Radius Deadtime 60 - Would WAN failure mean both AAA servers marked dead for 60 mins

Cisco Junky
Level 1

Hi All,

We are deploying 802.1x/MAB with ISE. The configuration that has been suggested in terms of AAA server and deadtimer is:

!
aaa group server radius ISE
 server name A
 server name B
 deadtime 60
!
radius-server dead-criteria time 5 tries 3
!

My understanding of this configuration is that the switch will send a keepalive and if it does not receive a response within 5 seconds 3 times in a row it will mark that server Dead. So if Server A goes Dead, Server B takes over for 60 mins and this stops flapping between RADIUS servers.

!

However, what would happen in a WAN failure scenario? What I am worried about is both servers being marked dead for 60 minutes, where the WAN may be restored within 5 minutes. We would then not be able to authenticate any new devices, and if this fell on the reauth timer, devices would be blocked from the network.

Any explanation on this would be great.

3 Replies

Reza Sharifi
Hall of Fame

Hi,

If you have a WAN failure, neither server will be reachable, and so neither will be available.

So, if you have a second WAN link, that may be one solution; if not, you may want to have one of the servers local to the users and have them authenticate locally and not rely on WAN connectivity.

HTH

I fully understand the connectivity to the radius servers and the wan connectivity. 

My question is more around the deadtimer. If the WAN went down, both RADIUS servers with the above configuration (deadtime 60) would be marked dead for 60 minutes.

If the WAN re-established after 5 minutes, would the RADIUS servers still be marked dead for 55 minutes?

This would obviously be undesirable, as we would want the servers to be marked UP as soon as the WAN was back.

Hope that clarifies the question!!!

Yes, thanks for clarifying. Looking at the command line, you are correct. The dead time in your case will be 60 minutes, which is not good. Maybe you want to set the dead time to 4 or 5 minutes. From the command reference:

Use this command to configure the deadtime value of any RADIUS server group. The value of deadtime set in the server groups will override the server that is configured globally. If deadtime is omitted from the server group configuration, the value will be inherited from the master list. If the server group is not configured, the default value (0) will apply to all servers in the group.

Examples

The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:

aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 deadtime 1
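The following IOS configuration is an added example, not part of the original thread or any Cisco document quoted in it. It pulls together the original poster's dead-criteria configuration and the reply's suggestion of a shorter group deadtime, and adds the two controls a practitioner would normally pair with them: an automated test probe on each server definition, so that a server marked dead is re-checked at the probe interval instead of simply waiting out the deadtime, and critical authentication on the access port, so that when every server in the group is dead the port falls to a restricted VLAN rather than blocking the endpoint. The server names, addresses, VLAN number, probe username and shared secret are constructed placeholders, and the example assumes a Catalyst platform that supports the `radius server` and `automate-tester` commands.

```cisco
! Named RADIUS server definitions (addresses and names are constructed for this example)
radius server ISE-A
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 ! Probe the server every 5 minutes with a dummy Access-Request; a reply
 ! (even an Access-Reject) proves reachability and lets a dead server recover
 automate-tester username probe-user idle-time 5
!
radius server ISE-B
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 automate-tester username probe-user idle-time 5
!
! Same group as the original post, but with a short deadtime (minutes) so a
! WAN blip does not sideline both servers for an hour
aaa group server radius ISE
 server name ISE-A
 server name ISE-B
 deadtime 5
!
! Unchanged from the original post: 3 unanswered requests within 5 seconds marks a server dead
radius-server dead-criteria time 5 tries 3
!
! Critical authentication: if every server in the group is dead, authorise the
! port into a restricted VLAN (constructed VLAN id) instead of blocking it, and
! re-run authentication once a server comes back
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication event server dead action authorize vlan 999
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
```

After applying this, `show aaa servers` reports each server's state (UP or DEAD) and the remaining dead time, which is the quickest way to confirm during a WAN test that servers return to UP on the probe interval rather than at the end of the configured deadtime. The restricted VLAN should carry only what an unauthenticated host needs while the servers are unreachable; the point of critical authentication is to keep already-deployed devices working, not to widen access.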
