Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problem with Redundant Radius Servers

I am using a Cisco 2950 Catalyst for 802.1X EAP-TLS based port security. For the radius servers, I'm using the Internet Authentication Service (IAS) for Windows 2000 Server. My problem is, when I list a second radius server for redundancy purposes on the switch, the device cannot authenticate via that server. If I remove the first radius entry and leave the second unchanged, authentication occurs successfully. The error that appears on the IAS server indicates the catalyst is including an inappropiate signature which is the same type of error is the shared secret is set incorrectly. The command I use to establish the two servers is essentially:

radius-server host <IP Address> key <shared secret>

radius-server host <IP Address2> key <shared secret>

I have also tried globalising the shared secredt by removing the key portion of the command above and adding:

radius-server key <shared secret>

but none of the combinations work. In each case, the radius server entered first works correctly and the one entered second does not.

5 REPLIES
New Member

Re: Problem with Redundant Radius Servers

Did you ever get a response to this? I have the same problem using IAS on two W2K server in different domains. I had to add any remote users to the first domain listed to have the authentication using the IAS server to work.

New Member

Re: Problem with Redundant Radius Servers

Thanks for trying to help. We ended up getting around the problem by adding the following two commands:

radius-server retransmit 3

radius-server deadtime 1

New Member

Re: Problem with Redundant Radius Servers

Hi,

I have a problem trying to add second radius server for redundacy. It does not seem to automatically switch over to seconadary radius server.

Thanks.

New Member

Re: Problem with Redundant Radius Servers

I did find a solution that worked in our environment. It was to add the following commands on the client:

radius-server retransmit 3

radius-server deadtime 1

This enhanced the failover to operate correctly. Hope that helps.

New Member

Problem with Redundant Radius Servers

I had the same issue trying to introduce redundancy in my network 802.1x Authentication using IAS on Win 2k3 and NPS on Win2k8, in a multiforest scenario.

I finally got it working introducing a RADIUS Proxy (IAS on Win2k3) with 2 backend server, running respectively Win2k3 (IAS) and Win2k8 (NPS) for each forest.

That simplified my config on networke equipments, such as switches and routers, setting only one radius-server host.

In order to avoid the single point of failure introduced by the Radius proxy, I used a backup solution taking frequent snapshot of the VM running the proxy and deployng at the same time a silent VM ready to boot in case of failover.

Hope I've helped.

1509
Views
0
Helpful
5
Replies
CreatePlease to create content