Detect up/down radius server

Hello,
I was wondering how does a switch proceed to detect when one or several radius server is down.
If I leave only one radius server in a C3560-24PS (running with the lastest software version) and shut all services associated with my ACS4.2 through the web interface, I receive the following error logs:
13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not  responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked  alive.
Anyone can explain me why a such ouput?
Thank you for your help!
David

Hello,I was wondering how does a switch proceed to detect when one or several radius server is down.If
I leave only one radius server in a C3560-24PS (running with the
lastest software version) and shut all services associated with my
ACS4.2 through the web interface, I receive the following error logs:13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not  responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked  alive.Anyone can explain me why a such ouput?Thank you for your help!David
Hi David,
Following are the comments for the above messages
%RADIUS-4-RADIUS_DEAD -- A RADIUS server has not responded to repeated requests
For checking purpose check to see if the RADIUS server is still active.
%RADIUS-4-RADIUS_ALIVE -- A RADIUS server that previously was not responding has responded
to a new request
Hope to Help !!
Remember to rate the helpful post
Ganesh.H

Similar Messages

  • Radius server for lab work

    I am studying Routing & Switching, but I also need to have a general understanding of the security features: AAA authentication, dot1x etc. It is probably the weakest link in my chain of knowledge because I have never used those
    features.
    I really need to play with the protocols in the lab to get a basic understanding of them. Is there some cut-down Radius server, preferably freeware running on a PC, that can be used for basic lab work? Can someone guide me through obtaining and installing it?
    Kevin Dorrell
    Luxembourg

    Hi Kevin
    You should be able to get an eval license for Cisco's Secure ACS that you could use in the lab. It is free for download on the Cisco site.
    It does run out after 3 months so it depends on how long you need it for.
    The other option is to use the Microsoft Radius server (IAS) which comes with the W2K Advanced server. I haven't used it so i can't really comment other than that.
    HTH
    Jon

  • WCS reports Radius server port 1813 up and down.

    Hi all,
    Help me on this, please. I use Radius server 172.20.104.253 and .254 port 1812 to authenticate some wireless clients. However, the .254 keep failling, deactivate on port 1813 (this is from the log); resulting some clients can't authenticate. How do I approach this? Why port 1813 fail effect the authentication which is on port 1812 ?
    Thanks.

    jedubois!
    I use Cisco ACS as my radius. For laptops, instead using pre-shared key, I use radius to authenticated the laptop. I create user/password on AD (username is laptop name). On laptop under Intel Proset/Wireless utility, I create a profile with this username. Upon startup, the Proset/Wireless utility authenticates this user this radius server; then gives the laptop wireless connectivity; no pre-shared key needed.
    On the WCS event view; radius server is timeout (activated and deactivated) every 2 seconds (like you said; it is default). But is on port 1813 and I config radius server on WCS on port 1812.
    My questions are what is ideal timeout on each radius server? and why radius server report timeout on port 1813 instead of 1812?
    FYI, I ping -t both of my radius servers. And radius servers are available all the time.
    Regards.

  • How to set two radius servers one is window NPS another is cisco radius server

    how to set two radius servers one is window NPS another is cisco radius server
    when i try the following command, once window priority is first , i type cisco radius user name, it authenticated fail
    i can not use both at the same time
    radius-server host 192.168.1.3  is window NPS
    radius-server host 192.168.1.1 is cisco radius
    http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
    conf t
    no aaa authentication login default line
    no aaa authentication login local group radius
    no aaa authorization exec default group radius if-authenticated
    no aaa authorization network default group radius
    no aaa accounting connection default start-stop group radius
    aaa new-model
    aaa group server radius IAS
     server 192.168.1.1 auth-port 1812 acct-port 1813
     server 192.168.1.3 auth-port 1812 acct-port 1813
    aaa authentication login userAuthentication local group IAS
    aaa authorization exec userAuthorization local group IAS if-authenticated
    aaa authorization network userAuthorization local group IAS
    aaa accounting exec default start-stop group IAS
    aaa accounting system default start-stop group IAS
    aaa session-id common
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
    radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
    privilege exec level 1 show config
    ip radius source-interface Gi0/1
    line vty 0 4
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    line vty 5 15
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    end
    conf t
    aaa group server radius IAS
     server 192.168.1.3 auth-port 1812 acct-port 1813
     server 192.168.1.1 auth-port 1812 acct-port 1813
    end

    The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
    If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
    I hope this helps!
    Thank you for rating helpful posts!

