Problem with Redundant Radius Servers

corey_hatch
Level 1

I am using a Cisco 2950 Catalyst for 802.1X EAP-TLS based port security. For the radius servers, I'm using the Internet Authentication Service (IAS) for Windows 2000 Server. My problem is, when I list a second radius server for redundancy purposes on the switch, the device cannot authenticate via that server. If I remove the first radius entry and leave the second unchanged, authentication occurs successfully. The error that appears on the IAS server indicates the catalyst is including an inappropriate signature, which is the same type of error as when the shared secret is set incorrectly. The command I use to establish the two servers is essentially:

radius-server host <IP Address> key <shared secret>

radius-server host <IP Address2> key <shared secret>

I have also tried globalising the shared secret by removing the key portion of the command above and adding:

radius-server key <shared secret>

but none of the combinations work. In each case, the radius server entered first works correctly and the one entered second does not.
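The "inappropriate signature" IAS reports is the RADIUS Message-Authenticator check (RFC 2869 section 5.14, mandatory for EAP over RADIUS per RFC 3579): an HMAC-MD5 keyed with the shared secret over the Access-Request with that attribute zeroed, so a secret that does not match on one server entry fails exactly like a forged signature. The following is an added example, not from this thread, that builds such a packet and runs the server-side check; the user name, EAP payload, authenticator bytes and secrets are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

def _attr(attr_type, value):
    # Attribute = Type (1 byte) + Length (1 byte, includes header) + Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, authenticator, secret, attrs):
    """Build an Access-Request whose Message-Authenticator is HMAC-MD5(secret)
    over the whole packet with the attribute value set to 16 zero bytes."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(packet, secret):
    """Server-side check: True if the Message-Authenticator matches the
    shared secret configured for this client, False on mismatch or if absent."""
    header, pos, rebuilt, received = packet[:20], 20, b"", None
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            return False  # malformed attribute
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            received = packet[pos + 2:pos + l]
            rebuilt += packet[pos:pos + 2] + b"\x00" * 16  # zero it for the HMAC
        else:
            rebuilt += packet[pos:pos + l]
        pos += l
    if received is None:
        return False  # EAP-Message without Message-Authenticator must be discarded
    expected = hmac.new(secret, header + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

# Constructed sample: EAP-Response/Identity (code 2, id 1, len 10, type 1, "corey")
SECRET = b"correct-secret"
EAP_IDENTITY = b"\x02\x01\x00\x0a\x01corey"
AUTHENTICATOR = b"\x11" * 16  # constructed; a real NAS uses 16 random bytes
PACKET = build_access_request(1, AUTHENTICATOR, SECRET,
                              [(ATTR_USER_NAME, b"corey"), (ATTR_EAP_MESSAGE, EAP_IDENTITY)])
```

Running the check with a different secret on the second server entry reproduces the symptom: the packet is well formed, but the server rejects it as a bad signature.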

5 Replies

ddrodge
Level 1

Did you ever get a response to this? I have the same problem using IAS on two W2K servers in different domains. I had to add any remote users to the first domain listed to have authentication using the IAS server work.

Thanks for trying to help. We ended up getting around the problem by adding the following two commands:

radius-server retransmit 3

radius-server deadtime 1

Hi,

I have a problem trying to add a second radius server for redundancy. It does not seem to automatically switch over to the secondary radius server.

Thanks.

I did find a solution that worked in our environment. It was to add the following commands on the client:

radius-server retransmit 3

radius-server deadtime 1

This enhanced the failover to operate correctly. Hope that helps.

drigoldi
Level 1

I had the same issue trying to introduce redundancy in my network's 802.1x authentication using IAS on Win 2k3 and NPS on Win2k8, in a multiforest scenario.

I finally got it working by introducing a RADIUS Proxy (IAS on Win2k3) with 2 backend servers, running respectively Win2k3 (IAS) and Win2k8 (NPS) for each forest.

That simplified my config on network equipment, such as switches and routers, setting only one radius-server host.

In order to avoid the single point of failure introduced by the Radius proxy, I used a backup solution taking frequent snapshots of the VM running the proxy and deploying at the same time a silent VM ready to boot in case of failover.

Hope I've helped.