02-22-2009 07:18 PM - edited 03-06-2019 04:10 AM
Do the Cisco 2950 or 2960 support multiple radius servers? In case one radius server is down, I would like to have the switch try another radius server.
I tried this:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 172.30.0.27 auth-port 1812 acct-port 1813
radius-server host 172.30.0.28 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key 123456
When I turned off .0.27 at 10:00 PM, no systems tried to authenticate with .0.28 the next morning. I had to turn back on the radius service on .0.27 in order for systems to connect to the network again.
Following is the Debug log:
11w2d: RADIUS: ustruct sharecount=1
11w2d: RADIUS: EAP-login: length of radius packet = 143 code = 1
11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 12 172.30.0.27:1812, Access-Request, len 143
11w2d: Attribute 4 6 AC1C003E
11w2d: Attribute 5 6 0000C35D
11w2d: Attribute 61 6 0000000F
11w2d: Attribute 1 16 7A68616E
11w2d: Attribute 30 19 30302D30
11w2d: Attribute 31 19 30302D31
11w2d: Attribute 6 6 00000002
11w2d: Attribute 12 6 000005DC
11w2d: Attribute 79 21 02000013
11w2d: Attribute 80 18 65CF0F80
11w2d: RADIUS: Retransmit id 12
11w2d: RADIUS: Retransmit id 12
11w2d: RADIUS: Retransmit id 12
11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead
11w2d: RADIUS: Re-signed packet (key: 123456; rctx: 0x80D82308)
11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id12
11w2d: RADIUS: Retransmit id 12
11w2d: RADIUS: Received from id 12 172.30.0.28:1812, Access-Challenge, len 80
11w2d: Attribute 79 24 01010016
11w2d: Attribute 24 18 30336165
11w2d: Attribute 80 18 05C14D55
11w2d: RADIUS: EAP-login: length of eap packet = 22
11w2d: RADIUS: EAP-login: got challenge from radius
11w2d: RADIUS: ustruct sharecount=1
11w2d: RADIUS: EAP-login: length of radius packet = 178 code = 1
11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 13 172.30.0.27:1812, Access-Request, len 178
11w2d: Attribute 4 6 AC1C003E
11w2d: Attribute 5 6 0000C35D
11w2d: Attribute 61 6 0000000F
11w2d: Attribute 1 16 7A68616E
11w2d: Attribute 30 19 30302D30
11w2d: Attribute 31 19 30302D31
11w2d: Attribute 6 6 00000002
11w2d: Attribute 12 6 000005DC
11w2d: Attribute 24 18 30336165
11w2d: Attribute 79 38 02010024
11w2d: Attribute 80 18 D118E3CD
11w2d: RADIUS: Retransmit id 13
11w2d: RADIUS: Retransmit id 13
11w2d: RADIUS: Retransmit id 13
11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead
11w2d: RADIUS: Re-signed packet (key: 123456; rctx: 0x80D82360)
11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id13
11w2d: RADIUS: Fail-over denied to (172.30.0.28:1812,1813) for id13
11w2d: RADIUS: No response for id 13
Any suggestions would be greatly appreciated.
Thanks.
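Added example, not code from the post or from Cisco: a small Python parser for the "debug radius" lines quoted above that reports, per request id, whether the switch failed over to the second server and whether that fail-over was denied, so the second case can be picked out of a longer capture. The sample lines are a constructed excerpt of the output above; the function and field names are my own.

```python
import re

# Constructed excerpt of the "debug radius" output quoted in the post above.
SAMPLE_LOG = """\
11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 12 172.30.0.27:1812, Access-Request, len 143
11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead
11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id12
11w2d: RADIUS: Received from id 12 172.30.0.28:1812, Access-Challenge, len 80
11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 13 172.30.0.27:1812, Access-Request, len 178
11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead
11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id13
11w2d: RADIUS: Fail-over denied to (172.30.0.28:1812,1813) for id13
11w2d: RADIUS: No response for id 13
"""
# One regex per debug event of interest; named groups keep the handler generic.
EVENTS = {
    "initial": re.compile(r"Initial Transmit \S+ id (?P<id>\d+) (?P<srv>\S+):\d+, (?P<code>Access-\w+)"),
    "dead": re.compile(r"Marking server (?P<srv>\S+):\d+,\d+ dead"),
    "failover": re.compile(r"Trying next server \((?P<srv>\S+):\d+,\d+\) for id(?P<id>\d+)"),
    "received": re.compile(r"Received from id (?P<id>\d+) (?P<srv>\S+):\d+, (?P<code>Access-\w+)"),
    "denied": re.compile(r"Fail-over denied to \((?P<srv>\S+):\d+,\d+\) for id(?P<id>\d+)"),
    "noresp": re.compile(r"No response for id (?P<id>\d+)"),
}

def summarize_radius_debug(text):
    """Per request id: first server, fail-over target, denial flag, final reply; plus dead markings."""
    reqs, dead = {}, []
    for line in text.splitlines():
        for event, rx in EVENTS.items():
            if m := rx.search(line):
                g = m.groupdict()
                if event == "initial":
                    reqs[g["id"]] = {"first_server": g["srv"], "failover_to": None,
                                     "failover_denied": False, "reply": None, "reply_from": None}
                elif event == "dead":
                    dead.append(g["srv"])
                elif event == "failover":
                    reqs[g["id"]]["failover_to"] = g["srv"]
                elif event == "received":
                    reqs[g["id"]].update(reply=g["code"], reply_from=g["srv"])
                elif event == "denied":
                    reqs[g["id"]]["failover_denied"] = True
                elif event == "noresp":
                    reqs[g["id"]]["reply"] = "NO RESPONSE"
                break  # each debug line carries exactly one event
    return reqs, dead

def failed_requests(text):
    """Ids whose fail-over was denied or that never got a reply (id 13 in the post)."""
    reqs, _ = summarize_radius_debug(text)
    return [i for i, r in reqs.items() if r["failover_denied"] or r["reply"] in (None, "NO RESPONSE")]
```

Feed it the full capture from the post: id 12 shows a successful fail-over with an Access-Challenge from .28, while id 13 is flagged because the switch refused to try .28 and then reported no response.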
02-22-2009 07:33 PM
According to the documentation, multiple RADIUS servers are supported:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_r1.html#wp1049418
I suggest removing .27 and leaving .28 by itself, and verifying whether the problem is due to having multiple RADIUS entries vs. an incorrect setting on the .28 server.
HTH,
__
Edison.
02-22-2009 09:20 PM
Thanks for your suggestion. I am sure the .28 server is OK; it works properly alone.
I will try the command: radius-server load-balance.