Cisco Support Community

hvd
New Member

authentication failing when falling back on secondary radius server

We have a large number of Aironet 1100 APs installed using a radius server & backup server for LEAP authentication.

We thought everything worked fine until yesterday, when the primary radius server died. We were no longer able to connect to the wireless LAN, although the telnet / http interface to an AP using the same servers for authentication & authorization works fine. When removing the failing radius server from an AP's config, we're back in business, so the BU-server works ok. Just a bit painful to reconfigure all APs when having a failing server.

Any ideas why this happens, or what might be wrong?

3 REPLIES
New Member

Re: authentication failing when falling back on secondary radius

We experienced a similar problem the other day. For us, authentication was working on some APs and not on others. Removing the failed server would fix the problem, but was unfeasible. Once we got the primary server back online, everything was fine, but we still don't have a solution for this problem either. We are using the Odyssey server from Funk Software, but I believe the fault lies with the APs. Why it worked on some and not on others, I have no idea. We are running the latest IOS version on all of our APs. Any insight into this issue would be appreciated.

New Member

Re: authentication failing when falling back on secondary radius

We were having a similar problem with our 1200 APs. You can tweak:

radius-server retransmit X

radius-server timeout X

commands on the AP config. The default settings are 3 and 5. Apparently the AP only has 10 seconds to finish failing over to the secondary radius server. After 10 seconds, it will try the other (failing) server again. The default settings can cause a max of 15 seconds during a fail-over, so it will never work.

I had to set ours to as low as:

radius-server retransmit 0

radius-server timeout 2

to get fail over to work.

debug radius authentication

helps to see what is going on.

It would be really great if the AP had longer than 10 seconds for this to happen!

hvd
New Member

Re: authentication failing when falling back on secondary radius

We did have those settings in our configuration but it still failed to work. We've found another parameter which seems to have solved the problem.

-> radius-server deadtime x

There seems to be a major difference between

-> radius-server timeout x and radius-server deadtime x

Things are working now, but we're still testing it out.
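
An added example, not written by any poster in this thread and not Cisco code: a Python check that reads the three `radius-server` settings discussed above from an AP config and flags values that would keep failover from completing. The 10-second window is the figure given in the second reply; counting one initial request plus each retransmit per server is an assumption, and the sample configs, addresses and the deadtime value are constructed.

```python
import re

# Defaults quoted in the thread (retransmit 3, timeout 5); deadtime defaults to 0.
DEFAULTS = {"timeout": 5, "retransmit": 3, "deadtime": 0}
# Failover window on the AP as described in the second reply.
FAILOVER_WINDOW_S = 10

_LINE = re.compile(r"^\s*radius-server\s+(timeout|retransmit|deadtime)\s+(\d+)\s*$")


def parse_radius_settings(config_text):
    """Return timeout/retransmit/deadtime from an IOS config, with defaults."""
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        if line.lstrip().startswith("!"):  # IOS comment line
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def audit_failover(config_text, window_s=FAILOVER_WINDOW_S):
    """Return (seconds lost on a dead server, list of findings)."""
    s = parse_radius_settings(config_text)
    # Assumption: a dead server costs the initial request plus each
    # retransmit, and every attempt waits the full timeout.
    wait = (s["retransmit"] + 1) * s["timeout"]
    findings = []
    if wait >= window_s:
        findings.append(f"dead server holds a request for {wait}s, window is {window_s}s")
    if s["deadtime"] == 0:
        findings.append("no deadtime: the failed server is tried again on each new request")
    return wait, findings


# Constructed sample configs (not taken from any real AP).
DEFAULT_CONFIG = """
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key EXAMPLE
"""
TUNED_CONFIG = DEFAULT_CONFIG + """
radius-server retransmit 0
radius-server timeout 2
radius-server deadtime 10
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("tuned", TUNED_CONFIG)):
        wait, findings = audit_failover(cfg)
        print(name, f"{wait}s", findings or "ok")
```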
