automate-tester" (keepalive) does not work with our C9300-24P (IOS 09.16.04, same problem on 16.09.05).
I have two identically configured switches, but the "automate-tester" (keepalive) works only on one switch (Switch No. 3). I receive requests only from SWITCH-03.
On the second switch, SWITCH-04, the status is "dead" until I send a test (test aaa group RADIUS keepalive password legacy); then the status comes UP, but the keepalive is still not sent.
Reloading the switch does not work either.
I can delete and reconfigure the configuration, but the servers are DEAD as long as no request comes to the RADIUS.
Why does one switch send keepalives and the other one does not?
What is the best order to configure AAA RADIUS?
We don't have VRF configured.
Configuration SWITCH-03:
aaa group server radius RADIUS
 server name RADIUS-01
 server name RADIUS-02
 deadtime 30
 load-balance method least-outstanding ignore-preferred-server
!
!
radius server RADIUS-01
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 timeout 2
 retransmit 1
 automate-tester username keepalive
 key 123456
!
radius server RADIUS-02
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 timeout 2
 retransmit 1
 automate-tester username keepalive
 key 123456
!
SWITHC-03#sh aaa servers | in State:
State: current UP, duration 240698s, previous duration 13s
State: current UP, duration 240651s, previous duration 60s
>>> Keepalive is ok
------------------------------------------------------------
Configuration SWITCH-04:
aaa group server radius RADIUS
 server name RADIUS-01
 server name RADIUS-02
 deadtime 30
 load-balance method least-outstanding ignore-preferred-server
!
!
radius server RADIUS-01
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 timeout 2
 retransmit 1
 automate-tester username keepalive
 key 123456
!
radius server RADIUS-02
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 timeout 2
 retransmit 1
 automate-tester username keepalive
 key 123456
!
SWITHC-04#sh aaa servers | in State:
SWITHC-04#test aaa group RADIUS keepalive password legacy
Attempting authentication test to server-group RADIUS using radius
User authentication request was rejected by server.
SWITHC-04##sh aaa servers | in State:
State: current UP, duration 5077s, previous duration 61889s
State: current DEAD, duration 67173s, previous duration 39s
>>> still no Keepalive
Thank you for your help
04-24-2020 03:00 AM
- Since one switch reports "User authentication request was rejected by server", you may check the RADIUS logs for these particular requests and check the failure reason.
M.
04-24-2020 04:08 AM