  • Trying to implement EAP/TLS using java (as part of RADIUS server)

    Hi
    This is a cross port since I didn't know which forum to post in!
    I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
              KeyStore ksKeys = KeyStore.getInstance("JKS");
                ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
                KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                kmf.init(ksKeys, passphrase);
                KeyStore ksTrust = KeyStore.getInstance("JKS");
                ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
                TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
                tmf.init(ksKeys);
                sslContext = SSLContext.getInstance("TLS");
                sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                sslEngine = sslContext.createSSLEngine();
                sslEngine.setUseClientMode(false);
                sslEngine.setNeedClientAuth(true);
                sslEngine.setWantClientAuth(true);
                sslEngine.setEnableSessionCreation(true);
                appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
                appBuffer.clear();
                netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
                netBuffer.clear();All I want to do with TLS is a handshake.
    I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
           SSLEngineResult result = null;
            SSLEngineResult.HandshakeStatus hsStatus = null;
            if( internalState != EAPTLSState.Handshaking ) {
                if( internalState == EAPTLSState.None ) {
                    TLSPacket tlsPacket = new TLSPacket( packet.getData() );
                    peerIdentity = tlsPacket.getData();
                    internalState = EAPTLSState.Starting;
                    try {
                        sslEngine.beginHandshake();
                    } catch (SSLException e) {
                        e.printStackTrace();
                    return;
                else if(internalState == EAPTLSState.Starting ) {
                    internalState = EAPTLSState.Handshaking;
                    try {
                        sslEngine.beginHandshake();
                    } catch (SSLException e) {
                        e.printStackTrace();
            TLSPacket tlsPacket = new TLSPacket( packet.getData() );
            netBuffer.put( tlsPacket.getData() );
            netBuffer.flip();
            while(true) {
                hsStatus = sslEngine.getHandshakeStatus();
                if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                    Runnable task;
                    while((task=sslEngine.getDelegatedTask()) != null) {
                        new Thread(task).start();
                else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                    try {
                        result = sslEngine.unwrap( netBuffer, appBuffer );
                    } catch (SSLException e) {
                        e.printStackTrace();
                else {
                    return;
            }When I try to send data I use the following code:
               SSLEngineResult.HandshakeStatus hsStatus = null;
                SSLEngineResult result = null;
    //            netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
                netBuffer.clear();
                while(true) {
                    hsStatus = sslEngine.getHandshakeStatus();
                    if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                        Runnable task;
                        while((task=sslEngine.getDelegatedTask()) != null) {
                            new Thread(task).start();
                    else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
                        try {
                            result = sslEngine.wrap( dummyBuffer, netBuffer );
                        } catch (SSLException e) {
                            e.printStackTrace();
                    else {
                        if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
                            int size = Math.min(result.bytesProduced(),this.MTU);
                            byte [] tlsData = new byte[size];
                            netBuffer.flip();
                            netBuffer.get(tlsData,0,size);
                            TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
                            if( size < result.bytesProduced() ) {
                                tlsPacket.setFlag(TLSFlag.MoreFragments);
                            return new EAPTLSRequestPacket( ID,
                                    (short)(tlsPacket.getData().length + 6),
                                    stateMachine.getCurrentMethod(), tlsPacket );
                        else {
                            return null;
                    }After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
    Any help wold be most greatfull, if any questions or anything unclear plz let me know.
    add some additional information here is a debug output
    Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
    [Raw read]: length = 5
    0000: 16 03 01 00 41 ....A
    [Raw read]: length = 65
    0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
    0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
    0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
    0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
    0040: 00 .
    Thread-2, READ: TLSv1 Handshake, length = 65
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
    1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
    50, 201 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
    _3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
    SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
    PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
    S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
    Compression Methods: { 0 }
    [read] MD5 and SHA1 hashes: len = 65
    0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
    0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
    0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
    0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
    0040: 00 .
    Thread-5, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
    Thread-5, WRITE: TLSv1 Alert, length = 2
    Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
    ception: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
    92)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
    mpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
    pl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
    26)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
    va:153)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
    eMachine.java:358)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
    ava:262)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
    352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
    rHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
    haker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
    ndshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
    95)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
    java:930)
    ... 1 more

    I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me detailed description on how WLC Radius Server Load balance works.
    Becuase, I encounted a problem of User Authenticated with the 1st Radius Server, but Accounting Records are actually on 2nd Server .
    Any response will be very appreciated
    -Angela

