WLC 9800 RADIUS failover failure

So we were upgrading our RADIUS servers and when we did we noticed that the RADIUS failover did not happen as expected. I'm thinking my predecessor has the AAA Advanced settings set up incorrectly but I am not familiar with this model controller. Can someone verify the correct settings/behavior for the "AAA Advanced" for proper RADIUS failover on a WLC 9800-80 running 17.3.5a?

What I have now is:

Retransmit Count = 3

Timeout Interval (seconds) = 5

Dead Time (Minutes) = Not configured - so I assume it is the default of 5 minutes.

When digging in I read here (https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_aaa_dead_server_detection.html) that you can set up dead server detection criteria. So my question is, if you don't have any dead server detection criteria set up, will you ever get a failover? 



Flavio Miranda
Advisor

Hi

It must use a default value. I don't believe a correct value exists for this. It will depend on your environment. Basically, if you are starting fresh, you should use the Cisco recommendation.

What is the output of:

show run | s dead-criteria

sh aaa dead-criteria radius <server>

So when I run "sho run | s dead-criteria" it shows nothing, as it is not configured. The question I have is: do I need to have that configured in order for RADIUS failover to occur properly?

Arshad Safrulla
VIP Advocate

For me Dead server detection works. My config is as below:

aaa group server radius ISE-Corp
 server name psn-002
 server name psn-001
 deadtime 5
!
radius server psn-001
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 automate-tester username wlc-keepalive
 key 12345
!
radius server psn-002
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 automate-tester username wlc-keepalive
 key 12345
!
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
!

More on this https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#:~:text=following%20GUI%20settings%3A-,RADIUS%20server%20timeout,-RADIUS%20authentication%20and

 

Thanks for sharing! That is helpful. The question I have is, do we need to set the dead-time criteria for a failover to work? Does not setting this prevent a RADIUS failover?

I am not sure tbh, as I consider this to be mandatory for my deployments just because of what it does.

radius-server dead-criteria is used to define the number of times a device sends a request to the RADIUS server when no response from the RADIUS server is received; once the configured parameters are breached, it marks the server down, which allows the device to send the request to another server.
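As an added audit example (not code from this thread or from Cisco), the following Python script parses an IOS-XE-style RADIUS configuration like the one posted above, pulls out the global dead-criteria and deadtime plus each server's timeout, retransmit and automate-tester settings, and computes how long a single request waits on one server before the controller gives up on it (first attempt plus each retransmit). The sample config is constructed for the example, with psn-002 deliberately lacking automate-tester and using different timers so the audit has something to report.

```python
import re

# Constructed sample modelled on the config posted above; X.X.X.X and the key are
# placeholders as in the original post. psn-002 deliberately lacks automate-tester.
SAMPLE_CONFIG = """\
radius server psn-001
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 timeout 5
 retransmit 3
 automate-tester username wlc-keepalive
 key 12345
!
radius server psn-002
 address ipv4 X.X.X.X auth-port 1812 acct-port 1813
 timeout 10
 retransmit 2
 key 12345
!
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
"""

def audit_radius(config):
    """Parse IOS-XE RADIUS config; return dead-server settings and per-server findings."""
    servers, cur = {}, None
    report = {"dead_criteria": None, "deadtime": None, "servers": servers, "findings": []}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"radius server (\S+)$", line):
            # IOS-XE defaults when the per-server knobs are absent: timeout 5 s, retransmit 3
            cur = servers.setdefault(m[1], {"timeout": 5, "retransmit": 3, "automate_tester": False})
        elif line == "!":
            cur = None
        elif cur is not None and (m := re.match(r"(timeout|retransmit) (\d+)$", line)):
            cur[m[1]] = int(m[2])
        elif cur is not None and line.startswith("automate-tester "):
            cur["automate_tester"] = True
        elif m := re.match(r"radius-server dead-criteria(?: time (\d+))?(?: tries (\d+))?$", line):
            report["dead_criteria"] = {"time": int(m[1]) if m[1] else None, "tries": int(m[2]) if m[2] else None}
        elif m := re.match(r"radius-server deadtime (\d+)$", line):
            report["deadtime"] = int(m[1])
    if report["dead_criteria"] is None:
        report["findings"].append("radius-server dead-criteria not explicitly configured")
    for name, s in servers.items():
        # one request waits for the first attempt plus each retransmit before giving up on this server
        s["worst_case_wait_s"] = s["timeout"] * (s["retransmit"] + 1)
        if not s["automate_tester"]:
            report["findings"].append(f"{name}: no automate-tester, liveness only probed by real client traffic")
    return report
```

Run it against the output of "show run | s radius" to see which servers lack a keepalive tester and whether dead-criteria is set explicitly rather than left to the platform default.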

 

marce1000
VIP Mentor

- Informational : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtl06706

M.

Thanks M8!
