redundant ACS servers.

Unanswered Question
Mar 29th, 2010

I'm trying to configure redundant ACS servers in my lab. What interface commands are needed to make this happen? I have both the servers in globally on the switch, and when I block the connection to the one it authenticates to first and tell the port to re-authenticate, the switch tries the next server, but the port is marked as unauthorized and the host fails authentication. I can authenticate to either server one by one, but not in a failover situation. Below I have my port config. I believe I'm missing something in my port config. Thanks for any help.

dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 20
dot1x timeout reauth-period 3600
dot1x timeout tx-period 10
dot1x reauthentication
dot1x auth-fail max-attempts 1
dot1x control-direction both
dot1x mac-auth-bypass

Javier Henderson (Cisco Employee) Mon, 03/29/2010 - 08:37

You would define multiple RADIUS servers in the switch configuration, then point the authentication and authorization methods to them; the switch should try them in the order in which they appear, rolling over to the next one if the first one does not reply within the timeout period.
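As an added illustration of the ordered-server approach described in the reply above (this is example configuration, not from anyone in the thread, and the addresses 10.10.10.11/10.10.10.12, the group name ACS-SERVERS and the REPLACE_WITH_SECRET values are placeholders), the global IOS commands that define two ACS servers as a RADIUS group and bind the 802.1X method lists to it, together with the timers that decide how quickly the switch gives up on the first server:

```cisco
! Added example (not from the thread): two ACS servers as an ordered RADIUS
! group for 802.1X, with the timers that govern failover.
! Assumed values: 10.10.10.11 / 10.10.10.12 and both shared secrets are placeholders.
aaa new-model
!
! Each shared secret must match the entry for this switch on that ACS server,
! and the ports must match what ACS listens on (1812/1813 shown here).
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key REPLACE_WITH_SECRET_1
radius-server host 10.10.10.12 auth-port 1812 acct-port 1813 key REPLACE_WITH_SECRET_2
!
! Per-request wait in seconds and number of retries before the switch moves on
! to the next server. Time spent on a silent server 1 is about
! timeout * (retransmit + 1) = 5 * 4 = 20 s; keep this shorter than the
! supplicant's own EAP timeout or the client side gives up first.
radius-server timeout 5
radius-server retransmit 3
!
! Declare a server dead after it stays silent for 'time' seconds over 'tries'
! attempts, then skip it for 'deadtime' minutes so later sessions go straight
! to server 2 instead of waiting through the full timeout again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Servers are tried in the order listed in the group.
aaa group server radius ACS-SERVERS
 server 10.10.10.11 auth-port 1812 acct-port 1813
 server 10.10.10.12 auth-port 1812 acct-port 1813
!
! Bind 802.1X authentication, network authorization and accounting to the group.
aaa authentication dot1x default group ACS-SERVERS
aaa authorization network default group ACS-SERVERS
aaa accounting dot1x default start-stop group ACS-SERVERS
!
dot1x system-auth-control
```

To check the result in a lab, `show aaa servers` shows the state of each server (including whether it is currently marked dead) and `show radius statistics` shows request and timeout counters per server; `test aaa group ACS-SERVERS <user> <password> new-code` sends a test request through the group so that reachability and the shared secret can be confirmed for each server independently before a failover test with a real supplicant.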

Kevin Steele Mon, 03/29/2010 - 10:40

I have both ACS servers defined. When the switch rolls to the second server I get "Authen session timed out: Challenge not provided by client" as the failure code in ACS.

Vivek Venugopal Thu, 10/07/2010 - 14:59

Were you able to resolve the issue? I am having a similar issue with a PIX and 2 ACS servers running, both on Windows 2003 servers. My error when switching to the second ACS is "ACS password invalid".
