cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
181
Views
0
Helpful
3
Replies
Beginner

Radius Deadtime 60 - Would WAN failure mean both AAA servers marked dead for 60 mins

Hi All,

We are deploying 802.1x/MAB with ISE. The configuration that has been suggested in terms of AAA server and deadtimer is:

!

aaa group server radius ISE

server name A

Server name B

deadtime 60

!

radius-server dead-criteria time 5 tries 3

!

My understanding of this configuration is that the switch will send a keepalive and if it does not receive a response within 5 seconds 3 times in a row it will mark that sever Dead. So if Server A goes Dead server B takes over for 60 mins and this stop flapping between Radius servers.

!

However, what would happen in a WAN failure scenario. What I am worried about is both Servers being marked dead for 60 minutes, where the WAN may be restored within 5 minutes. We would then not be able to authenticate any new devices, and if this feel on the reauth timer devices would be blocked from the network.

Any explanation on this would be great.

3 REPLIES 3
VIP Expert

Hi,

Hi,

If you have a WAN failure, neither servers will be reachable and so not available.

So, if you have a second WAN link, that maybe one solution, if not you may want to have one of the servers local to users and have them authenticate locally and not rely on WAN connectivity.

HTH

Beginner

I fully understand the

I fully understand the connectivity to the radius servers and the wan connectivity. 

My question is more around the deadtimer. If the WAN went down both Radius servers with the abover configuration (deadtime 60) would be marked dead for 60 minutes. 

If the WAN re-established after 5 minutes the Radius servers would still be marked dead for 55 minutes??

This would obviously be undesirable   As we would want the servers to be marked UP as soon as the WAN was back. 

Hope that clarifies the question!!!

VIP Expert

Yes, thanks for clarifying.

Yes, thanks for clarifying. Looking at the command line you are correct. The dead time in your case with be for 60 minutes which is not good. Maybe you want to set the dead time to 4 or 5 minutes. From the command line:

Use this command to configure the deadtime value of any RADIUS server group. The value of deadtime set in the server groups will override the server that is configured globally. If deadtime is omitted from the server group configuration, the value will be inherited from the master list. If the server group is not configured, the default value (0) will apply to all servers in the group.

Examples

The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:

aaa group server radius group1

server 1.1.1.1 auth-port 1645 acct-port 1646

server 2.2.2.2 auth-port 2000 acct-port 2001

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards