802.1x Radius failover

amnewman08

IS-IT--Management
Nov 23, 2009
I've got 802.1x machine authentication (with certificates) working on my Active Directory based network. My problem arises when I try to configure a second RADIUS server on my Cisco 2950 (standard image) switch. If the first RADIUS server listed in the switch's configuration is offline, the port authentication fails. I've switched the RADIUS server configuration entries around on the switch, so I know both servers will authenticate, but the switch only seems to work with the first RADIUS server listed.

Could this be a limitation of the Standard Image IOS?

Any help would be appreciated.
 
Post a config please.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Test Switch Config:

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxx
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
enable secret 5 xxxx
!
username adam secret 5 xxxxxxxx
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/24
!
interface Vlan1
ip address 192.168.26.2 255.255.255.0
no ip route-cache
!
ip http server
radius-server host 192.168.26.11 auth-port 1812 acct-port 1813 key xxxx
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key xxxx
radius-server retransmit 3
!
line con 0
line vty 0 4
password 7 xxxx
line vty 5 15
!
!
end
 
try creating a radius server group:
Code:
aaa group server radius <groupname>
  server 192.168.26.11
  server 192.168.26.10
!
! both addresses must already be defined globally with radius-server host
aaa authentication dot1x default group <groupname>
aaa authorization network default group <groupname>

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Added the Radius group as shown below:

aaa group server radius RadiusTest
server 192.168.26.10 auth-port 1812 acct-port 1813
server 192.168.26.11 auth-port 1812 acct-port 1813


aaa authentication dot1x default group RadiusTest
aaa authorization network default group RadiusTest

I still am having the same issue. When it marks 192.168.26.10 as dead it tries 192.168.26.11 but the port never authenticates.

The final messages I get from the Radius debug are:

00:49:48: RADIUS: Marking server 192.168.26.10:1812,1813 dead
00:49:48: RADIUS: Re-signed packet (key: cisco2950; rctx: 0x80D239E0)
00:49:48: RADIUS: Trying next server (192.168.26.11:1812,1813) for id54
00:49:48: RADIUS: Retransmit id 54
00:49:48: RADIUS: Received from id 54 192.168.26.11:1812, Access-Challenge, len 77
00:49:48: Attribute 27 6 0000001E
00:49:48: Attribute 79 8 01010006
00:49:48: Attribute 24 25 1BFC0313
00:49:48: Attribute 80 18 49A36780
00:49:48: RADIUS: EAP-login: length of eap packet = 6
00:49:48: RADIUS: EAP-login: got challenge from radius

Then it just stops.

Thanks
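The debug output above shows the switch marking the primary dead, retrying the backup, and getting back an Access-Challenge (an intermediate EAP step) with no Access-Accept or Access-Reject afterwards. The following Python is an added example, not from the thread or from Cisco, that parses `debug radius` lines in the format quoted above and reports whether a failover happened, whether the backup server answered, and whether the EAP exchange actually completed; the sample lines are constructed from the thread's output, and the line patterns are assumed to match that IOS 12.1 format only.

```python
import re

# Constructed sample modelled on the `debug radius` lines quoted in the thread;
# the timestamps and IDs are illustrative, not a capture from the poster's switch.
SAMPLE_DEBUG = """\
00:49:48: RADIUS: Marking server 192.168.26.10:1812,1813 dead
00:49:48: RADIUS: Re-signed packet (key: cisco2950; rctx: 0x80D239E0)
00:49:48: RADIUS: Trying next server (192.168.26.11:1812,1813) for id54
00:49:48: RADIUS: Retransmit id 54
00:49:48: RADIUS: Received from id 54 192.168.26.11:1812, Access-Challenge, len 77
00:49:48: RADIUS: EAP-login: got challenge from radius
"""

# Patterns assumed from the debug lines shown on the page (IOS 12.1 style).
DEAD_RE = re.compile(r"RADIUS: Marking server (\S+?):(\d+),(\d+) dead")
NEXT_RE = re.compile(r"RADIUS: Trying next server \((\S+?):\d+,\d+\) for id\s*(\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id (\d+) (\S+?):\d+, (Access-\w+), len (\d+)")

def parse_events(text):
    """Turn debug radius lines into (kind, detail) tuples, skipping noise lines."""
    events = []
    for line in text.splitlines():
        if m := DEAD_RE.search(line):
            events.append(("dead", m.group(1)))
        elif m := NEXT_RE.search(line):
            events.append(("failover", m.group(1)))
        elif m := RECV_RE.search(line):
            events.append(("reply", (m.group(2), m.group(3))))
    return events

def assess_failover(text):
    """Report which server died, which backup was tried, and how EAP ended."""
    events = parse_events(text)
    dead = [d for k, d in events if k == "dead"]
    backups = [d for k, d in events if k == "failover"]
    replies = [d for k, d in events if k == "reply"]
    # Access-Challenge only continues the EAP conversation; a finished
    # authentication ends with Access-Accept or Access-Reject.
    if not replies:
        outcome = "no-reply"
    else:
        last_code = replies[-1][1]
        outcome = {"Access-Accept": "accepted",
                   "Access-Reject": "rejected"}.get(last_code, "stalled")
    return {
        "dead_servers": dead,
        "backup_servers": backups,
        "backup_answered": any(srv in backups for srv, _ in replies),
        "outcome": outcome,
    }

if __name__ == "__main__":
    print(assess_failover(SAMPLE_DEBUG))
```

On the thread's output this reports `outcome: stalled` with `backup_answered: True`, which separates "the backup never replied" from "the backup replied but the EAP exchange never finished", the distinction the poster is stuck on.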
 