RADIUS failover not working in wired 802.1x (CATOS switch)

Feb 18th, 2008

I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?


Any help is appreciated. Here is my config:


#version 8.4(7)GLX
!
#radius
set radius server 10.30.XX.XX auth-port 1812 primary
set radius server 10.18.XX.XX auth-port 1812
set radius timeout 30
set radius key EE08361
!
Set dot1x system-auth-control enable
!
set port dot1x 5/27 port-control auto


All radius and dot1x settings are at their default values.


Any takers??!


cisco24x7 Tue, 02/19/2008 - 13:59

I have the same setup as yours. I use Steelbelt radius 6.0.1 on Linux and I have Cisco 2960 catalyst. I use 802.1x over Ethernet with PEAP, as seen below:


C2960#sh run int g0/23
Building configuration...

Current configuration : 133 bytes
!
interface GigabitEthernet0/23
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 668
end

C2960#
C2960#sh run | inc dot
aaa authentication dot1x default group radius
dot1x system-auth-control
dot1x guest-vlan supplicant
C2960#sh run | inc radius-
radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
C2960#


Everything works, and when I shut down the radius server process on host 192.168.15.10, "sbrd stop", it still works with the secondary radius server 10.250.97.26.


The difference between yours and mine is that I am running IOS instead of CatOS.


System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"



David



jafrazie Tue, 02/19/2008 - 16:05 (Cisco Employee)

I do not believe it works with CatOS on that rev of code on the 4000. But would recommend a TAC case, nonetheless.

Jagdeep Gambhir Wed, 02/20/2008 - 06:32

Make sure the radius keep alive is enabled. This helps the switch determine if the radius server is down:


set dot1x radius-keepalive enable


Let me know how that goes


Regards,

~JG


Do rate helpful posts

dwhisinnand Wed, 02/20/2008 - 06:42

Thanks, but I tried that command and the switch does not recognize it.

dwhisinnand Wed, 02/20/2008 - 07:35

No dice. This is the message I received:


C4K> (enable) set dot1x radius-keep-alive enable
Unknown command "set dot1x radius-keep-alive". Use 'set dot1x help' for more info.


Here are my options:


C4K> (enable) set dot1x ?
max-req
quiet-period
re-authperiod
server-timeout
shutdown-timeout
supp-timeout
system-auth-control
tx-period
C4K> (enable) set dot1x

Jagdeep Gambhir Wed, 02/20/2008 - 07:55

Please send me the output of show radius


cisco> (enable) sho radius

dwhisinnand Wed, 02/20/2008 - 08:04

C4K> (enable) sh radius
RADIUS Deadtime: 0 minutes
RADIUS Key: EEXXXXX
RADIUS Retransmit: 2
RADIUS Timeout: 5 seconds
Framed-Ip Address Transmit: Disabled

RADIUS-Server                   Status   Auth-port     Acct-port
-----------------------------   -------  ------------  ------------
10.30.XX.XX                     primary  1812          1813
10.18.XX.XX                              1812          1813
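
Added example, not part of the original thread and not Cisco code: a small Python parser for the "show radius" output posted above that pulls out the values governing failover to the backup server. The function names are hypothetical, and the retry arithmetic and the meaning attached to a deadtime of 0 are assumptions, marked in the comments.

```python
import re

# Constructed sample: the "show radius" output posted above, columns re-aligned.
SAMPLE = """\
RADIUS Deadtime: 0 minutes
RADIUS Key: EEXXXXX
RADIUS Retransmit: 2
RADIUS Timeout: 5 seconds
Framed-Ip Address Transmit: Disabled

RADIUS-Server                   Status   Auth-port     Acct-port
-----------------------------   -------  ------------  ------------
10.30.XX.XX                     primary  1812          1813
10.18.XX.XX                              1812          1813
"""

def parse_show_radius(text):
    """Split 'show radius' text into global settings and the server table."""
    settings, servers, in_table = {}, [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("-----"):
            in_table = True                      # rows follow the dashed rule
        elif in_table:
            fields = line.split()
            ports = [int(f) for f in fields[1:] if f.isdigit()]
            servers.append({"host": fields[0],
                            "primary": "primary" in fields[1:],
                            "auth_port": ports[0], "acct_port": ports[1]})
        elif ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings, servers

def failover_report(settings, servers):
    """Summarise the settings that decide how a dead primary is handled."""
    num = lambda key: int(re.match(r"\d+", settings[key]).group())
    retransmit, timeout = num("RADIUS Retransmit"), num("RADIUS Timeout")
    return {
        "backup_configured": len(servers) >= 2,
        "primary_count": sum(s["primary"] for s in servers),
        # Assumption: deadtime 0 means an unresponsive server is never skipped,
        # so every new authentication starts at the primary again.
        "dead_server_skipped": num("RADIUS Deadtime") > 0,
        # Assumption: one initial request plus `retransmit` retries per server.
        "max_wait_per_server_s": timeout * (retransmit + 1),
    }

if __name__ == "__main__":
    for item, value in failover_report(*parse_show_radius(SAMPLE)).items():
        print(f"{item}: {value}")
```
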

jafrazie Wed, 02/20/2008 - 12:38 (Cisco Employee)

Right, but it doesn't work on the 4000, since the 4000 will not make it up to this rev of code for CatOS.

dwhisinnand Wed, 02/20/2008 - 12:40

Exactly. I see 8.4.11GLX as the latest version. Any other ideas? Thanks

dwhisinnand Thu, 02/28/2008 - 09:32

I just wanted to follow up, as I have found the resolution. I was surprised that TAC did not have the answer either.


I entered the command:

set feature dot1x-radius-keepalive enable


Everything works great now. Thanks for the ideas.
