New Member

Do the Cisco 2950 or 2960 support multiple radius servers?

Do the Cisco 2950 or 2960 support multiple radius servers? In case one radius server is down, I would like to have the switch try another radius server.

I tried this:

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa accounting dot1x default start-stop group radius

radius-server host 172.30.0.27 auth-port 1812 acct-port 1813

radius-server host 172.30.0.28 auth-port 1812 acct-port 1813

radius-server retransmit 3

radius-server key 123456

When I turned off .0.27 at 10:00 PM, no systems tried to authenticate with .0.28 the next morning. I had to turn back on the radius service on .0.27 in order for systems to connect to the network again.

Following is the Debug log:

11w2d: RADIUS: ustruct sharecount=1

11w2d: RADIUS: EAP-login: length of radius packet = 143 code = 1

11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 12 172.30.0.27:1812, Access-Request, len 143

11w2d: Attribute 4 6 AC1C003E

11w2d: Attribute 5 6 0000C35D

11w2d: Attribute 61 6 0000000F

11w2d: Attribute 1 16 7A68616E

11w2d: Attribute 30 19 30302D30

11w2d: Attribute 31 19 30302D31

11w2d: Attribute 6 6 00000002

11w2d: Attribute 12 6 000005DC

11w2d: Attribute 79 21 02000013

11w2d: Attribute 80 18 65CF0F80

11w2d: RADIUS: Retransmit id 12

11w2d: RADIUS: Retransmit id 12

11w2d: RADIUS: Retransmit id 12

11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead

11w2d: RADIUS: Re-signed packet (key: 123456; rctx: 0x80D82308)

11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id12

11w2d: RADIUS: Retransmit id 12

11w2d: RADIUS: Received from id 12 172.30.0.28:1812, Access-Challenge, len 80

11w2d: Attribute 79 24 01010016

11w2d: Attribute 24 18 30336165

11w2d: Attribute 80 18 05C14D55

11w2d: RADIUS: EAP-login: length of eap packet = 22

11w2d: RADIUS: EAP-login: got challenge from radius

11w2d: RADIUS: ustruct sharecount=1

11w2d: RADIUS: EAP-login: length of radius packet = 178 code = 1

11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 13 172.30.0.27:1812, Access-Request, len 178

11w2d: Attribute 4 6 AC1C003E

11w2d: Attribute 5 6 0000C35D

11w2d: Attribute 61 6 0000000F

11w2d: Attribute 1 16 7A68616E

11w2d: Attribute 30 19 30302D30

11w2d: Attribute 31 19 30302D31

11w2d: Attribute 6 6 00000002

11w2d: Attribute 12 6 000005DC

11w2d: Attribute 24 18 30336165

11w2d: Attribute 79 38 02010024

11w2d: Attribute 80 18 D118E3CD

11w2d: RADIUS: Retransmit id 13

11w2d: RADIUS: Retransmit id 13

11w2d: RADIUS: Retransmit id 13

11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead

11w2d: RADIUS: Re-signed packet (key: 123456; rctx: 0x80D82360)

11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id13

11w2d: RADIUS: Fail-over denied to (172.30.0.28:1812,1813) for id13

11w2d: RADIUS: No response for id 13

Any suggestions would be greatly appreciated.

Thanks.
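
One way to read the debug output above request by request, as an added example that is not part of the original post: the script groups the RADIUS debug lines by request id, lists which servers were tried and how each request ended, and masks the shared secret that the "Re-signed packet" lines print in clear text. The sample log is condensed from the post (attribute lines dropped, wrapped lines joined), and the function names are illustrative.

```python
import re

# Constructed sample: condensed from the debug output in the post above.
SAMPLE_LOG = """\
11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 12 172.30.0.27:1812, Access-Request, len 143
11w2d: RADIUS: Retransmit id 12
11w2d: RADIUS: Retransmit id 12
11w2d: RADIUS: Retransmit id 12
11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead
11w2d: RADIUS: Re-signed packet (key: 123456; rctx: 0x80D82308)
11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id12
11w2d: RADIUS: Retransmit id 12
11w2d: RADIUS: Received from id 12 172.30.0.28:1812, Access-Challenge, len 80
11w2d: RADIUS: Initial Transmit FastEthernet0/13 id 13 172.30.0.27:1812, Access-Request, len 178
11w2d: RADIUS: Retransmit id 13
11w2d: RADIUS: Retransmit id 13
11w2d: RADIUS: Retransmit id 13
11w2d: RADIUS: Marking server 172.30.0.27:1812,1813 dead
11w2d: RADIUS: Re-signed packet (key: 123456; rctx: 0x80D82360)
11w2d: RADIUS: Trying next server (172.30.0.28:1812,1813) for id13
11w2d: RADIUS: Fail-over denied to (172.30.0.28:1812,1813) for id13
11w2d: RADIUS: No response for id 13
"""

ID_RE = re.compile(r"\bid ?(\d+)")  # the log prints both "id 12" and "id12"
SERVER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+")

def redact(text):
    """Mask the shared secret that 'Re-signed packet' lines print in clear."""
    return re.sub(r"\(key: [^;]*;", "(key: <redacted>;", text)

def summarize(log):
    """Map each request id to the servers tried, retransmit count and outcome."""
    requests, current = {}, None
    for line in log.splitlines():
        m = ID_RE.search(line)
        current = int(m.group(1)) if m else current  # lines without an id belong to the last one seen
        if current is None:
            continue
        req = requests.setdefault(current, {"tried": [], "retransmits": 0, "outcome": "pending"})
        if "Initial Transmit" in line or "Trying next server" in line:
            req["tried"].append(SERVER_RE.search(line).group(1))
        elif "Retransmit" in line:
            req["retransmits"] += 1
        elif "Received from" in line:
            req["outcome"] = "answered by " + SERVER_RE.search(line).group(1)
        elif "Fail-over denied" in line:
            req["outcome"] = "fail-over denied"
    return requests
```

Running `summarize(SAMPLE_LOG)` shows that request 12 was answered by 172.30.0.28 after the fail-over, while request 13 started again at 172.30.0.27 and ended with the fail-over denied; `redact()` is worth applying before debug output like this is shared.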

2 REPLIES
Hall of Fame Super Bronze

Re: Do the Cisco 2950 or 2960 support multiple radius servers?

According to the documentation, multiple RADIUS servers are supported:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_r1.html#wp1049418

I suggest removing .27, leaving .28 by itself, and verifying whether the problem is due to having multiple RADIUS entries vs. an incorrect setting on the .28 server.

HTH,

__

Edison.

New Member

Re: Do the Cisco 2950 or 2960 support multiple radius servers?

Thanks for your suggestion. I am sure the .28 server is OK; it can work properly alone.

I will try the command: radius-server load-balance
