05-23-2022 11:22 AM - edited 05-23-2022 11:23 AM
So we were upgrading our RADIUS servers and when we did we noticed that the RADIUS failover did not happen as expected. I'm thinking my predecessor has the AAA Advanced settings set up incorrectly but I am not familiar with this model controller. Can someone verify the correct settings/behavior for the "AAA Advanced" for proper RADIUS failover on a WLC 9800-80 running 17.3.5a?
What I have now is
Retransmit Count = 3
Timeout Interval (seconds) = 5
Dead Time (Minutes) = Not configured - so I assume it is the default of 5 minutes.
When digging in I read here (https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_aaa_dead_server_detection.html) that you can set up dead server detection criteria. So my question is, if you don't have any dead server detection criteria set up, will you ever get a failover?
05-24-2022 12:13 AM
- Informational : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtl06706
M.
05-23-2022 11:31 AM
Hi
It must use a default value. I don't believe that a correct value exists for this. It will depend on your environment. Basically, if you are starting fresh, you should use Cisco's recommendation.
What is the output of :
show run | s dead-criteria
sh aaa dead-criteria radius <server>
05-24-2022 05:49 AM - edited 05-24-2022 05:59 AM
So when I run #sho run | s dead-criteria it shows nothing, as it is not configured. The question I have is, do I need to have that configured in order for RADIUS failover to occur properly?
05-23-2022 04:36 PM
For me Dead server detection works. My config is as below
aaa group server radius ISE-Corp
server name psn-002
server name psn-001
deadtime 5
!
radius server psn-001
address ipv4 X.X.X.X auth-port 1812 acct-port 1813
timeout 5
retransmit 3
automate-tester username wlc-keepalive
key 12345
!
radius server psn-002
address ipv4 X.X.X.X auth-port 1812 acct-port 1813
timeout 5
retransmit 3
automate-tester username wlc-keepalive
key 12345
!
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!
05-24-2022 05:51 AM
Thanks for sharing! That is helpful. The question I have is, do we need to set the dead-time criteria for a failover to work? Does not setting this prevent a RADIUS failover?
05-24-2022 06:34 AM
I am not sure tbh, as I consider this to be mandatory for my deployments just because of what it does.
radius-server dead-criteria is used to define the number of times a device sends a request to the RADIUS server when no response is received from the RADIUS server; once the configured parameters are breached, it marks the server down, which allows the device to send the request to another server.
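Added illustration (not Cisco's code, and not the poster's configuration beyond the values it copies): a simplified Python model of what the posted commands describe, so the effect of dead-criteria on failover can be seen on sample requests. The server names psn-001/psn-002 and the marking rule (a server is marked dead once DEAD_TRIES consecutive unanswered transmissions span at least DEAD_TIME seconds, then skipped for the deadtime) are assumptions taken from the thread, not a verified description of the WLC's internals.

```python
# Constructed model of the posted config; values mirror the thread, the
# behaviour is an assumption, not Cisco's implementation.
from dataclasses import dataclass

TIMEOUT, RETRANSMIT = 5, 3      # radius server ... timeout 5 / retransmit 3
DEAD_TIME, DEAD_TRIES = 5, 3    # radius-server dead-criteria time 5 tries 3
DEADTIME_SEC = 5 * 60           # radius-server deadtime 5 (minutes)


@dataclass
class Server:
    name: str
    responds: bool              # constructed: does this server answer at all?
    unanswered: int = 0         # consecutive transmissions with no reply
    first_timeout: float = 0.0  # when the unanswered streak started
    dead_until: float = 0.0     # skipped while now < dead_until


def try_server(srv, now, dead_criteria):
    """One request to srv; returns (answered, seconds spent).
    A silent server costs TIMEOUT * (RETRANSMIT + 1) seconds per request;
    with dead-criteria enabled it is then held down for DEADTIME_SEC."""
    if srv.responds:
        srv.unanswered = 0
        return True, 0.0
    t = now
    for _ in range(RETRANSMIT + 1):         # initial send plus retransmits
        t += TIMEOUT                        # each one expires unanswered
        if srv.unanswered == 0:
            srv.first_timeout = t
        srv.unanswered += 1
    if dead_criteria and srv.unanswered >= DEAD_TRIES \
            and t - srv.first_timeout >= DEAD_TIME:
        srv.dead_until = t + DEADTIME_SEC   # mark dead: later requests skip it
        srv.unanswered = 0
    return False, t - now


def authenticate(servers, now, dead_criteria=True):
    """Walk the server group in order, skipping servers in deadtime;
    returns (name of the server that answered or None, seconds waited)."""
    waited = 0.0
    for srv in servers:
        if now + waited < srv.dead_until:
            continue                        # still marked dead: skip it
        ok, spent = try_server(srv, now + waited, dead_criteria)
        waited += spent
        if ok:
            return srv.name, waited
    return None, waited
```

With dead-criteria, the first request after psn-001 goes silent pays the full 20 s and every request in the following 5 minutes goes straight to psn-002; without it, the model pays the 20 s on every single request.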
05-24-2022 07:45 AM
It is required FYI - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtl06706
05-24-2022 06:00 AM
Thanks M8!