Thanks, looks like the "radius-server timeout" option was what I was missing.
On Mon, Dec 10, 2012 at 9:38 AM, Alberto Cruz <[email protected]> wrote:
> Hello Dan
>
> You need to adjust the following values:
> Router(config)# radius-server retransmit <retries>
> Specifies how many times the router transmits each RADIUS request to the
> server before giving up (the default is 3).
>
> Router(config)# radius-server timeout <seconds>
> Specifies for how many seconds a router waits for a reply to a RADIUS
> request before retransmitting the request.
>
> Router(config)# radius-server deadtime <minutes>
> Specifies for how many minutes a RADIUS server that is not responding to
> authentication requests is passed over by requests for RADIUS
> authentication.
>
> Alberto
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Dan Letkeman
> Sent: December-09-12 9:38 PM
> To: cisco-nsp
> Subject: [c-nsp] redundant radius server config
>
> Hello,
>
> Having some trouble with my redundant radius server config. I have
> configured the switch to use two different radius servers in a group.
>
> When I shut down one of the radius servers the switch still requests a
> connection to the down server, then times out and tries the secondary
> server, but the last message I see is "access-challenge" on the radius
> servers and it stalls there. The only way I can get it to work again is
> wait a long time or a shut, no shut on the port. So it seems as if the
> redundancy is working but not all of the messages are getting through, when
> it fails over to the redundant server.
>
> I'm also seeing these messages when I shut off the radius server. Don't
> think I should be seeing the alive message when it's off.
>
> Dec 10 01:38:08.246: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
> Dec 10 01:39:08.250: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
>
> 3560G 15.0(1)SE3
>
> Relevant config:
>
> aaa group server radius gvsd_radius
>  server name radius1
>  server name radius2
> !
> aaa authentication dot1x default group gvsd_radius
> aaa authorization network default group gvsd_radius
> aaa accounting dot1x network start-stop group gvsd_radius
> !
> dot1x system-auth-control
> !
> interface GigabitEthernet0/16
>  switchport access vlan 1125
>  switchport mode access
>  authentication port-control auto
>  authentication periodic
>  dot1x pae authenticator
>  spanning-tree portfast
> !
> radius-server retransmit 5
> radius-server deadtime 1
> !
> radius server radius2
>  address ipv4 10.11.200.11 auth-port 1812 acct-port 1813
>  key cisco
> !
> radius server radius1
>  address ipv4 10.11.200.10 auth-port 1812 acct-port 1813
>  key cisco
> !
>
> Here is an example. I had 10.11.200.10(radius1) running, authenticated
> successfully then shut it off. With 10.11.200.11(radius2) the only one
> running I did a shut, no shut on G0/16.
>
> logs:
>
> Dec 10 02:32:15.151: RADIUS/ENCODE(000004F2):Orig. component type = Dot1X
> Dec 10 02:32:15.151: RADIUS(000004F2): Config NAS IP: 0.0.0.0
> Dec 10 02:32:15.151: RADIUS(000004F2): Config NAS IPv6: ::
> Dec 10 02:32:15.151: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
> Dec 10 02:32:15.151: RADIUS(000004F2): Sending a IPv4 Radius Packet
> Dec 10 02:32:15.151: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:17.106: %LINK-3-UPDOWN: Interface GigabitEthernet0/16, changed state to up
> 802.1x(config-if)#
> Dec 10 02:32:19.815: RADIUS(000004F2): Request timed out
> Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:19.815: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:24.580: RADIUS(000004F2): Request timed out
> Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:24.580: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:29.353: RADIUS(000004F2): Request timed out
> Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:29.353: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:33.145: RADIUS/ENCODE(000004F2):Orig. component type = Dot1X
> Dec 10 02:32:33.145: RADIUS(000004F2): Config NAS IP: 0.0.0.0
> Dec 10 02:32:33.145: RADIUS(000004F2): Config NAS IPv6: ::
> Dec 10 02:32:33.145: RADIUS/ENCODE: Best Local IP-Address 10.11.200.73 for Radius-Server 10.11.200.10
> Dec 10 02:32:33.145: RADIUS(000004F2): Sending a IPv4 Radius Packet
> Dec 10 02:32:33.145: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:34.319: RADIUS(000004F2): Request timed out
> Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:34.319: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:38.119: RADIUS(000004F2): Request timed out
> Dec 10 02:32:38.119: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
> Dec 10 02:32:38.119: RADIUS(000004F2): Started 5 sec timeout
> Dec 10 02:32:38.656: RADIUS(000004F2): Request timed out
> Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
> Dec 10 02:32:38.656: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:42.758: RADIUS(000004F2): Request timed out
> Dec 10 02:32:42.767: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
> Dec 10 02:32:42.767: RADIUS(000004F2): Started 5 sec timeout
> Dec 10 02:32:43.471: RADIUS(000004F2): Request timed out
> Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
> Dec 10 02:32:43.471: RADIUS: authenticator 77 4E 8B 50 10 D5 86 A4 - 78 32 47 FE 83 B0 1E BE
> Dec 10 02:32:43.471: RADIUS: User-Name [1] 23 "host/[email protected]"
> Dec 10 02:32:43.471: RADIUS: Service-Type [6] 6 Framed [2]
> Dec 10 02:32:43.471: RADIUS: Framed-MTU [12] 6 1500
> Dec 10 02:32:43.471: RADIUS: Called-Station-Id [30] 19 "9C-AF-CA-F4-40-10"
> Dec 10 02:32:43.471: RADIUS: Calling-Station-Id [31] 19 "64-31-50-7D-72-DE"
> Dec 10 02:32:43.471: RADIUS: EAP-Message [79] 28
> Dec 10 02:32:43.471: RADIUS: 02 01 00 1A 01 68 6F 73 74 2F 75 73 65 72 40 65 78 61 6D 70 6C [host/user@exampl]
> Dec 10 02:32:43.471: RADIUS: 65 2E 63 6F 6D [ e.com]
> Dec 10 02:32:43.471: RADIUS: Message-Authenticato[80] 18
> Dec 10 02:32:43.471: RADIUS: 9E E2 EE 64 F7 3E 21 37 20 EB 75 10 44 82 0C 46 [ d>!7 uDF]
> Dec 10 02:32:43.471: RADIUS: EAP-Key-Name [102] 2 *
> 802.1x(config-if)#
> Dec 10 02:32:43.471: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
> Dec 10 02:32:43.471: RADIUS: NAS-Port [5] 6 50016
> Dec 10 02:32:43.471: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet0/16"
> Dec 10 02:32:43.471: RADIUS: NAS-IP-Address [4] 6 10.11.200.73
> Dec 10 02:32:43.471: RADIUS(000004F2): Started 5 sec timeout
> Dec 10 02:32:44.478: RADIUS: Received from id 1645/184 10.11.200.11:1812, Access-Challenge, len 80
> Dec 10 02:32:44.478: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
> 802.1x(config-if)#
> Dec 10 02:32:47.666: RADIUS(000004F2): Request timed out
> Dec 10 02:32:47.666: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/185
> Dec 10 02:32:47.666: RADIUS(000004F2): Started 5 sec timeout
> 802.1x(config-if)#
> Dec 10 02:32:52.070: RADIUS(000004F2): Request timed out
> Dec 10 02:32:52.070: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
> Dec 10 02:32:52.070: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/185
> Dec 10 02:32:52.070: RADIUS: authenticator EB 8C C4 3F 9B 64 20 D1 - 29 55 5C 79 37 AA F2 58
> Dec 10 02:32:52.070: RADIUS: User-Name [1] 23 "host/[email protected]"
> Dec 10 02:32:52.070: RADIUS: Service-Type [6] 6 Framed [2]
> Dec 10 02:32:52.070: RADIUS: Framed-MTU [12] 6 1500
> Dec 10 02:32:52.070: RADIUS: Called-Station-Id [30] 19 "9C-AF-CA-F4-40-10"
> Dec 10 02:32:52.070: RADIUS: Calling-Station-Id [31] 19 "64-31-50-7D-72-DE"
> Dec 10 02:32:52.070: RADIUS: EAP-Message [79] 28
> Dec 10 02:32:52.070: RADIUS: 02 01 00 1A 01 68 6F 73 74 2F 75 73 65 72 40 65 78 61 6D 70 6C [host/user@exampl]
> Dec 10 02:32:52.070: RADIUS: 65 2E 63 6F 6D [ e.com]
> Dec 10 02:32:52.070: RADIUS: Message-Authenticato[80] 18
> Dec 10 02:32:52.070: RADIUS: 9D 5E 7D 18 0D 3D 42 12 B5 37 23 C8 F8 C5 51 31 [ ^}=B7#Q1]
> Dec 10 02:32:52.070: RADIUS: EAP-Key-Name [102] 2 *
> Dec 10 02:32:52.070: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
> Dec 10 02:32:52.070: RADIUS: NAS-Port [5] 6 50016
> Dec 10 02:32:52.070: RADIUS: NAS-Port-Id [87] 21 "GigabitEthernet0/16"
> 802.1x(config-if)#
> Dec 10 02:32:52.070: RADIUS: NAS-IP-Address [4] 6 10.11.200.73
> Dec 10 02:32:52.070: RADIUS(000004F2): Started 5 sec timeout
> Dec 10 02:32:52.078: RADIUS: Received from id 1645/185 10.11.200.11:1812, Access-Challenge, len 80
> Dec 10 02:32:52.078: RADIUS/DECODE: EAP-Message fragments, 22, total 22 bytes
> 802.1x(config-if)#
> Dec 10 02:33:52.074: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
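
Added example, not part of the thread or of any poster's code: a Python script that measures, from the debug output quoted above, how long one request waited on the unresponsive server before fail-over and how long that server stayed marked dead. The function names are hypothetical, the log sample is abridged from the quoted output, and the `timeout * (retransmit + 1)` bound is an assumption about how the two settings combine.

```python
import re
from datetime import datetime

# Abridged from the debug output quoted in the thread (wrapped lines rejoined).
LOG = """\
Dec 10 02:32:15.151: RADIUS(000004F2): Sending a IPv4 Radius Packet
Dec 10 02:32:19.815: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:24.580: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:29.353: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:34.319: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:38.656: RADIUS: Retransmit to (10.11.200.10:1812,1813) for id 1645/184
Dec 10 02:32:43.471: RADIUS: Fail-over to (10.11.200.11:1812,1813) for id 1645/184
Dec 10 02:32:52.070: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.200.10:1812,1813 is not responding.
Dec 10 02:33:52.074: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.200.10:1812,1813 is being marked alive.
"""

STAMPED = re.compile(r"^(\w{3} +\d+ [\d:.]+): (.*)$")

def parse(log, year=2012):
    """Return (datetime, message) pairs; IOS stamps carry no year, so one is assumed."""
    events = []
    for line in log.splitlines():
        m = STAMPED.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m.group(2)))
    return events

def first(events, *needles):
    """Timestamp of the first message containing every needle, or None."""
    return next((ts for ts, msg in events if all(n in msg for n in needles)), None)

def worst_case_wait(timeout_s, retransmit):
    """Assumed bound: the initial try plus each retransmit waits one full timeout."""
    return timeout_s * (retransmit + 1)

def summarize(log, req_id="1645/184"):
    ev = parse(log)
    sent = first(ev, "Sending a IPv4 Radius Packet")
    failover = first(ev, "Fail-over to", f"for id {req_id}")
    dead, alive = first(ev, "RADIUS_DEAD"), first(ev, "RADIUS_ALIVE")
    return {
        "retransmits": sum("Retransmit to" in m and m.endswith(req_id) for _, m in ev),
        "failover_after_s": (failover - sent).total_seconds(),
        "dead_for_s": (alive - dead).total_seconds(),
    }
if __name__ == "__main__":
    print(summarize(LOG), "bound:", worst_case_wait(timeout_s=5, retransmit=5), "s")
```

On this capture the request spent 28.32 s on 10.11.200.10 against a 30 s bound for a 5-second timeout and 5 retransmits, and the server was marked alive 60 s after being marked dead, the same interval as `radius-server deadtime 1`.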
