RADIUS failover not working in wired 802.1x (CATOS switch)

dwhisinnand · ‎02-18-2008

I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?

Any help is appreciated. Here is my config:

#version 8.4(7)GLX

!

#radius

set radius server 10.30.XX.XX auth-port 1812 primary

set radius server 10.18.XX.XX auth-port 1812

set radius timeout 30

set radius key EE08361

!

Set dot1x system-auth-control enable

!

set port dot1x 5/27 port-control auto

all radius and dot1x settings are at their default values

Any takers??!

dwhisinnand · ‎02-19-2008

bump...anyone?

cisco24x7 · ‎02-19-2008

I have the same setup as yours. I use Steelbelt

radius 6.0.1 on Linux and I have Cisco 2960

catalyst. I use 802.1x over Ethernet with

PEAP, as seen below:

C2960#sh run int g0/23

Building configuration...

Current configuration : 133 bytes

!

interface GigabitEthernet0/23

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x guest-vlan 668

end

C2960#

C2960#sh run | inc dot

aaa authentication dot1x default group radius

dot1x system-auth-control

dot1x guest-vlan supplicant

C2960#sh run | inc radius-

radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx

radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx

C2960#

Everything works and when I shutdown the

radius server process on host 192.168.15.10,

"sbrd stop", it still works with the secondary

radius server 10.250.97.26.

The difference between yours and mine is that

I am running IOS instead of CatOS.

System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"

David

jafrazie · ‎02-19-2008

It do not believe it works with CatOS on that rev of code on the 4000. But would recommend a TAC case, nonetheless.

Jagdeep Gambhir · ‎02-20-2008

Make sure the radius keep alive is enabled. This helps the switch determine if the radius server is down:

set dot1x radius-keepalive enable

Let me know how that goes

Regards,

~JG

Do rate helpful posts

dwhisinnand · ‎02-20-2008

Thanks, but when I tried that command and the switch does not recognize that command.

Jagdeep Gambhir · ‎02-20-2008

Try

"set dot1x radius-keep-alive enable"

dwhisinnand · ‎02-20-2008

No dice. This is message I received:

C4K> (enable) set dot1x radius-keep-alive enable

Unknown command "set dot1x radius-keep-alive". Use 'set dot1x help' for more in

o.

Here are my options:

C4K> (enable) set dot1x ?

max-req

quiet-period

re-authperiod

server-timeout

shutdown-timeout

supp-timeout

system-auth-control

tx-period

C4K> (enable) set dot1x

Jagdeep Gambhir · ‎02-20-2008

Please send me the output of show radius

cisco> (enable) sho radius

dwhisinnand · ‎02-20-2008

C4K> (enable) sh radius

RADIUS Deadtime: 0 minutes

RADIUS Key: EEXXXXX

RADIUS Retransmit: 2

RADIUS Timeout: 5 seconds

Framed-Ip Address Transmit: Disabled

RADIUS-Server Status Auth-port Acct-port

----------------------------- ------- ------------ ------------

10.30.XX.XX primary 1812 1813

10.18.XX.XX 1812 1813

Jagdeep Gambhir · ‎02-20-2008

Seems to be a bug,

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd76147

Regards,

~JG

jafrazie · ‎02-20-2008

Right, but it doesn't work on the 4000, since the 4000 will not make it up to this rev of code for CatOS.

dwhisinnand · ‎02-20-2008

Exactly. I see 8.4.11GLX as the latest version. Any other ideas? Thanks

dwhisinnand · ‎02-28-2008

I just wanted to follow up, as I have found the resolution. I was surpised that TAC did not have the answer either.

I entered the command:

set feature dot1x-radius-keepalive enable

Everything works great now. Thanks for the ideas.