02-18-2008 12:51 PM - edited 03-10-2019 03:39 PM
I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?
Any help is appreciated. Here is my config:
#version 8.4(7)GLX
!
#radius
set radius server 10.30.XX.XX auth-port 1812 primary
set radius server 10.18.XX.XX auth-port 1812
set radius timeout 30
set radius key EE08361
!
Set dot1x system-auth-control enable
!
set port dot1x 5/27 port-control auto
All radius and dot1x settings are at their default values.
Any takers??!
02-19-2008 01:33 PM
bump...anyone?
02-19-2008 01:59 PM
I have the same setup as yours. I use Steelbelt
radius 6.0.1 on Linux and I have Cisco 2960
catalyst. I use 802.1x over Ethernet with
PEAP, as seen below:
C2960#sh run int g0/23
Building configuration...
Current configuration : 133 bytes
!
interface GigabitEthernet0/23
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 668
end
C2960#
C2960#sh run | inc dot
aaa authentication dot1x default group radius
dot1x system-auth-control
dot1x guest-vlan supplicant
C2960#sh run | inc radius-
radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
C2960#
Everything works and when I shut down the
radius server process on host 192.168.15.10,
"sbrd stop", it still works with the secondary
radius server 10.250.97.26.
The difference between yours and mine is that
I am running IOS instead of CatOS.
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
David
02-19-2008 04:05 PM
I do not believe it works with CatOS on that rev of code on the 4000. But would recommend a TAC case, nonetheless.
02-20-2008 06:32 AM
Make sure the radius keep alive is enabled. This helps the switch determine if the radius server is down:
set dot1x radius-keepalive enable
Let me know how that goes
Regards,
~JG
Do rate helpful posts
02-20-2008 06:42 AM
Thanks, but when I tried that command, the switch does not recognize it.
02-20-2008 07:13 AM
Try
"set dot1x radius-keep-alive enable"
02-20-2008 07:35 AM
No dice. This is the message I received:
C4K> (enable) set dot1x radius-keep-alive enable
Unknown command "set dot1x radius-keep-alive". Use 'set dot1x help' for more info.
Here are my options:
C4K> (enable) set dot1x ?
max-req
quiet-period
re-authperiod
server-timeout
shutdown-timeout
supp-timeout
system-auth-control
tx-period
C4K> (enable) set dot1x
02-20-2008 07:55 AM
Please send me the output of show radius
cisco> (enable) sho radius
02-20-2008 08:04 AM
C4K> (enable) sh radius
RADIUS Deadtime: 0 minutes
RADIUS Key: EEXXXXX
RADIUS Retransmit: 2
RADIUS Timeout: 5 seconds
Framed-Ip Address Transmit: Disabled
RADIUS-Server                 Status  Auth-port    Acct-port
----------------------------- ------- ------------ ------------
10.30.XX.XX                   primary 1812         1813
10.18.XX.XX                           1812         1813
02-20-2008 08:16 AM
Seems to be a bug,
Regards,
~JG
02-20-2008 12:38 PM
Right, but it doesn't work on the 4000, since the 4000 will not make it up to this rev of code for CatOS.
02-20-2008 12:40 PM
Exactly. I see 8.4.11GLX as the latest version. Any other ideas? Thanks
02-28-2008 09:32 AM
I just wanted to follow up, as I have found the resolution. I was surprised that TAC did not have the answer either.
I entered the command:
set feature dot1x-radius-keepalive enable
Everything works great now. Thanks for the ideas.
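The settings discussed in this thread, turned into a pre-deployment check (an added example, not code from any poster or from Cisco): it parses a saved CatOS config for a backup RADIUS server, global dot1x, and the `set feature dot1x-radius-keepalive enable` line from the resolution, and masks the shared key before the config is shared. The function names `parse`, `audit` and `redact` are hypothetical, and the sample config is constructed from the lines posted above with a placeholder key.

```python
import re

# Constructed sample built from the CatOS lines in the thread; the key is a placeholder.
BEFORE = """\
#radius
set radius server 10.30.XX.XX auth-port 1812 primary
set radius server 10.18.XX.XX auth-port 1812
set radius key EXAMPLE-KEY
!
Set dot1x system-auth-control enable
set port dot1x 5/27 port-control auto
"""
AFTER = BEFORE + "set feature dot1x-radius-keepalive enable\n"

def parse(config):
    """Collect the RADIUS and 802.1X settings that matter for failover."""
    s = {"servers": [], "primary": None, "dot1x": False, "keepalive": False, "ports": []}
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0][0] in "#!":      # skip blanks, section markers, separators
            continue
        kw = [t.lower() for t in tok]         # tolerate the capitalised "Set" in the post
        if kw[:3] == ["set", "radius", "server"] and len(tok) > 3:
            s["servers"].append(tok[3])
            if "primary" in kw[4:]:
                s["primary"] = tok[3]
        elif kw[:3] == ["set", "dot1x", "system-auth-control"]:
            s["dot1x"] = kw[3:4] == ["enable"]
        elif kw[:3] == ["set", "feature", "dot1x-radius-keepalive"]:
            s["keepalive"] = kw[3:4] == ["enable"]
        elif kw[:3] == ["set", "port", "dot1x"] and kw[-2:] == ["port-control", "auto"]:
            s["ports"].append(tok[3])
    return s

def audit(config):
    """Return the failover-related settings from the thread that are missing."""
    s, findings = parse(config), []
    if not s["dot1x"]:
        findings.append("dot1x system-auth-control is not enabled")
    if len(s["servers"]) < 2:
        findings.append("no backup RADIUS server is configured")
    if s["ports"] and not s["keepalive"]:
        findings.append("dot1x-radius-keepalive feature is not enabled")
    return findings

def redact(config):
    """Mask the RADIUS shared secret before a config is posted or attached to a ticket."""
    return re.sub(r"(?im)^(\s*set\s+radius\s+key)\s+\S+", r"\1 <redacted>", config)

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "ok")
    print(redact(BEFORE))
```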