I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CatOS C4006 series switches. When I disable the primary RADIUS server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?
Any help is appreciated. Here is my config:
set radius server 10.30.XX.XX auth-port 1812 primary
set radius server 10.18.XX.XX auth-port 1812
set radius timeout 30
set radius key EE08361
Set dot1x system-auth-control enable
set port dot1x 5/27 port-control auto
All RADIUS and dot1x settings are at their default values.
I have the same setup as yours. I use Steelbelt radius 6.0.1 on Linux and I have a Cisco 2960 Catalyst. I use 802.1x over Ethernet with PEAP, as seen below:
C2960#sh run int g0/23
Current configuration : 133 bytes
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x guest-vlan 668
C2960#sh run | inc dot
aaa authentication dot1x default group radius
dot1x guest-vlan supplicant
C2960#sh run | inc radius-
radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
Everything works, and when I shut down the radius server process on host 192.168.15.10 with "sbrd stop", it still works with the secondary radius server 10.250.97.26.
The difference between yours and mine is that I am running IOS instead of CatOS.
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
I do not believe it works with CatOS on that rev of code on the 4000. But I would recommend a TAC case, nonetheless.
Make sure the radius keep alive is enabled. This helps the switch determine if the radius server is down:
set dot1x radius-keepalive enable
Let me know how that goes
Do rate helpful posts
No dice. This is the message I received:
C4K> (enable) set dot1x radius-keep-alive enable
Unknown command "set dot1x radius-keep-alive". Use 'set dot1x help' for more in
Here are my options:
C4K> (enable) set dot1x ?
C4K> (enable) set dot1x
C4K> (enable) sh radius
RADIUS Deadtime: 0 minutes
RADIUS Key: EEXXXXX
RADIUS Retransmit: 2
RADIUS Timeout: 5 seconds
Framed-Ip Address Transmit: Disabled
RADIUS-Server Status Auth-port Acct-port
----------------------------- ------- ------------ ------------
10.30.XX.XX primary 1812 1813
10.18.XX.XX 1812 1813
Seems to be a bug,
Right, but it doesn't work on the 4000, since the 4000 will not make it up to this rev of code for CatOS.
I just wanted to follow up, as I have found the resolution. I was surprised that TAC did not have the answer either.
I entered the command:
set feature dot1x-radius-keepalive enable
Everything works great now. Thanks for the ideas.