Hello Dan

You need to adjust the following values:
Router(config)# radius-server retransmit <retries>
Specifies how many times the router transmits each RADIUS request to the server 
before giving up (the default is 3).

Router(config)# radius-server timeout <seconds>
Specifies for how many seconds a router waits for a reply to a RADIUS request 
before retransmitting the request.

Router(config)# radius-server deadtime <minutes>
Specifies for how many minutes a RADIUS server that is not responding to 
authentication requests is passed over by requests for RADIUS authentication.

Alberto
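
A worked example of how those three knobs combine, added here as an editorial illustration; it is not part of Alberto's reply or Dan's post. It is a simplified Python model of the IOS behaviour, and the simplification is an assumption: each server that stays silent costs 1 + retransmit transmissions of timeout seconds before the request fails over to the next server in the group, and with a non-zero deadtime the silent server is skipped until deadtime expires, after which it is tried again. Run with the settings from the original post (retransmit 5, default timeout 5 s, deadtime 1) it gives a 30 s stall on the first request, no stall while radius1 is marked dead, and another 30 s stall once the minute is up. That is what the log below shows: id 1645/184 failed over about 28 s after it was first sent, and radius1 was marked alive 60 s after being marked dead. Server names and addresses are taken from the posted config; the second scenario uses tighter values chosen only for illustration.

```python
"""Simplified model of how radius-server timeout / retransmit / deadtime combine
into failover delay on an IOS RADIUS server group.

Added example, not code from the thread. The model (an assumption, simplified from
IOS behaviour) is: a request is offered to the group's servers in configured
order, skipping any server still inside its deadtime; a server that does not
answer within `timeout` seconds is retried `retransmit` more times, then the
request fails over to the next server and, if deadtime is non-zero, the silent
server is marked dead for `deadtime` minutes.
"""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    address: str
    up: bool = True          # whether the simulated server answers at all
    dead_until: float = 0.0  # simulated-clock instant at which its deadtime expires


@dataclass
class RadiusGroup:
    servers: list
    timeout: float = 5.0       # radius-server timeout <seconds> (IOS default 5)
    retransmit: int = 3        # radius-server retransmit <retries> (IOS default 3)
    deadtime_min: float = 0.0  # radius-server deadtime <minutes> (default 0: never marked dead)
    events: list = field(default_factory=list)

    def worst_case_per_server(self):
        """Seconds spent on one silent server before failing over: the first
        transmission plus `retransmit` retries, each waiting `timeout`."""
        return (1 + self.retransmit) * self.timeout

    def authenticate(self, now):
        """Offer one request to the group at simulated time `now`.
        Returns (name of the server that answered or None, seconds elapsed)."""
        t = now
        for srv in self.servers:
            if srv.dead_until > t:
                self.events.append(f"t={t:.0f}: {srv.name} skipped, marked dead")
                continue
            if srv.up:
                self.events.append(f"t={t:.0f}: {srv.name} answered")
                return srv.name, t - now
            t += self.worst_case_per_server()
            self.events.append(f"t={t:.0f}: {srv.name} silent, failing over")
            if self.deadtime_min > 0:
                srv.dead_until = t + self.deadtime_min * 60
                self.events.append(f"t={t:.0f}: {srv.name} marked dead for {self.deadtime_min:g} min")
        return None, t - now


def run_scenario(timeout, retransmit, deadtime_min, request_times):
    """radius1 is down and radius2 is up (constructed to match the thread);
    returns (server, delay) for one request at each time in `request_times`."""
    group = RadiusGroup(
        [RadiusServer("radius1", "10.11.200.10", up=False),
         RadiusServer("radius2", "10.11.200.11")],
        timeout=timeout, retransmit=retransmit, deadtime_min=deadtime_min)
    return [group.authenticate(t) for t in request_times]


if __name__ == "__main__":
    # Settings from the original post: retransmit 5, default timeout 5 s, deadtime 1 minute.
    for srv, delay in run_scenario(5, 5, 1, [0, 31, 100]):
        print(f"answered by {srv} after {delay:.0f} s")
    # Tighter values chosen for illustration: each primary outage costs 4 s instead of 30.
    for srv, delay in run_scenario(2, 1, 5, [0, 31, 100]):
        print(f"answered by {srv} after {delay:.0f} s")
```

The second scenario shows the trade-off: a shorter timeout with fewer retransmits cuts the stall from 30 s to 4 s, and a longer deadtime stops the switch from paying that stall again every minute, at the cost of taking longer to notice when the primary server is actually back. Note that in the model, as in the log below, a server is marked alive when its deadtime expires, not because it answered.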

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Dan Letkeman
Sent: December-09-12 9:38 PM
To: cisco-nsp
Subject: [c-nsp] redundant radius server config

Hello,

Having some trouble with my redundant radius server config.  I have configured 
the switch to use two different radius servers in a group.

When I shut down one of the radius servers the switch still requests a 
connection to the down server, then times out and tries the secondary server, 
but the last message I see is "access-challenge" on the radius servers and it 
stalls there.  The only way I can get it to work again is to wait a long time or 
do a shut, no shut on the port.  So it seems as if the redundancy is working but 
not all of the messages are getting through when it fails over to the redundant 
server.

I'm also seeing these messages when I shut off the radius server.  I don't
think I should be seeing the alive message when it's off.

Dec 10 01:38:08.246: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
Dec 10 01:39:08.250: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.

3560G 15.0(1)SE3

Relevant config:


aaa group server radius gvsd_radius
 server name radius1
 server name radius2
!
aaa authentication dot1x default group gvsd_radius
aaa authorization network default group gvsd_radius
aaa accounting dot1x network start-stop group gvsd_radius
!
dot1x system-auth-control
!
interface GigabitEthernet0/16
 switchport access vlan 1125
 switchport mode access
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 spanning-tree portfast
!
radius-server retransmit 5
radius-server deadtime 1
!
radius server radius2
 address ipv4 10.11.200.11 auth-port 1812 acct-port 1813
 key cisco
!
radius server radius1
 address ipv4 10.11.200.10 auth-port 1812 acct-port 1813
 key cisco
!

Here is an example.  I had 10.11.200.10 (radius1) running, authenticated 
successfully, then shut it off.  With 10.11.200.11 (radius2) the only one 
running, I did a shut, no shut on G0/16.

logs:

Dec 10 02:32:15.151: RADIUS/ENCODE(000004F2):Orig. component type = Dot1X
Dec 10 02:32:15.151: RADIUS(000004F2): Config NAS IP: 0.0.0.0
Dec 10 02:32:15.151: RADIUS(000004F2): Config NAS IPv6: ::
Dec 10 02:32:15.151: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
Dec 10 02:32:15.151: RADIUS(000004F2): Sending a IPv4 Radius Packet
Dec 10 02:32:15.151: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:17.106: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
802.1x(config-if)#
Dec 10 02:32:19.815: RADIUS(000004F2): Request timed out
Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:19.815: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:24.580: RADIUS(000004F2): Request timed out
Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:24.580: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:29.353: RADIUS(000004F2): Request timed out
Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:29.353: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:33.145: RADIUS/ENCODE(000004F2):Orig. component type = Dot1X
Dec 10 02:32:33.145: RADIUS(000004F2): Config NAS IP: 0.0.0.0
Dec 10 02:32:33.145: RADIUS(000004F2): Config NAS IPv6: ::
Dec 10 02:32:33.145: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
Dec 10 02:32:33.145: RADIUS(000004F2): Sending a IPv4 Radius Packet
Dec 10 02:32:33.145: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:34.319: RADIUS(000004F2): Request timed out
Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:34.319: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:38.119: RADIUS(000004F2): Request timed out
Dec 10 02:32:38.119: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
Dec 10 02:32:38.119: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:38.656: RADIUS(000004F2): Request timed out
Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:38.656: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:42.758: RADIUS(000004F2): Request timed out
Dec 10 02:32:42.767: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
Dec 10 02:32:42.767: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:43.471: RADIUS(000004F2): Request timed out
Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
Dec 10 02:32:43.471: RADIUS:  authenticator 77 4E 8B 50 10 D5 86 A4 - 78 32 47 FE 83 B0 1E BE
Dec 10 02:32:43.471: RADIUS:  User-Name           [1]   23  "host/[email protected]"
Dec 10 02:32:43.471: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Dec 10 02:32:43.471: RADIUS:  Framed-MTU          [12]  6   1500
Dec 10 02:32:43.471: RADIUS:  Called-Station-Id   [30]  19  "9C-AF-CA-F4-40-10"
Dec 10 02:32:43.471: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-7D-72-DE"
Dec 10 02:32:43.471: RADIUS:  EAP-Message         [79]  28
Dec 10 02:32:43.471: RADIUS:   02 01 00 1A 01 68 6F 73 74 2F 75 73 65 72 40 65 78 61 6D 70 6C  [host/user@exampl]
Dec 10 02:32:43.471: RADIUS:   65 2E 63 6F 6D             [ e.com]
Dec 10 02:32:43.471: RADIUS:  Message-Authenticato[80]  18
Dec 10 02:32:43.471: RADIUS:   9E E2 EE 64 F7 3E 21 37 20 EB 75 10 44 82 0C 46          [ d>!7 uDF]
Dec 10 02:32:43.471: RADIUS:  EAP-Key-Name        [102] 2   *
802.1x(config-if)#
Dec 10 02:32:43.471: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Dec 10 02:32:43.471: RADIUS:  NAS-Port            [5]   6   50016
Dec 10 02:32:43.471: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/16"
Dec 10 02:32:43.471: RADIUS:  NAS-IP-Address      [4]   6   10.11.200.73
Dec 10 02:32:43.471: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:44.478: RADIUS: Received from id 1645/184 10.11.200.11:1812, Access-Challenge, len 80
Dec 10 02:32:44.478: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
802.1x(config-if)#
Dec 10 02:32:47.666: RADIUS(000004F2): Request timed out
Dec 10 02:32:47.666: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
Dec 10 02:32:47.666: RADIUS(000004F2): Started 5 sec timeout
802.1x(config-if)#
Dec 10 02:32:52.070: RADIUS(000004F2): Request timed out
Dec 10 02:32:52.070: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
Dec 10 02:32:52.070: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/185
Dec 10 02:32:52.070: RADIUS:  authenticator EB 8C C4 3F 9B 64 20 D1 - 29 55 5C 79 37 AA F2 58
Dec 10 02:32:52.070: RADIUS:  User-Name           [1]   23  "host/[email protected]"
Dec 10 02:32:52.070: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Dec 10 02:32:52.070: RADIUS:  Framed-MTU          [12]  6   1500
Dec 10 02:32:52.070: RADIUS:  Called-Station-Id   [30]  19  "9C-AF-CA-F4-40-10"
Dec 10 02:32:52.070: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-7D-72-DE"
Dec 10 02:32:52.070: RADIUS:  EAP-Message         [79]  28
Dec 10 02:32:52.070: RADIUS:   02 01 00 1A 01 68 6F 73 74 2F 75 73 65 72 40 65 78 61 6D 70 6C  [host/user@exampl]
Dec 10 02:32:52.070: RADIUS:   65 2E 63 6F 6D             [ e.com]
Dec 10 02:32:52.070: RADIUS:  Message-Authenticato[80]  18
Dec 10 02:32:52.070: RADIUS:   9D 5E 7D 18 0D 3D 42 12 B5 37 23 C8 F8 C5 51 31          [ ^}=B7#Q1]
Dec 10 02:32:52.070: RADIUS:  EAP-Key-Name        [102] 2   *
Dec 10 02:32:52.070: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Dec 10 02:32:52.070: RADIUS:  NAS-Port            [5]   6   50016
Dec 10 02:32:52.070: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/16"
802.1x(config-if)#
Dec 10 02:32:52.070: RADIUS:  NAS-IP-Address      [4]   6   10.11.200.73
Dec 10 02:32:52.070: RADIUS(000004F2): Started 5 sec timeout
Dec 10 02:32:52.078: RADIUS: Received from id 1645/185 10.11.200.11:1812, Access-Challenge, len 80
Dec 10 02:32:52.078: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
802.1x(config-if)#
Dec 10 02:33:52.074: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
_______________________________________________
cisco-nsp mailing list  [email protected] 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
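
As an added example (editorial, not part of Dan's post or Alberto's reply), a small parser for the debug output format shown above. It reads `Retransmit to`, `Fail-over to`, `Received from`, `%RADIUS-4-RADIUS_DEAD` and `%RADIUS-4-RADIUS_ALIVE` lines and reports, per request id, how many retransmits were sent and how long the request waited before failing over, plus how long each server stayed marked dead. The sample lines are constructed to match the format of the log above (only a few entries, values taken from the thread); the log carries no year, which does not matter because only timestamp differences are used.

```python
"""Parse IOS `debug radius` and %RADIUS syslog lines to measure time-to-failover
per request and how long a server stayed marked dead.

Added example, not from the thread. SAMPLE_LOG is constructed to match the
format of the debug output in the thread. The log carries no year, so strptime
defaults to 1900; that is fine because only differences between timestamps are used.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Dec 10 02:32:15.151: RADIUS(000004F2): Sending a IPv4 Radius Packet
Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
Dec 10 02:32:44.478: RADIUS: Received from id 1645/184 10.11.200.11:1812, Access-Challenge, len 80
Dec 10 02:32:52.070: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
Dec 10 02:33:52.074: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (.*)$")
RETRANSMIT_RE = re.compile(r"RADIUS: Retransmit to \(([\d.]+):[\d,]+\) for id (\S+)")
FAILOVER_RE = re.compile(r"RADIUS: Fail-over to \(([\d.]+):[\d,]+\) for id (\S+)")
RECEIVED_RE = re.compile(r"RADIUS: Received from id (\S+) ([\d.]+):\d+, ([\w-]+),")
DEAD_RE = re.compile(r"%RADIUS-4-RADIUS_DEAD: RADIUS server (\S+) is not responding")
ALIVE_RE = re.compile(r"%RADIUS-4-RADIUS_ALIVE: RADIUS server (\S+) is being marked alive")


def parse_ts(text):
    """'Dec 10 02:32:15.151' -> datetime (year defaults to 1900, irrelevant for deltas)."""
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def _new_request(ts):
    return {"first_seen": ts, "retransmits": 0, "failed_over_to": None,
            "failover_after_s": None, "reply": None}


def analyze(log_text):
    """Return {"requests": {id: facts}, "dead_intervals": {server: [seconds, ...]}}.

    failover_after_s is measured from the first line that names the request id
    (the 'Sending' line carries no id, so the very first transmission is not counted).
    """
    requests = {}
    dead_since = {}       # server -> timestamp of its latest RADIUS_DEAD
    dead_intervals = {}   # server -> seconds between each DEAD and the following ALIVE
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # continuation or non-timestamped line
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if (r := RETRANSMIT_RE.search(msg)):
            requests.setdefault(r.group(2), _new_request(ts))["retransmits"] += 1
        elif (f := FAILOVER_RE.search(msg)):
            rec = requests.setdefault(f.group(2), _new_request(ts))
            rec["failed_over_to"] = f.group(1)
            rec["failover_after_s"] = (ts - rec["first_seen"]).total_seconds()
        elif (v := RECEIVED_RE.search(msg)):
            if v.group(1) in requests:
                requests[v.group(1)]["reply"] = v.group(3)
        elif (d := DEAD_RE.search(msg)):
            dead_since[d.group(1)] = ts
        elif (a := ALIVE_RE.search(msg)):
            if a.group(1) in dead_since:
                secs = (ts - dead_since.pop(a.group(1))).total_seconds()
                dead_intervals.setdefault(a.group(1), []).append(secs)
    return {"requests": requests, "dead_intervals": dead_intervals}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for rid, rec in result["requests"].items():
        print(f"id {rid}: {rec['retransmits']} retransmits, failed over to "
              f"{rec['failed_over_to']} after {rec['failover_after_s']} s, reply {rec['reply']}")
    for server, secs in result["dead_intervals"].items():
        print(f"{server} marked dead for {secs} s")
```

On the constructed sample this reports id 1645/184 failing over to 10.11.200.11 after 2 retransmits, answered with an Access-Challenge, and 10.11.200.10 marked dead for 60.004 s, which is the one-minute deadtime from the posted config rather than evidence that the server came back. Pointing the same parser at a full `debug radius` capture makes it easy to see whether stalls line up with (1 + retransmit) × timeout and whether a server keeps flapping between dead and alive every deadtime interval.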
