[c-nsp] redundant radius server config

Dan Letkeman danletkeman at gmail.com
Mon Dec 10 13:20:00 EST 2012


Thanks, looks like the "radius-server timeout" option was what I was
missing.


On Mon, Dec 10, 2012 at 9:38 AM, Alberto Cruz <alberto.cruz at execulink.com> wrote:

> Hello Dan
>
> You need to adjust the following values:
> Router(config)# radius-server retransmit <retries>
> Specifies how many times the router transmits each RADIUS request to the
> server before giving up (the default is 3).
>
> Router(config)# radius-server timeout <seconds>
> Specifies for how many seconds a router waits for a reply to a RADIUS
> request before retransmitting the request.
>
> Router(config)# radius-server deadtime <minutes>
> Specifies for how many minutes a RADIUS server that is not responding to
> authentication requests is passed over by requests for RADIUS
> authentication.
>
> Alberto
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: December-09-12 9:38 PM
> To: cisco-nsp
> Subject: [c-nsp] redundant radius server config
>
> Hello,
>
> Having some trouble with my redundant radius server config.  I have
> configured the switch to use two different radius servers in a group.
>
> When I shut down one of the radius servers the switch still requests a
> connection to the down server, then times out and tries the secondary
> server, but the last message I see is "access-challenge" on the radius
> servers and it stalls there.  The only way I can get it to work again is to
> wait a long time or do a shut, no shut on the port.  So it seems as if the
> redundancy is working but not all of the messages are getting through when
> it fails over to the redundant server.
>
> I'm also seeing these messages when I shut off the radius server.  Don't
> think I should be seeing the alive message when it's off.
>
> Dec 10 01:38:08.246: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
> Dec 10 01:39:08.250: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
>
> 3560G 15.0(1)SE3
>
> Relevant config:
>
>
> aaa group server radius gvsd_radius
>  server name radius1
>  server name radius2
> !
> aaa authentication dot1x default group gvsd_radius
> aaa authorization network default group gvsd_radius
> aaa accounting dot1x network start-stop group gvsd_radius
> !
> dot1x system-auth-control
> !
> interface GigabitEthernet0/16
>  switchport access vlan 1125
>  switchport mode access
>  authentication port-control auto
>  authentication periodic
>  dot1x pae authenticator
>  spanning-tree portfast
> !
> radius-server retransmit 5
> radius-server deadtime 1
> !
> radius server radius2
>  address ipv4 10.11.200.11 auth-port 1812 acct-port 1813
>  key cisco
> !
> radius server radius1
>  address ipv4 10.11.200.10 auth-port 1812 acct-port 1813
>  key cisco
> !
>
>
> Here is an example.  I had 10.11.200.10 (radius1) running, authenticated
> successfully, then shut it off.  With 10.11.200.11 (radius2) the only one
> running I did a shut, no shut on G0/16.
>
> logs:
>
>
>
> Dec 10 02:32:15.151: RADIUS/ENCODE(000004F2):Orig. component type = Dot1X
> Dec 10 02:32:15.151: RADIUS(000004F2): Config NAS IP: 0.0.0.0
> Dec 10 02:32:15.151: RADIUS(000004F2): Config NAS IPv6: ::
> Dec 10 02:32:15.151: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
> Dec 10 02:32:15.151: RADIUS(000004F2): Sending a IPv4 Radius Packet
> Dec 10 02:32:15.151: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:17.106: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
> 802.1x(config-if)#
> Dec 10 02:32:19.815: RADIUS(000004F2): Request timed out
> Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:19.815: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:24.580: RADIUS(000004F2): Request timed out
> Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:24.580: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:29.353: RADIUS(000004F2): Request timed out
> Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:29.353: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:33.145: RADIUS/ENCODE(000004F2):Orig. component type = Dot1X
> Dec 10 02:32:33.145: RADIUS(000004F2): Config NAS IP: 0.0.0.0
> Dec 10 02:32:33.145: RADIUS(000004F2): Config NAS IPv6: ::
> Dec 10 02:32:33.145: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
> Dec 10 02:32:33.145: RADIUS(000004F2): Sending a IPv4 Radius Packet
> Dec 10 02:32:33.145: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:34.319: RADIUS(000004F2): Request timed out
> Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:34.319: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:38.119: RADIUS(000004F2): Request timed out
> Dec 10 02:32:38.119: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
> Dec 10 02:32:38.119: RADIUS(000004F2): Started 5 sec timeout
> Dec 10 02:32:38.656: RADIUS(000004F2): Request timed out
> Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:38.656: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:42.758: RADIUS(000004F2): Request timed out
> Dec 10 02:32:42.767: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
> Dec 10 02:32:42.767: RADIUS(000004F2): Started 5 sec timeout
> Dec 10 02:32:43.471: RADIUS(000004F2): Request timed out
> Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
> Dec 10 02:32:43.471: RADIUS:  authenticator 77 4E 8B 50 10 D5 86 A4 - 78 32 47 FE 83 B0 1E BE
> Dec 10 02:32:43.471: RADIUS:  User-Name           [1]   23  "host/user at example.com"
> Dec 10 02:32:43.471: RADIUS:  Service-Type        [6]   6   Framed                    [2]
> Dec 10 02:32:43.471: RADIUS:  Framed-MTU          [12]  6   1500
> Dec 10 02:32:43.471: RADIUS:  Called-Station-Id   [30]  19  "9C-AF-CA-F4-40-10"
> Dec 10 02:32:43.471: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-7D-72-DE"
> Dec 10 02:32:43.471: RADIUS:  EAP-Message         [79]  28
> Dec 10 02:32:43.471: RADIUS:   02 01 00 1A 01 68 6F 73 74 2F 75 73 65 72 40 65 78 61 6D 70 6C  [host/user at exampl]
> Dec 10 02:32:43.471: RADIUS:   65 2E 63 6F 6D             [ e.com]
> Dec 10 02:32:43.471: RADIUS:  Message-Authenticato[80]  18
> Dec 10 02:32:43.471: RADIUS:   9E E2 EE 64 F7 3E 21 37 20 EB 75 10 44 82 0C 46          [ d>!7 uDF]
> Dec 10 02:32:43.471: RADIUS:  EAP-Key-Name        [102] 2   *
> 802.1x(config-if)#
> Dec 10 02:32:43.471: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
> Dec 10 02:32:43.471: RADIUS:  NAS-Port            [5]   6   50016
> Dec 10 02:32:43.471: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/16"
> Dec 10 02:32:43.471: RADIUS:  NAS-IP-Address      [4]   6   10.11.200.73
> Dec 10 02:32:43.471: RADIUS(000004F2): Started 5 sec timeout
> Dec 10 02:32:44.478: RADIUS: Received from id 1645/184 10.11.200.11:1812, Access-Challenge, len 80
> Dec 10 02:32:44.478: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
> 802.1x(config-if)#
> Dec 10 02:32:47.666: RADIUS(000004F2): Request timed out
> Dec 10 02:32:47.666: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
> Dec 10 02:32:47.666: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:52.070: RADIUS(000004F2): Request timed out
> Dec 10 02:32:52.070: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
> Dec 10 02:32:52.070: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/185
> Dec 10 02:32:52.070: RADIUS:  authenticator EB 8C C4 3F 9B 64 20 D1 - 29 55 5C 79 37 AA F2 58
> Dec 10 02:32:52.070: RADIUS:  User-Name           [1]   23  "host/user at example.com"
> Dec 10 02:32:52.070: RADIUS:  Service-Type        [6]   6   Framed                    [2]
> Dec 10 02:32:52.070: RADIUS:  Framed-MTU          [12]  6   1500
> Dec 10 02:32:52.070: RADIUS:  Called-Station-Id   [30]  19  "9C-AF-CA-F4-40-10"
> Dec 10 02:32:52.070: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-7D-72-DE"
> Dec 10 02:32:52.070: RADIUS:  EAP-Message         [79]  28
> Dec 10 02:32:52.070: RADIUS:   02 01 00 1A 01 68 6F 73 74 2F 75 73 65 72 40 65 78 61 6D 70 6C  [host/user at exampl]
> Dec 10 02:32:52.070: RADIUS:   65 2E 63 6F 6D             [ e.com]
> Dec 10 02:32:52.070: RADIUS:  Message-Authenticato[80]  18
> Dec 10 02:32:52.070: RADIUS:   9D 5E 7D 18 0D 3D 42 12 B5 37 23 C8 F8 C5 51 31          [ ^}=B7#Q1]
> Dec 10 02:32:52.070: RADIUS:  EAP-Key-Name        [102] 2   *
> Dec 10 02:32:52.070: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
> Dec 10 02:32:52.070: RADIUS:  NAS-Port            [5]   6   50016
> Dec 10 02:32:52.070: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/16"
> 802.1x(config-if)#
> Dec 10 02:32:52.070: RADIUS:  NAS-IP-Address      [4]   6   10.11.200.73
> Dec 10 02:32:52.070: RADIUS(000004F2): Started 5 sec timeout
> Dec 10 02:32:52.078: RADIUS: Received from id 1645/185 10.11.200.11:1812, Access-Challenge, len 80
> Dec 10 02:32:52.078: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
> 802.1x(config-if)#
> Dec 10 02:33:52.074: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
>
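The thread's fix was tuning the retransmit/timeout/deadtime knobs Alberto listed. The script below is an added example, not code from the thread or from Cisco: it models the worst-case time one request can spend on a dead server before IOS fails over (initial transmit plus `retransmit` retries, each waiting `timeout` seconds, which is what the five "Retransmit" lines before "Fail-over" in Dan's debug show) and measures the same thing from the debug output, along with how long the server stayed marked dead before `deadtime` expired. Assumptions: Python 3; the embedded log is reconstructed from Dan's `debug radius` output with one event per line and the interleaved id 1645/185 events dropped; the year 2012 is assumed because IOS timestamps carry none; the "Sending" line has no request id, so it is attributed to the next new id seen.

```python
"""Added example (not from the thread): model IOS RADIUS fail-over timing and
measure it from the quoted debug log."""
import re
from datetime import datetime

LOG_YEAR = 2012  # assumed; IOS debug timestamps carry no year

# Reconstructed from the thread's debug output, one event per line, request
# id 1645/184 only (the interleaved 1645/185 events are dropped for clarity).
SAMPLE_LOG = """\
Dec 10 02:32:15.151: RADIUS(000004F2): Sending a IPv4 Radius Packet
Dec 10 02:32:15.151: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:19.815: RADIUS(000004F2): Request timed out
Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:24.580: RADIUS(000004F2): Request timed out
Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:29.353: RADIUS(000004F2): Request timed out
Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:34.319: RADIUS(000004F2): Request timed out
Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:38.656: RADIUS(000004F2): Request timed out
Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:43.471: RADIUS(000004F2): Request timed out
Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
Dec 10 02:32:44.478: RADIUS: Received from id 1645/184 10.11.200.11:1812, Access-Challenge, len 80
Dec 10 02:32:52.070: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
Dec 10 02:33:52.074: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
RETRANS_RE = re.compile(r"RADIUS: Retransmit to \(([\d.]+:[\d,]+)\) for id (\S+)")
FAILOVER_RE = re.compile(r"RADIUS: Fail-over to \(([\d.]+:[\d,]+)\) for id (\S+)")
DEAD_RE = re.compile(r"%RADIUS-4-RADIUS_DEAD: RADIUS server (\S+) is not responding")
ALIVE_RE = re.compile(r"%RADIUS-4-RADIUS_ALIVE: RADIUS server (\S+) is being marked alive")


def parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S.%f")


def worst_case_failover_delay(timeout_s, retransmit):
    """Seconds one request can sit on a dead server before the NAS fails over:
    the initial transmit plus `retransmit` retries, each waiting `timeout_s`.
    Dan's config (retransmit 5) with the 5 s timeout his log shows gives 30 s;
    the IOS defaults Alberto quotes (retransmit 3, timeout 5) give 20 s."""
    return timeout_s * (retransmit + 1)


def analyze(log_text):
    """Per request id: retransmit count, fail-over target and seconds from the
    first transmit to fail-over.  Also each server's dead-to-alive window."""
    requests, dead_since, dead_windows, last_send = {}, {}, [], None
    blank = {"start": None, "retransmits": 0, "failover_s": None, "failover_to": None}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        retrans, failover = RETRANS_RE.search(msg), FAILOVER_RE.search(msg)
        dead, alive = DEAD_RE.search(msg), ALIVE_RE.search(msg)
        if "Sending a IPv4 Radius Packet" in msg:
            last_send = ts  # no id on this line; attributed to the next new id
        elif retrans:
            req = requests.setdefault(retrans.group(2), dict(blank, start=last_send))
            req["retransmits"] += 1
        elif failover:
            req = requests.setdefault(failover.group(2), dict(blank, start=last_send))
            req["failover_to"] = failover.group(1)
            if req["start"] is not None:
                req["failover_s"] = round((ts - req["start"]).total_seconds(), 3)
        elif dead:
            dead_since[dead.group(1)] = ts
        elif alive and alive.group(1) in dead_since:
            secs = (ts - dead_since.pop(alive.group(1))).total_seconds()
            dead_windows.append((alive.group(1), round(secs, 3)))
    return {"requests": requests, "dead_windows": dead_windows}


def within_retry_budget(result, timeout_s, retransmit):
    """True if every observed fail-over happened within the configured budget."""
    budget = worst_case_failover_delay(timeout_s, retransmit)
    return all(r["failover_s"] is not None and r["failover_s"] <= budget
               for r in result["requests"].values())


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("budget (timeout 5, retransmit 5):", worst_case_failover_delay(5, 5), "s")
    for rid, req in result["requests"].items():
        print(rid, req)
    for server, secs in result["dead_windows"]:
        print(server, "marked dead for", secs, "s")
```

Run against the reconstructed log it reports five retransmits and a 28.32 s wait before the first packet reaches 10.11.200.11, and a 60 s dead window for 10.11.200.10, which is the `radius-server deadtime 1` in Dan's config expiring and the server being retried while still down. Lowering the timeout shortens the per-request budget the first function computes; raising deadtime lengthens the window during which the dead server is skipped.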