
RADIUS failover not working in wired 802.1x (CATOS switch)

dwhisinnand
Level 1

I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?

Any help is appreciated. Here is my config:

#version 8.4(7)GLX
!
#radius
set radius server 10.30.XX.XX auth-port 1812 primary
set radius server 10.18.XX.XX auth-port 1812
set radius timeout 30
set radius key EE08361
!
set dot1x system-auth-control enable
!
set port dot1x 5/27 port-control auto

All radius and dot1x settings are at their default values.

Any takers??!


dwhisinnand
Level 1

bump...anyone?

I have the same setup as yours. I use Steelbelt radius 6.0.1 on Linux and I have Cisco 2960 catalyst. I use 802.1x over Ethernet with PEAP, as seen below:

C2960#sh run int g0/23
Building configuration...
Current configuration : 133 bytes
!
interface GigabitEthernet0/23
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 668
end
C2960#

C2960#sh run | inc dot
aaa authentication dot1x default group radius
dot1x system-auth-control
dot1x guest-vlan supplicant

C2960#sh run | inc radius-
radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
C2960#

Everything works and when I shutdown the radius server process on host 192.168.15.10, "sbrd stop", it still works with the secondary radius server 10.250.97.26.

The difference between yours and mine is that I am running IOS instead of CatOS.

System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"

David

I do not believe it works with CatOS on that rev of code on the 4000. But I would recommend a TAC case, nonetheless.

Make sure the radius keep alive is enabled. This helps the switch determine if the radius server is down:

set dot1x radius-keepalive enable

Let me know how that goes

Regards,

~JG

Do rate helpful posts

Thanks, but I tried that command and the switch does not recognize that command.

Try

"set dot1x radius-keep-alive enable"

No dice. This is the message I received:

C4K> (enable) set dot1x radius-keep-alive enable
Unknown command "set dot1x radius-keep-alive". Use 'set dot1x help' for more info.

Here are my options:

C4K> (enable) set dot1x ?
max-req
quiet-period
re-authperiod
server-timeout
shutdown-timeout
supp-timeout
system-auth-control
tx-period
C4K> (enable) set dot1x

Please send me the output of show radius

cisco> (enable) sho radius

C4K> (enable) sh radius
RADIUS Deadtime: 0 minutes
RADIUS Key: EEXXXXX
RADIUS Retransmit: 2
RADIUS Timeout: 5 seconds
Framed-Ip Address Transmit: Disabled

RADIUS-Server                 Status  Auth-port    Acct-port
----------------------------- ------- ------------ ------------
10.30.XX.XX                   primary 1812         1813
10.18.XX.XX                           1812         1813

Right, but it doesn't work on the 4000, since the 4000 will not make it up to this rev of code for CatOS.

Exactly. I see 8.4.11GLX as the latest version. Any other ideas? Thanks

I just wanted to follow up, as I have found the resolution. I was surprised that TAC did not have the answer either.

I entered the command:

set feature dot1x-radius-keepalive enable

Everything works great now. Thanks for the ideas.
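For readers who want to confirm from a management host that both RADIUS servers answer before relying on failover, here is an added example that is not part of the thread or any poster's code. It assumes the servers accept RFC 5997 Status-Server probes, which is not necessarily what the CatOS keepalive feature sends; the function names are hypothetical, and the default timeout and retransmit values mirror the `sh radius` output above.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER, ACCESS_ACCEPT, MSG_AUTH = 12, 2, 80   # RADIUS codes / attribute type

def build_status_server(secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Build an RFC 5997 Status-Server packet signed with Message-Authenticator."""
    attr = bytes([MSG_AUTH, 18]) + bytes(16)          # value is zero while signing
    pkt = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attr)) + req_auth + attr
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac

def reply_is_valid(reply: bytes, secret: bytes, ident: int, req_auth: bytes) -> bool:
    """Accept only an Access-Accept whose Response Authenticator matches the secret."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_ACCEPT or rid != ident or not 20 <= length <= len(reply):
        return False
    reply = reply[:length]                            # trailing octets are padding
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, secret, port=1812, timeout=5.0, retransmit=2) -> bool:
    """Send up to 1 + retransmit probes; True once an authentic reply arrives."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_status_server(secret, ident, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(1 + retransmit):
            try:
                s.sendto(pkt, (host, port))
                reply, _ = s.recvfrom(4096)
            except OSError:                           # timeout or ICMP unreachable
                continue
            if reply_is_valid(reply, secret, ident, req_auth):
                return True
    return False

def first_live(servers, is_alive):
    """Return the first server, in configured order, that passes the probe."""
    return next((s for s in servers if is_alive(s)), None)
```

Call `first_live([primary, backup], lambda h: probe(h, secret))` with your own server addresses and shared secret; a result of `None` means neither server returned an authentic reply.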
