We are deploying 802.1x/MAB with ISE. The configuration that has been suggested in terms of AAA server and deadtimer is:
aaa group server radius ISE
 server name A
 server name B
radius-server dead-criteria time 5 tries 3
My understanding of this configuration is that the switch will send a keepalive and if it does not receive a response within 5 seconds 3 times in a row it will mark that server Dead. So if Server A goes Dead server B takes over for 60 mins and this stops flapping between Radius servers.
However, what would happen in a WAN failure scenario? What I am worried about is both Servers being marked dead for 60 minutes, where the WAN may be restored within 5 minutes. We would then not be able to authenticate any new devices, and if this fell on the reauth timer devices would be blocked from the network.
Any explanation on this would be great.
If you have a WAN failure, neither server will be reachable, and so neither will be available.
So, if you have a second WAN link, that may be one solution; if not you may want to have one of the servers local to users and have them authenticate locally and not rely on WAN connectivity.
I fully understand the connectivity to the radius servers and the wan connectivity.
My question is more around the deadtimer. If the WAN went down both Radius servers with the above configuration (deadtime 60) would be marked dead for 60 minutes.
If the WAN re-established after 5 minutes the Radius servers would still be marked dead for 55 minutes??
This would obviously be undesirable, as we would want the servers to be marked UP as soon as the WAN was back.
Hope that clarifies the question!!!
Yes, thanks for clarifying. Looking at the command line you are correct. The dead time in your case will be for 60 minutes which is not good. Maybe you want to set the dead time to 4 or 5 minutes. From the command line:
Use this command to configure the deadtime value of any RADIUS server group. The value of deadtime set in the server groups will override the server that is configured globally. If deadtime is omitted from the server group configuration, the value will be inherited from the master list. If the server group is not configured, the default value (0) will apply to all servers in the group.
The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:
aaa group server radius group1
 server 184.108.40.206 auth-port 1645 acct-port 1646
 server 220.127.116.11 auth-port 2000 acct-port 2001
 deadtime 1
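To make the timeline in this thread concrete, here is an added example (not from the thread or from Cisco) that models the dead-criteria and deadtime behaviour described above as a small simulation: a two-server group with `dead-criteria time 5 tries 3`, the WAN down for the first 5 minutes, compared with `deadtime 60` and `deadtime 5`. The model is a simplification (sequential requests, no probing, an unusable group simply drops the request), and the timings it produces are the model's, not a statement of exact IOS behaviour.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    """Simplified dead-marking state for one RADIUS server (model, not IOS code)."""
    name: str
    deadtime_min: int              # minutes the server stays marked dead
    dead_criteria_time: int = 5    # seconds to wait for a reply per try
    dead_criteria_tries: int = 3   # consecutive timeouts before marking dead
    failed_tries: int = 0
    dead_until: int = 0            # second at which the server is usable again

    def is_dead(self, now: int) -> bool:
        return now < self.dead_until

    def attempt(self, now: int, reachable: bool):
        """Send one request at second `now`; return (succeeded, finished_at)."""
        if reachable:
            self.failed_tries = 0
            return True, now + 1
        finished = now + self.dead_criteria_time   # reply timeout expires
        self.failed_tries += 1
        if self.failed_tries >= self.dead_criteria_tries:
            self.failed_tries = 0
            self.dead_until = finished + self.deadtime_min * 60
        return False, finished


def simulate(deadtime_min: int, wan_restore_s: int, horizon_s: int = 7200) -> dict:
    """Back-to-back auth requests against group [A, B] while the WAN is down
    from t=0 until `wan_restore_s` (constructed scenario). Returns the second
    at which both servers were first dead and the second of the first
    successful authentication after the outage."""
    servers = [RadiusServer("A", deadtime_min), RadiusServer("B", deadtime_min)]
    result = {"both_dead_at": None, "first_success_at": None}
    t = 0
    while t < horizon_s and result["first_success_at"] is None:
        live = [s for s in servers if not s.is_dead(t)]
        if not live:                       # nothing to send to: auth fails outright
            if result["both_dead_at"] is None:
                result["both_dead_at"] = t
            t += 1
            continue
        sent = t
        ok, t = live[0].attempt(sent, reachable=sent >= wan_restore_s)
        if ok:
            result["first_success_at"] = sent
    return result


if __name__ == "__main__":
    for dt in (60, 5, 4):
        print(f"deadtime {dt}:", simulate(dt, wan_restore_s=300))
```

In this model both servers are dead within 30 seconds, and with `deadtime 60` the first successful authentication after the 5-minute outage is not until about an hour in, whereas `deadtime 5` recovers a few seconds after the WAN returns; a server that comes out of deadtime while the WAN is still down is simply marked dead again for a full period, which is why `deadtime 4` recovers later than `deadtime 5` here.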