As per the AAA fail policy or Inaccessible Authentication Bypass, switches will detect AAA server unreachability and allow access to hosts on critical ports. Cisco documentation says one can configure the 'radius-server dead-criteria' and 'radius-server deadtime' to decide when a RADIUS server is considered unreachable. However, my observation is different.
Timeouts under the radius server host configuration take priority over the dead-criteria. If this is expected, I believe the documentation should be corrected or at least mention this. If not, I would like to understand how the following timers affect the AAA fail policy functionality. The documentation doesn't seem to be very clear on this.
1) radius server ABC
2) radius-server dead-criteria time t2 tries n2
3) port specific -
dot1x timeout server-timeout t3
For my testing I used
t1 = 60s, n1 = 5
t2 = 3s, n2 = 3
t3 = 100s
I understand these timers aren't ideal, but just to understand the effect of each clearly I used slightly wide-ranging timers. With the RADIUS server not reachable all along, from the time the first RADIUS Access-Request was sent, it took
- 23s to detect RADIUS being down - %RADIUS-4-RADIUS_DEAD: RADIUS server 10.240.165.39:1645,1646 is not responding.
- 118s to decide the authentication result
Also, a result of 'timeout' (see the debugs below; where I expected 'server dead' and thereby the AAA fail policy being applied) suggests there is some other timer which got reset, causing AuthMgr to 'declare' the result. I'm not able to find what that timer is, and these timeout values don't quite add up.
*Mar 1 00:20:39.844: %SYS-5-CONFIG_I: Configured from console by test on vty0 (126.96.36.199)
*Mar 1 00:20:41.094: dot1x-packet(Fa0/9): queuing an EAPOL pkt on Auth Q
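For readers trying to reproduce the scenario, the following is an added IOS configuration example written for this thread; it is not the poster's configuration and not taken from Cisco documentation. It puts the three timer families from the post next to each other and adds the critical-port (Inaccessible Authentication Bypass) actions that the post refers to. Assumptions: the per-server `timeout`/`retransmit` under `radius server ABC` are the t1/n1 values the post mentions; the server address and ports are taken from the syslog line in the post; the shared secret, the AAA group name and VLAN 100 are placeholders.

```cisco
! --- Global dead-marking criteria (t2 / n2 in the post) ---
! A server is marked dead only after no reply for 3 s AND 3 unanswered requests.
radius-server dead-criteria time 3 tries 3
! Minutes a server stays skipped once marked dead (value is an assumption).
radius-server deadtime 10
!
! --- Named server definition; per-server timers (t1 / n1 in the post) live here ---
radius server ABC
 address ipv4 10.240.165.39 auth-port 1645 acct-port 1646
 key PLACEHOLDER-SHARED-SECRET
 timeout 60
 retransmit 5
!
aaa new-model
aaa group server radius RADIUS-GRP
 server name ABC
aaa authentication dot1x default group RADIUS-GRP
aaa authorization network default group RADIUS-GRP
!
dot1x system-auth-control
!
! --- Port-specific timer (t3 in the post) and the critical-port actions ---
interface FastEthernet0/9
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout server-timeout 100
 ! Inaccessible Authentication Bypass: when every server in the group is dead,
 ! put the port in the critical VLAN instead of leaving the host unauthenticated.
 authentication event server dead action authorize vlan 100
 ! When a server comes back, re-run authentication on the port.
 authentication event server alive action reinitialize
```

While testing, `show aaa servers` reports the dead/alive state and the configured dead-criteria for each server, and `show authentication sessions interface FastEthernet0/9` shows whether the port landed in the critical VLAN or ended with a plain timeout, which is the distinction the post is asking about.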