Do the Cisco 2950 or 2960 support multiple radius servers?

Feb 22nd, 2009

Do the Cisco 2950 or 2960 support multiple radius servers? In case one radius server is down, I would like to have the switch try another radius server.


I tried this:


aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

radius-server host 172.30.0.27 auth-port 1812 acct-port 1813

radius-server host 172.30.0.28 auth-port 1812 acct-port 1813

radius-server retransmit 3

radius-server key 123456


When I turned off .0.27 at 10:00 PM, no systems tried to authenticate with .0.28 the next morning. I had to turn back on the radius service on .0.27 in order for systems to connect to the network again.


Following is the Debug log:


11w2d: RADIUS: ustruct sharecount=1

11w2d: RADIUS: EAP-login: length of radius packet = 143 code = 1

11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 12 172.30.0.27:1812, Access-Request, len 143

11w2d: Attribute 4 6 AC1C003E

11w2d: Attribute 5 6 0000C35D

11w2d: Attribute 61 6 0000000F

11w2d: Attribute 1 16 7A68616E

11w2d: Attribute 30 19 30302D30

11w2d: Attribute 31 19 30302D31

11w2d: Attribute 6 6 00000002

11w2d: Attribute 12 6 000005DC

11w2d: Attribute 79 21 02000013

11w2d: Attribute 80 18 65CF0F80

11w2d: RADIUS: Retransmit id 12

11w2d: RADIUS: Retransmit id 12

11w2d: RADIUS: Retransmit id 12

11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead

11w2d: RADIUS: Re-signed packet (key: 123456; rctx: 0x80D82308)

11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id12

11w2d: RADIUS: Retransmit id 12

11w2d: RADIUS: Received from id 12 172.30.0.28:1812, Access-Challenge, len 80

11w2d: Attribute 79 24 01010016

11w2d: Attribute 24 18 30336165

11w2d: Attribute 80 18 05C14D55

11w2d: RADIUS: EAP-login: length of eap packet = 22

11w2d: RADIUS: EAP-login: got challenge from radius

11w2d: RADIUS: ustruct sharecount=1

11w2d: RADIUS: EAP-login: length of radius packet = 178 code = 1

11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 13 172.30.0.27:1812, Access-Request, len 178

11w2d: Attribute 4 6 AC1C003E

11w2d: Attribute 5 6 0000C35D

11w2d: Attribute 61 6 0000000F

11w2d: Attribute 1 16 7A68616E

11w2d: Attribute 30 19 30302D30

11w2d: Attribute 31 19 30302D31

11w2d: Attribute 6 6 00000002

11w2d: Attribute 12 6 000005DC

11w2d: Attribute 24 18 30336165

11w2d: Attribute 79 38 02010024

11w2d: Attribute 80 18 D118E3CD

11w2d: RADIUS: Retransmit id 13

11w2d: RADIUS: Retransmit id 13

11w2d: RADIUS: Retransmit id 13

11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead

11w2d: RADIUS: Re-signed packet (key: 123456; rctx: 0x80D82360)

11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id13

11w2d: RADIUS: Fail-over denied to (172.30.0.28:1812,1813) for id13

11w2d: RADIUS: No response for id 13


Any suggestions would be greatly appreciated.

Thanks.

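
One way to read the debug log above, as an added example that is not part of the original post: this Python sketch groups the debug lines by RADIUS id and records which server each request was first sent to, whether that server had already been marked dead, whether the request carried a State attribute (24), and how it ended. The function name `trace` and the event names are illustrative; the log lines are excerpted from the post.

```python
import re

# Excerpt of the debug log posted above (Retransmit and most Attribute lines omitted).
LOG = """\
11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 12 172.30.0.27:1812, Access-Request, len 143
11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead
11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id12
11w2d: RADIUS: Received from id 12 172.30.0.28:1812, Access-Challenge, len 80
11w2d: Attribute 24 18 30336165
11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 13 172.30.0.27:1812, Access-Request, len 178
11w2d: Attribute 24 18 30336165
11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead
11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id13
11w2d: RADIUS: Fail-over denied to (172.30.0.28:1812,1813) for id13
"""

SRV = r"(?P<srv>[\d.]+):[\d,]+"          # server address followed by its port(s)
RULES = [  # (event, regex) for the debug line formats seen in the post
    ("send", rf"Initial Transmit \S+ id (?P<id>\d+) {SRV}"),
    ("dead", rf"Marking server {SRV} dead"),
    ("next", rf"Trying next server \({SRV}\) for id ?(?P<id>\d+)"),
    ("denied", rf"Fail-over denied to \({SRV}\) for id ?(?P<id>\d+)"),
    ("reply", rf"Received from id (?P<id>\d+) {SRV}, (?P<code>[\w-]+)"),
    ("state", r"Attribute 24 "),
]

def trace(log):  # per RADIUS id: first server tried, dead flag, State, outcome
    reqs, dead, cur = {}, set(), None
    for line in log.splitlines():
        hit = next(((n, m) for n, rx in RULES if (m := re.search(rx, line))), None)
        if not hit:
            continue
        name, g = hit[0], hit[1].groupdict()
        r = reqs.get(g.get("id"), {})
        if name == "send":
            cur = g["id"]                # attribute lines that follow belong to this request
            reqs[cur] = {"first": g["srv"], "first_was_dead": g["srv"] in dead,
                         "state": False, "failover": None, "result": "no response"}
        elif name == "dead":
            dead.add(g["srv"])
        elif name == "state" and cur in reqs:
            reqs[cur]["state"] = True    # the request (not a reply) carries State
        elif name == "next":
            r["failover"] = g["srv"]
        elif name == "denied":
            r["result"] = "fail-over denied"
        elif name == "reply":
            r["result"], cur = f"{g['code']} from {g['srv']}", None
    return reqs
```

On this excerpt, id 12 fails over to 172.30.0.28 and receives an Access-Challenge, while id 13 is again sent first to 172.30.0.27 after it was marked dead, carries the State value from that challenge, and ends in "Fail-over denied".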
Edison Ortiz Sun, 02/22/2009 - 19:33

According to the documentation, multiple RADIUS servers are supported:


http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_r1.html#wp1049418


I suggest removing .27, leaving .28 by itself, and verifying whether the problem is due to having multiple RADIUS entries or to an incorrect setting on the .28 server.


HTH,



Edison.

wudandong Sun, 02/22/2009 - 21:20

Thanks for your suggestion. I am sure the .28 server is OK; it works properly alone.


I will try the command: radius-server load-balance
