[c-nsp] Backup radius server doesn't work.
Sergey Velikanov [Intelsoft]
sv at intelsoft.com
Thu Jun 29 07:27:02 EDT 2006
I'm trying to back up the primary RADIUS server with the local RADIUS server on an Aironet 1300.
My config is:
aaa group server radius rad_eap <----- primary
 server 192.168.232.254 auth-port 1645 acct-port 1646
aaa group server radius rad_eap_local <------local
 server 192.168.232.3 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap group rad_eap_local
interface BVI1
 ip address 192.168.232.3 255.255.255.0
 no ip route-cache
radius-server local
 no authentication eapfast
 no authentication mac
 nas 192.168.232.3 key 7 08351D
 user tess nthash 7 0756781A1D5B415043412D2D54087A7C0E666D724B554227580F0F7D71012F273B
If the primary server is available this works fine; if I turn off the primary server, the local server can't
authenticate the user (but if I leave only the local RADIUS server in eap_methods it also works fine;
I do it with the command "aaa authentication login eap_methods group rad_eap_local").
Why doesn't it work if the primary server is down?
This is the debug log:
Jun 29 10:58:36.603: RADIUS/ENCODE(0000014C):Orig. component type = DOT11
Jun 29 10:58:36.603: RADIUS(0000014C): Storing nasport 585 in rad_db
Jun 29 10:58:36.603: RADIUS(0000014C): Config NAS IP: 192.168.232.3
Jun 29 10:58:36.603: RADIUS/ENCODE(0000014C): acct_session_id: 332
Jun 29 10:58:36.603: RADIUS(0000014C): Config NAS IP: 192.168.232.3
Jun 29 10:58:36.603: RADIUS(0000014C): sending
Jun 29 10:58:36.604: RADIUS(0000014C): Send Access-Request to 192.168.232.254:1645 id 1645/10, len 173
Jun 29 10:58:36.604: RADIUS: authenticator 97 F2 CE FF 87 98 4A 96 - 71 52 12 B0 D8 77 6F 37
Jun 29 10:58:36.604: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:58:36.604: RADIUS: Framed-MTU [12] 6 1400
Jun 29 10:58:36.604: RADIUS: Called-Station-Id [30] 16 "0013.1a4b.ae50"
Jun 29 10:58:36.604: RADIUS: Calling-Station-Id [31] 16 "0017.0e91.fbc0"
Jun 29 10:58:36.605: RADIUS: Vendor, Cisco [26] 18
Jun 29 10:58:36.605: RADIUS: Cisco AVpair [1] 12 "ssid=is_ap"
Jun 29 10:58:36.605: RADIUS: Vendor, WISPr [26] 18
Jun 29 10:58:36.605: RADIUS: WISPr VSA [2] 12 "Office 723"
Jun 29 10:58:36.605: RADIUS: Service-Type [6] 6 Login [1]
Jun 29 10:58:36.605: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:58:36.605: RADIUS: EAP-Message [79] 11
Jun 29 10:58:36.605: RADIUS: 02 02 00 09 01 74 65 73 73 [?????tess]
Jun 29 10:58:36.606: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 29 10:58:36.606: RADIUS: Vendor, Cisco [26] 11
Jun 29 10:58:36.606: RADIUS: cisco-nas-port [2] 5 "585"
Jun 29 10:58:36.606: RADIUS: NAS-Port [5] 6 585
Jun 29 10:58:36.606: RADIUS: NAS-IP-Address [4] 6 192.168.232.3
Jun 29 10:58:36.606: RADIUS: Nas-Identifier [32] 9 "aoffice"
Jun 29 10:58:41.940: RADIUS: no sg in radius-timers: ctx 0xA451F8 sg 0x0000
Jun 29 10:58:41.940: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/10
Jun 29 10:58:41.940: RADIUS: authenticator 97 F2 CE FF 87 98 4A 96 - 71 52 12 B0 D8 77 6F 37
Jun 29 10:58:41.940: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:58:41.940: RADIUS: ............. skip ..................
Jun 29 10:58:47.220: RADIUS: no sg in radius-timers: ctx 0xA451F8 sg 0x0000
Jun 29 10:58:47.220: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/10
Jun 29 10:58:47.220: RADIUS: authenticator 97 F2 CE FF 87 98 4A 96 - 71 52 12 B0 D8 77 6F 37
Jun 29 10:58:47.220: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:58:41.940: RADIUS: ............. skip ..................
Jun 29 10:58:52.756: RADIUS: no sg in radius-timers: ctx 0xA451F8 sg 0x0000
Jun 29 10:58:52.756: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/10
Jun 29 10:58:52.756: RADIUS: authenticator 97 F2 CE FF 87 98 4A 96 - 71 52 12 B0 D8 77 6F 37
Jun 29 10:58:52.756: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:58:41.940: RADIUS: ............. skip ..................
Jun 29 10:58:57.415: RADIUS/ENCODE(0000014D):Orig. component type = DOT11
Jun 29 10:58:57.415: RADIUS(0000014D): Storing nasport 586 in rad_db
Jun 29 10:58:57.415: RADIUS(0000014D): Config NAS IP: 192.168.232.3
Jun 29 10:58:57.415: RADIUS/ENCODE(0000014D): acct_session_id: 333
Jun 29 10:58:57.416: RADIUS(0000014D): Config NAS IP: 192.168.232.3
Jun 29 10:58:57.416: RADIUS(0000014D): sending
Jun 29 10:58:57.416: RADIUS(0000014D): Send Access-Request to 192.168.232.254:1645 id 1645/11, len 173
Jun 29 10:58:57.416: RADIUS: authenticator C2 66 D7 67 8B C6 DF 32 - 30 20 E8 40 69 9F 4E 08
Jun 29 10:58:57.416: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:58:57.417: RADIUS: Framed-MTU [12] 6 1400
Jun 29 10:58:57.417: RADIUS: Called-Station-Id [30] 16 "0013.1a4b.ae50"
Jun 29 10:58:57.417: RADIUS: Calling-Station-Id [31] 16 "0017.0e91.fbc0"
Jun 29 10:58:57.417: RADIUS: Vendor, Cisco [26] 18
Jun 29 10:58:57.417: RADIUS: Cisco AVpair [1] 12 "ssid=is_ap"
Jun 29 10:58:57.417: RADIUS: Vendor, WISPr [26] 18
Jun 29 10:58:57.417: RADIUS: WISPr VSA [2] 12 "Office 723"
Jun 29 10:58:57.417: RADIUS: Service-Type [6] 6 Login [1]
Jun 29 10:58:57.417: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:58:57.418: RADIUS: EAP-Message [79] 11
Jun 29 10:58:57.418: RADIUS: 02 02 00 09 01 74 65 73 73 [?????tess]
Jun 29 10:58:57.418: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 29 10:58:57.418: RADIUS: Vendor, Cisco [26] 11
Jun 29 10:58:57.418: RADIUS: cisco-nas-port [2] 5 "586"
Jun 29 10:58:57.418: RADIUS: NAS-Port [5] 6 586
Jun 29 10:58:57.418: RADIUS: NAS-IP-Address [4] 6 192.168.232.3
Jun 29 10:58:57.418: RADIUS: Nas-Identifier [32] 9 "aoffice"
Jun 29 10:58:58.386: RADIUS: no sg in radius-timers: ctx 0xA451F8 sg 0x0000
Jun 29 10:58:58.386: RADIUS: No response from (192.168.232.254:1645,1646) for id 1645/10
Jun 29 10:58:58.386: RADIUS/DECODE: parse response no app start; FAIL
Jun 29 10:58:58.386: RADIUS/DECODE: parse response; FAIL
Jun 29 10:58:58.386: RADIUS/ENCODE(0000014C):Orig. component type = INVALID
Jun 29 10:58:58.387: RADIUS(0000014C): Config NAS IP: 192.168.232.3
Jun 29 10:58:58.387: RADIUS(0000014C): Config NAS IP: 192.168.232.3
Jun 29 10:58:58.387: RADIUS(0000014C): sending
Jun 29 10:58:58.387: RADIUS(0000014C): Send Access-Request to 192.168.232.3:1812 id 1645/12, len 150
Jun 29 10:58:58.387: RADIUS: authenticator CC 52 2D 40 84 80 8D 29 - 98 82 0B 81 14 64 E3 AE
Jun 29 10:58:58.387: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:58:58.388: RADIUS: Framed-MTU [12] 6 1400
Jun 29 10:58:58.388: RADIUS: Called-Station-Id [30] 16 "0013.1a4b.ae50"
Jun 29 10:58:58.388: RADIUS: Calling-Station-Id [31] 16 "0017.0e91.fbc0"
Jun 29 10:58:58.388: RADIUS: Vendor, Cisco [26] 18
Jun 29 10:58:58.388: RADIUS: Cisco AVpair [1] 12 "ssid=is_ap"
Jun 29 10:58:58.388: RADIUS: Vendor, WISPr [26] 18
Jun 29 10:58:58.388: RADIUS: WISPr VSA [2] 12 "Office 723"
Jun 29 10:58:58.388: RADIUS: Service-Type [6] 6 Login [1]
Jun 29 10:58:58.388: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:58:58.389: RADIUS: EAP-Message [79] 11
Jun 29 10:58:58.389: RADIUS: 02 02 00 09 01 74 65 73 73 [?????tess]
Jun 29 10:58:58.389: RADIUS: NAS-IP-Address [4] 6 192.168.232.3
Jun 29 10:58:58.389: RADIUS: Nas-Identifier [32] 9 "aoffice"
Jun 29 10:58:58.390: RADIUS: Received from id 1645/12 192.168.232.3:1812, Access-Challenge, len 116
Jun 29 10:58:58.390: RADIUS: authenticator 58 F8 9E 87 0F 51 67 20 - C9 FC DE EE 4D 54 61 94
Jun 29 10:58:58.391: RADIUS: EAP-Message [79] 22
Jun 29 10:58:58.391: RADIUS: 01 2A 00 14 11 01 00 08 E6 89 92 C9 BE FE EB 17 [?*??????????????]
Jun 29 10:58:58.391: RADIUS: 74 65 73 73 [tess]
Jun 29 10:58:58.391: RADIUS: Session-Timeout [27] 6 10
Jun 29 10:58:58.391: RADIUS: State [24] 50
Jun 29 10:58:58.392: RADIUS: E6 89 92 C9 BE FE EB 17 00 00 00 00 00 00 00 00 [????????????????]
Jun 29 10:58:58.392: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [????????????????]
Jun 29 10:58:58.392: RADIUS: 31 6E 49 83 C2 B0 7A 69 75 B1 B2 56 EC 4E 84 46 [1nI???ziu??V?N?F]
Jun 29 10:58:58.392: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:58:58.393: RADIUS(0000014C): Received from id 1645/12
Jun 29 10:58:58.393: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes
> What does "Unique id not in use" mean?
Jun 29 10:58:58.393: RADIUS(0000014C): Unique id not in use
Jun 29 10:58:58.393: RADIUS/DECODE(0000014C): There is no RADIUS DB Some Radius attributes may not be stored
Jun 29 10:59:02.514: RADIUS: no sg in radius-timers: ctx 0xD526BC sg 0x0000
Jun 29 10:59:02.514: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/11
Jun 29 10:59:02.514: RADIUS: authenticator C2 66 D7 67 8B C6 DF 32 - 30 20 E8 40 69 9F 4E 08
Jun 29 10:59:02.514: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:59:02.514: RADIUS: Framed-MTU [12] 6 1400
Jun 29 10:59:02.514: RADIUS: Called-Station-Id [30] 16 "0013.1a4b.ae50"
Jun 29 10:59:02.514: RADIUS: Calling-Station-Id [31] 16 "0017.0e91.fbc0"
Jun 29 10:59:02.515: RADIUS: Vendor, Cisco [26] 18
Jun 29 10:59:02.515: RADIUS: Cisco AVpair [1] 12 "ssid=is_ap"
Jun 29 10:59:02.515: RADIUS: Vendor, WISPr [26] 18
Jun 29 10:59:02.515: RADIUS: WISPr VSA [2] 12 "Office 723"
Jun 29 10:59:02.515: RADIUS: Service-Type [6] 6 Login [1]
Jun 29 10:59:02.515: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:59:02.515: RADIUS: EAP-Message [79] 11
Jun 29 10:59:02.515: RADIUS: 02 02 00 09 01 74 65 73 73 [?????tess]
Jun 29 10:59:02.516: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 29 10:59:02.516: RADIUS: Vendor, Cisco [26] 11
Jun 29 10:59:02.516: RADIUS: cisco-nas-port [2] 5 "586"
Jun 29 10:59:02.516: RADIUS: NAS-Port [5] 6 586
Jun 29 10:59:02.516: RADIUS: NAS-IP-Address [4] 6 192.168.232.3
Jun 29 10:59:02.516: RADIUS: Nas-Identifier [32] 9 "aoffice"
Jun 29 10:59:07.823: RADIUS: no sg in radius-timers: ctx 0xD526BC sg 0x0000
Jun 29 10:59:07.823: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/11
Jun 29 10:59:07.823: RADIUS: authenticator C2 66 D7 67 8B C6 DF 32 - 30 20 E8 40 69 9F 4E 08
Jun 29 10:59:07.824: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:59:07.824: RADIUS: Framed-MTU [12] 6 1400
Jun 29 10:59:07.824: RADIUS: Called-Station-Id [30] 16 "0013.1a4b.ae50"
Jun 29 10:59:07.824: RADIUS: Calling-Station-Id [31] 16 "0017.0e91.fbc0"
Jun 29 10:59:07.824: RADIUS: Vendor, Cisco [26] 18
Jun 29 10:59:07.824: RADIUS: Cisco AVpair [1] 12 "ssid=is_ap"
Jun 29 10:59:07.824: RADIUS: Vendor, WISPr [26] 18
Jun 29 10:59:07.824: RADIUS: WISPr VSA [2] 12 "Office 723"
Jun 29 10:59:07.824: RADIUS: Service-Type [6] 6 Login [1]
Jun 29 10:59:07.825: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:59:07.825: RADIUS: EAP-Message [79] 11
Jun 29 10:59:07.825: RADIUS: 02 02 00 09 01 74 65 73 73 [?????tess]
Jun 29 10:59:07.825: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 29 10:59:07.825: RADIUS: Vendor, Cisco [26] 11
Jun 29 10:59:07.825: RADIUS: cisco-nas-port [2] 5 "586"
Jun 29 10:59:07.825: RADIUS: NAS-Port [5] 6 586
Jun 29 10:59:07.825: RADIUS: NAS-IP-Address [4] 6 192.168.232.3
Jun 29 10:59:07.826: RADIUS: Nas-Identifier [32] 9 "aoffice"
Jun 29 10:59:13.519: RADIUS: no sg in radius-timers: ctx 0xD526BC sg 0x0000
Jun 29 10:59:13.519: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/11
Jun 29 10:59:13.519: RADIUS: authenticator C2 66 D7 67 8B C6 DF 32 - 30 20 E8 40 69 9F 4E 08
Jun 29 10:59:13.520: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:59:13.520: RADIUS: Framed-MTU [12] 6 1400
Jun 29 10:59:13.520: RADIUS: Called-Station-Id [30] 16 "0013.1a4b.ae50"
Jun 29 10:59:13.520: RADIUS: Calling-Station-Id [31] 16 "0017.0e91.fbc0"
Jun 29 10:59:13.520: RADIUS: Vendor, Cisco [26] 18
Jun 29 10:59:13.520: RADIUS: Cisco AVpair [1] 12 "ssid=is_ap"
Jun 29 10:59:13.520: RADIUS: Vendor, WISPr [26] 18
Jun 29 10:59:13.520: RADIUS: WISPr VSA [2] 12 "Office 723"
Jun 29 10:59:13.520: RADIUS: Service-Type [6] 6 Login [1]
Jun 29 10:59:13.521: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:59:13.521: RADIUS: EAP-Message [79] 11
Jun 29 10:59:13.521: RADIUS: 02 02 00 09 01 74 65 73 73 [?????tess]
Jun 29 10:59:13.521: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 29 10:59:13.521: RADIUS: Vendor, Cisco [26] 11
Jun 29 10:59:13.521: RADIUS: cisco-nas-port [2] 5 "586"
Jun 29 10:59:13.521: RADIUS: NAS-Port [5] 6 586
Jun 29 10:59:13.521: RADIUS: NAS-IP-Address [4] 6 192.168.232.3
Jun 29 10:59:13.522: RADIUS: Nas-Identifier [32] 9 "aoffice"
Jun 29 10:59:18.573: RADIUS: no sg in radius-timers: ctx 0xD526BC sg 0x0000
Jun 29 10:59:18.573: RADIUS: No response from (192.168.232.254:1645,1646) for id 1645/11
Why does it say FAIL? Should it be ERROR?
Jun 29 10:59:18.573: RADIUS/DECODE: parse response no app start; FAIL
Jun 29 10:59:18.573: RADIUS/DECODE: parse response; FAIL
Jun 29 10:59:18.573: RADIUS/ENCODE(0000014D):Orig. component type = DOT11
Jun 29 10:59:18.574: RADIUS(0000014D): Using existing nas_port 586
Jun 29 10:59:18.574: RADIUS(0000014D): Config NAS IP: 192.168.232.3
Jun 29 10:59:18.574: RADIUS/ENCODE(0000014D): acct_session_id: 333
Jun 29 10:59:18.574: RADIUS(0000014D): Config NAS IP: 192.168.232.3
Jun 29 10:59:18.574: RADIUS(0000014D): sending
Jun 29 10:59:18.574: RADIUS(0000014D): Send Access-Request to 192.168.232.3:1812 id 1645/13, len 173
Jun 29 10:59:18.575: RADIUS: authenticator 1B B7 D6 8A B9 D5 13 0D - 3E F9 56 78 D7 46 87 18
Jun 29 10:59:18.575: RADIUS: User-Name [1] 6 "tess"
Jun 29 10:59:18.575: RADIUS: Framed-MTU [12] 6 1400
Jun 29 10:59:18.575: RADIUS: Called-Station-Id [30] 16 "0013.1a4b.ae50"
Jun 29 10:59:18.575: RADIUS: Calling-Station-Id [31] 16 "0017.0e91.fbc0"
Jun 29 10:59:18.575: RADIUS: Vendor, Cisco [26] 18
Jun 29 10:59:18.575: RADIUS: Cisco AVpair [1] 12 "ssid=is_ap"
Jun 29 10:59:18.575: RADIUS: Vendor, WISPr [26] 18
Jun 29 10:59:18.575: RADIUS: WISPr VSA [2] 12 "Office 723"
Jun 29 10:59:18.576: RADIUS: Service-Type [6] 6 Login [1]
Jun 29 10:59:18.576: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:59:18.576: RADIUS: EAP-Message [79] 11
Jun 29 10:59:18.576: RADIUS: 02 02 00 09 01 74 65 73 73 [?????tess]
Jun 29 10:59:18.576: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 29 10:59:18.576: RADIUS: Vendor, Cisco [26] 11
Jun 29 10:59:18.576: RADIUS: cisco-nas-port [2] 5 "586"
Jun 29 10:59:18.576: RADIUS: NAS-Port [5] 6 586
Jun 29 10:59:18.576: RADIUS: NAS-IP-Address [4] 6 192.168.232.3
Jun 29 10:59:18.576: RADIUS: Nas-Identifier [32] 9 "aoffice"
Jun 29 10:59:18.577: RADIUS: Received from id 1645/13 192.168.232.3:1812, Access-Challenge, len 116
Jun 29 10:59:18.578: RADIUS: authenticator 3A 53 68 18 D0 6A 70 70 - 77 AC 46 AE BD 4F C5 9F
Jun 29 10:59:18.578: RADIUS: EAP-Message [79] 22
Jun 29 10:59:18.578: RADIUS: 01 2B 00 14 11 01 00 08 0C E8 C1 C4 63 0F 49 52 [?+??????????c?IR]
Jun 29 10:59:18.578: RADIUS: 74 65 73 73 [tess]
Jun 29 10:59:18.578: RADIUS: Session-Timeout [27] 6 10
Jun 29 10:59:18.578: RADIUS: State [24] 50
Jun 29 10:59:18.579: RADIUS: 0C E8 C1 C4 63 0F 49 52 00 00 00 00 00 00 00 00 [????c?IR????????]
Jun 29 10:59:18.579: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [????????????????]
Jun 29 10:59:18.579: RADIUS: BE A8 07 0E DA 86 C4 80 34 E1 65 1D 5F DE B9 F9 [????????4?e?_???]
Jun 29 10:59:18.579: RADIUS: Message-Authenticato[80] 18 *
Jun 29 10:59:18.580: RADIUS(0000014D): Received from id 1645/13
Jun 29 10:59:18.580: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes
Jun 29 10:59:18.745: %DOT11-4-MAXRETRIES: Packet to client 0017.0e91.fbc0 reached max retries, removing the client
Jun 29 10:59:18.745: Client 0017.0e91.fbc0 failed: reached maximum retries
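A small parser for the debug output above, added here as an example and not part of the original post: it measures how long each Access-Request waited on 192.168.232.254 before being re-sent to the local server, and how soon after the last re-send the client was removed. The function name and the `year` argument are assumptions (IOS omits the year; 2006 is taken from the post's date header); the log lines are copied from the post.

```python
import re
from datetime import datetime

# Lines copied from the debug log in the post above (attribute dumps left out).
LOG = """\
Jun 29 10:58:36.604: RADIUS(0000014C): Send Access-Request to 192.168.232.254:1645 id 1645/10, len 173
Jun 29 10:58:41.940: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/10
Jun 29 10:58:47.220: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/10
Jun 29 10:58:52.756: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/10
Jun 29 10:58:57.416: RADIUS(0000014D): Send Access-Request to 192.168.232.254:1645 id 1645/11, len 173
Jun 29 10:58:58.386: RADIUS: No response from (192.168.232.254:1645,1646) for id 1645/10
Jun 29 10:58:58.387: RADIUS(0000014C): Send Access-Request to 192.168.232.3:1812 id 1645/12, len 150
Jun 29 10:59:02.514: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/11
Jun 29 10:59:07.823: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/11
Jun 29 10:59:13.519: RADIUS: Retransmit to (192.168.232.254:1645,1646) for id 1645/11
Jun 29 10:59:18.573: RADIUS: No response from (192.168.232.254:1645,1646) for id 1645/11
Jun 29 10:59:18.574: RADIUS(0000014D): Send Access-Request to 192.168.232.3:1812 id 1645/13, len 173
Jun 29 10:59:18.745: %DOT11-4-MAXRETRIES: Packet to client 0017.0e91.fbc0 reached max retries, removing the client
"""

SEND = re.compile(r"RADIUS\((\w+)\): Send Access-Request to ([\d.]+):\d+ id ([\d/]+)")
RETX = re.compile(r"Retransmit to \(.*\) for id ([\d/]+)")

def failover_timeline(log, year="2006"):
    """Per AAA session: retransmits sent to the first server and seconds until
    the request was re-sent to a different one; plus the removal gap."""
    sessions, pkt_owner, last_failover, gap = {}, {}, None, None
    for line in log.splitlines():
        stamp, _, msg = line.partition(": ")
        t = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
        if m := SEND.search(msg):
            ctx, server, pid = m.groups()
            s = sessions.setdefault(ctx, {"first": t, "primary": server, "retx": 0})
            pkt_owner[pid] = ctx            # map RADIUS packet id to its session
            if server != s["primary"]:      # same session, different server
                s["backup"] = server
                s["delay"] = (t - s["first"]).total_seconds()
                last_failover = t
        elif m := RETX.search(msg):
            sessions[pkt_owner[m.group(1)]]["retx"] += 1
        elif "MAXRETRIES" in msg and last_failover:
            gap = (t - last_failover).total_seconds()
    return sessions, gap

if __name__ == "__main__":
    sessions, gap = failover_timeline(LOG)
    for ctx, s in sessions.items():
        print(ctx, s["retx"], "retransmits, failover after", s["delay"], "s")
    print("client removed", gap, "s after the last failover request")
```

On this log both sessions spend more than 21 seconds on the primary before the request reaches 192.168.232.3, and the MAXRETRIES removal follows the second failover request by 0.171 s.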