    Hi Angela,
    I pasted below the part of config guide explaining the different modes. In summary :
    -Fallback off means : when 1st radius server shows dead , WLC moves to the second. And will only change again when the 2nd is dead too.
    -Passive means : whent 1st radius is dead, WLC moves to the second. If there is a new authentication coming in, it will try the 1st radius server again
    -Active means : WLC constantly sends radius probes to detect when primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    •off disables RADIUS server fallback.
    •passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    •active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

  • WPA2 and Radius server configuration

    On the page: http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
    is described how to setup a WPA2 and Radius server.
    If I follow this, the Radius server does not work. In the document they descibe that I need to use 10.0.0.1 as the IP, but my AP has a 192.168.1.251 address. Even if I enter that adres, or the 10.0.0.1, it does not work.
    Normal WPA2 personal, without Radius does work.
    I use a 1100 series AP, (AIR-AP1120B-E-K9) with a AIR-MP21G and the firmware of the radio module is 5.90.11.
    The IOS version is 12.3(8)JA2.
    Does anyone know what to do?
    Haik

    Hello,
    I understand that. I have given the AP a fixed address, 192.168.1.251. This is outside the DHCP pool, from the router.
    Even if I use this address in th Radius configuration, it still does not work. My client (laptop with Intel Pro Wireless 2200 card), detects that there is a Radius server, and asks for a username / password.
    But even if I fill it in correctly (copy / paste) it does not work.
    So what can be wrong with this configuration?
    Haik

  • Primary-secondary radius server configuration

    Hi all ,
          I have a couple of ACS 5.2 configured as active and backup and I am   doing dot 1x authentication using these servers . I have configured the  switch with the bellow configuration.
    radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
    radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
    radius-server key 7 aaaaaaaaaaaaaa
    please help to understand what will happen in switch
    1) in case of primary failure
    2)in case if primary returns alive .
    thanks in advance ,
    Selva

    Hi Selva,
    You need to post all your AAA config. the above lines show you added the radius servers but it is not necessarily all server will be reached. We need to look into the AAA config to see what server groups are configured and what servers under the groups.
    In general, if things are configured correctly:
    - If the primary did not reply at all (down, not reachable...etc) the AAA client (switch in your case) will try the next radius server.
    - If the primary server replies (with access-reject, error, ...etc) the AAA client (switch in your case) send auth failure to the host.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • RADIUS Server High Availability?

    Hi,
    I have two RADIUS servers in my network (one to be the failover serv) and one of them has been having problems, the server is not getting down but the radius service is getting crashed. Don't know why the failover server doesn't respond the authentication for the users if the books said that this is something automatic.
    Is there one command to allow the switch to recognize if the service is down in one of the radius servers and automatically use the other one to authenticate the users?.
    tks

    Hi,
    In switches you need to configure two radius server with secret key along with,so as per the sequence in the IOS the request will directed to radius servers.
    Below will the command to configure tacas/radius server in switches
    tacacs-server host 10.1.x.x
    tacacs-server host 10.2.x.x
    Hope that help out your query !!
    Regards
    Ganesh.H

  • Programming tacacs &radius server-keys ?

    I'm having an issue programming the tacacs & radius server-keys. I'm not sure if I missed a step or my use of the syntax. I appreciate any help you can provide. It's a first time for me and I'm attempting to duplicate an existing switch which states server-key 7 <removed>. 
    Thanks
    Roy

    Roy
    I can appreciate that the first time doing this can seem daunting. But it really is not so difficult when you get right down to it.
    The first thing to understand is that in the existing config the key has already been encrypted for storage on the switch. So what you see in the running config is crypto text and not really the exact key.
    You have two options in how to configure your new switch:
    - you could cut and paste the server key from the existing config to the new switch. So you would be inputting the type 7 encrypted key directly to the new switch.
    - you could manually configure the key on the new switch. In this case you would configure
    server-key <key_value>
    where <key_value> is the clear text key to use. If you do this, and assuming that you have configured service password-encryption, then the switch will take the clear text key and will encrypt it for storage on the new switch.
    HTH
    Rick

  • How to know if the radius server is working through APs?...

