Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
776
Views
2
Helpful
5
Replies

radius AAA server is not redundant and failover to the second AAA

Mohd Khairul Nizam
Level 4
Level 4

‎10-01-2024 07:37 PM

on the switch we have two radius server entry.
server A
server B
the radius server A is down and unreachable.
issues happen where all the endpoint in LAN not able to authenticate to radius server.
show radius AAA server output show that the priority is 1 and still point to server A

Question, why the switch is not auto/redundant/failover to server B??

to mitigate this issues, we removed the server A from the running-config

Labels:
5 Replies 5

ammahend
VIP Alumni
VIP Alumni

‎10-01-2024 09:51 PM

Radius service down does not mean server is down, if server A is pingable request will still go to Server A first.

these values can be configured globally or a per radius server basis, for instance

Device(config-radius-server)# retransmit 5

Specifies how many times the device transmits each RADIUS request to the server before giving up (the default is 3).  

similarly

Device(config-radius-server)# timeout 3

Specifies for how many seconds a device waits for a reply to a RADIUS request before retransmitting the request.

based on these values device will wait before trying Server B

-hope this helps-
0 Helpful

Mohd Khairul Nizam
Level 4
Level 4

‎10-01-2024 10:19 PM

Meaning we need to configure this timeout and retransmit in the config.

This is when the problem happen
server A - 10.2x4.x.94
server B - 10.2x6.x.94
It still not failover to server B

Hostname02#sh aaa servers

RADIUS: id 1, priority 1, host 10.2x4.x.94, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 0s
Dead: total time 0s, count 0
Platform State: current UP, duration 67s, previous duration 0s
Platform Dead: total time 0s, count 432
Quarantined: No
Authen: request 11096, timeouts 4299, failover 0, retransmission 3227
Response: accept 621, reject 142, challenge 6034
Response: unexpected 0, server error 0, incorrect 0, time 101ms
Transaction: success 6797, failure 1072
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 980, timeouts 37, failover 0, retransmission 28
Request: start 332, interim 0, stop 330
Response: start 331, interim 0, stop 322
Response: unexpected 0, server error 0, incorrect 0, time 46ms
Transaction: success 943, failure 9
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 7w6d2h1m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 7 hours, 15 minutes ago: 1126
low - 2 hours, 1 minutes ago: 0
average: 1

RADIUS: id 2, priority 2, host 10.2x6.x.94, auth-port 1812, acct-port 1813
State: current UP, duration 4294967s, previous duration 0s
Dead: total time 0s, count 0
Platform State: current UP, duration 4759299s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No
Authen: request 1073, timeouts 1, failover 1072, retransmission 1
Response: accept 1, reject 3, challenge 1068
Response: unexpected 0, server error 0, incorrect 0, time 231ms
Transaction: success 1072, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 12, timeouts 4, failover 9, retransmission 3
Request: start 1, interim 0, stop 8
Response: start 1, interim 0, stop 7
Response: unexpected 0, server error 0, incorrect 0, time 211ms
Transaction: success 8, failure 1
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 7w6d2h1m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 7 hours, 11 minutes ago: 1130
low - 2 hours, 1 minutes ago: 0
average: 0

MHM Cisco World
VIP
VIP
In response to Mohd Khairul Nizam

‎10-01-2024 11:28 PM

But as I see both server is UP and there is no previous duration meaning it not flapping' can you confirm if server A is down or not.

MHM

0 Helpful

Mohd Khairul Nizam
Level 4
Level 4

‎10-02-2024 12:48 AM - edited ‎10-02-2024 12:53 AM

Yes on day 1 - the server A still UP in term of connectivity but services not working (consider the server is down)
then we shutdown the server A
on endpoint end , still not able to authenticate, I think due to i dont have any global config of retransmit and timeout as mention by @ammahend 

Currently on my SW config there is no mention of retransmit and timeout , just an entry of 2 radius server , server A & B

0 Helpful

MHM Cisco World
VIP
VIP
In response to Mohd Khairul Nizam

‎10-02-2024 01:55 AM

Friend these settings is run by defualt' in some little cased we change these defualt values.

Please share show aaa server when serverA is down

MHM

 

0 Helpful
Customers Also Viewed These Support Documents