    Hello guys,
         I have the next escenario, 9 APs 1142 installed that at the same time they connect a one RADIUS server to secure the network,
         (Wireless clints -- APs -- RADIUS server -- Aplications/Internet )
         Now, we have to add another RADIUS Server, this is in case of the primary  server falls, the other one comes in action, the configuration
         has been made, however has not bee tested, we can not  shut down the primary RADIUS server this is because it
         cointains more applications, one way that could test if the backup radious server si working, is to delete of the configuration the primary
         radious server, how can I know if the backup server is working? exist one command in the IOS of AP to know if the RADIOUS server is working??..
         Regards!

    if this is an IOS setup you can use the test command:
    test aaa group radius blahblah blahblah new-code
    **blahblah being he username and password you want to send.  It doesn't have to be valid, just need a response.
    HTH,
    Steve
    Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

  • Cisco Switch connecting to Radius Server

    Hello Team,
    I discovered that anytime the Uplink of my Cisco C2960CG-8TC-L goes down and reconnects, before the switch connects with the Radius Server, the access ports starts to connect into Guest VLAN, which is not the correct production VLAN that has been assigned to the Mac addresses.
    I thought I could resolve this with Link state track Upstream and Downstream, but it's not working effectively.
    The solution to the problem should be when the UPLINK port does down for whatsoever reason and comes back up, it should communicate with the Radius Server first, thereafter the access ports comes up and connect to the assigned Production VLAN not the Guest VLAN.
    How do I achieve this? Any positive advise would be highly appreciated. Configuration can be uploaded if needed.
    Thanks
    Peter

    I haven't ever done it, but I think you can set up the Access point as a radius server. Then configure Mac authentication and either filter with the local list or an access list.
    Thanks,
    Alex

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to created a limited access group through radius that I can have new network analysts log into
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the radius server is passing the corrrect attriubute
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for  privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like your in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    It will allow you to type sh run without errors, but it doest actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
    Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

  • Accounting-Start and Accounting-Stop recorded on diffrent RADIUS server.

    1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
    2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
    To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it  an issue for RADIUS application ?
    Cheers,

    It is my understanding that the 'NAS_PORT' value in authentication and accounting request are unique and a different value for each authentication request allows it to identify those users that are logged in. However, sending one Acct-Unique-Session-Id at the Start and a different one at stop does sound fishy. However, I could not find any bugs related to this problem. Do let me know if you manage to locate something.

  • Doubts on Radius Server

    1. Suppose we have mutliple Radius server in a Netowrk. If primary Radius server goes down , how secondary server will come into the picture..
    2. Where can we check ,which Radius server is active (Primary or secondary Radius server)
    3. Is there any limit like one server can authenticate a number of clients?
    Thanks
    Sri

    Sri,
    1) Its the NAS that brings up secondary radius server. First it will try hitting primary radius server and if there is no response it will then try seoncdary radius.
    2) On ASA you can use this command to check the server status,
    ASA# show aaa-server protocol radius
    On IOS
    Switch#show aaa servers
    RADIUS: id 3, priority 1, host 192.168.26.119, auth-port 1645, acct-port 1646
         State: current UP, duration 151040s, previous duration 0s
         Dead: total time 0s, count 0
         Quarantined: No
         Authen: request 6, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 190ms
                 Transaction: success 6, failure 0
         Author: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Account: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Elapsed time since counters last cleared: 1d17h33m
    RADIUS: id 4, priority 2, host 192.168.1.99, auth-port 1645, acct-port 1646
         State: current UP, duration 151040s, previous duration 0s
         Dead: total time 0s, count 0
         Quarantined: No
         Authen: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Author: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Account: request 0, timeouts 0
                 Response: unexpected 0, server error 0, incorrect 0, time 0ms
                 Transaction: success 0, failure 0
         Elapsed time since counters last cleared: 0m
    3) I'm not aware of any limit that can be configured on radius. But there are certain paremeters you can set up (That depends on verdor)
    Regards,
    ~JG
    Do rate helpful posts

Maybe you are looking for

  • Purchasing a developer account!

    Hi, Yesterday I  purchased an individual developer account from Microsoft. I received an email from Windows Store team greeting me for the purchase and suggested me a link to go to dashboard to reserve and submit apps, but I cant access my dashboard,

  • Consignment to consignment sales issue

    Hi Experts, We want to go alive with SAP in one of our subsidiaries. The sales process with this subsidiary is that we sale to the subsidiary and the subsidiary sales to his customer. Both sales are consignment, means we bill the subsidiary only afte

  • Unparseable date error

    hi, i 've developed and application, in which at some point it compares dates. i have used win2k (english) version for development evn. when the qa is testing it on non english w2k, they are getting unparseable date error. =========== WARNUNG: java.t

  • Exponential fade on Adobe Premiere Pro CS4

    I  am using Adobe Premiere Pro CS4. I have recorded some voice. And I am deleting a few words, so I use the razor tools to cut the starting and end points of the uwanted audio. Then i ripple delete it. To make it smooth, I try to apply the exponentia

  • Why won't my contact folder open

    My constants will not open