Skip to main content
Start a Conversation

This post is more than 5 years old

Solved!

Go to Solution

puckstopper

4 Posts

43809

May 7th, 2012 15:00

PC 5548 Failover Radius IAS not working with 802.1x

 

PC 5548  Failover Radius IAS not working with 802.1x

Hi- I’m looking for some help or leads to help me with this.

Clients can authorize with either server IAS1 or IAS2, but if client authorizes on IAS1 and then re-authentictes  (ie re-docks) while IAS1 is down, IAS2 has no connection attempt recorded and the client’s security log states

A request was made to authenticate to a wired network.

Subject:

Security ID:                         host/1x.mydomain.com

                Account Name:                 -

                Account Domain:                             -

                Logon ID:                             0x0

Interface:

                Name:                                  Intel(R) 82579LM Gigabit Network Connection

Additional Information

                Reason Code:                    Explicit Eap failure received (0x50005)

                Error Code:                         0x40420110

 

Logs from switch record (with my comments) –start at bottom

 

2147482623     07~May~2012 16:07:17    Warning      %STP-W-PORTSTATUS: gi1/0/24: STP status Forwarding        

 2  2147482624     07~May~2012 16:06:47    Info         %LINK-I-Up:  gi1/0/24      

  I then plug cable back in but there is no corresponding log entry on the IAS2 server so I don’t believe it is contacted

3  2147482625     07~May~2012 16:06:47    Warning      %SEC-W-PORTUNAUTHORIZED: Port gi1/0/24 is unAuthorized      

 

4  2147482626     07~May~2012 16:06:21    Warning      %LINK-W-Down:  gi1/0/24        

I then unplug cable and disable IAS service on IAS1 

 

5  2147482627     07~May~2012 16:04:06    Warning      %STP-W-PORTSTATUS: gi1/0/24: STP status Forwarding        

 6  2147482628     07~May~2012 16:03:41    Info         %SEC-I-PORTAUTHORIZED: Port gi1/0/24 is Authorized        

 7  2147482629     07~May~2012 16:03:36    Info         %LINK-I-Up:  gi1/0/24     

Section above records successful auth with IAS1

 

The Dell 5548 switch (firmware 4.0.1.12 ) has both IAS servers specified and I’ve tried varying priority settings on the configuration of each- both at zero or one at zero and the other at 100 as I’m not clear what that should be set to for fault tolerance

The basic setup  is Domain with Win2003 IAS servers with self signed certs pushed out via GPO so that it ends up in the trusted root certificate authorities computer cert store. I’ve tried with IAS1’s cert on both the IAS servers or unique certs for each server for the MS-CHAP V2  PEAP and allow policy set for domain computers

Clients WIN7 Pro 64 configured to use computer authentication and verify certs

IAS failover works fine between these servers for other purposes such as VPN access

And remember PC’s will auth to both IAS servers- just not switch between them when one is down

Any ideas???

 

Thanks for reading

puckstopper

4 Posts

May 14th, 2012 09:00

This turned out to be that stopping the IAS service (as I was doing to test) is not enough to cause a failover- the server must actually be non-pingable or truly down. When I shut it down completely it failed over.

This means that if the IAS service stops or is stopped inadvertently- no fail over and no access. To protect against this we setup our monitoring software to check the two IAS servers IAS service is running

I don’t know that it played a role but the settings I used were:

Default Retries (1-10)    4

Default Timeout for Reply (1-30)  (Sec)   1

Default Dead Time (0-2000)  (Min)   10 (to allow reboots for updates etc)

Default Key String (0-128 Characters)    

Source IPv4 Address    

Source IPv6 Address   (X:X:X:X::X)  

DELL-Willy M

802 Posts

May 7th, 2012 19:00

Have you tried implementing any of these features?

 

Number of Retries (1-10) — Enter the number of requests sent to the

RADIUS server before a failure occurs.

 

radius-server timeout

Use the radius-server timeout Global Configuration mode command to set

the time interval during which the device waits for a server host to reply. Use

the no form of this command to restore the default configuration.

 

Timeout for Reply (1-30) — The amount of the time in seconds that

the device waits for an answer from the RADIUS server before retrying

the query, or switching to the next server.

 

radius-server deadtime

Use the radius-server deadtime Global Configuration mode command to

configure the time interval during which unavailable RADIUS servers are

skipped over by transaction requests. This improves RADIUS response time

when servers are unavailable. Use the no form of this command to restore the

default configuration.

 

Dead Time (0-2000) — The amount of time (in minutes) that a

RADIUS server is bypassed for service requests.

 

They are discussed with CLI examples starting on page 252 of the CLI User Guide.

 

55xx CLI User Guide:

 

http://support.dell.com/support/edocs/network/pc5524/en/CLI/PDF/en_cli.pdf

 

 

Hope this helps,

puckstopper

4 Posts

May 8th, 2012 07:00

Thanks for your input Willy M-

I had read the help links associated with those settings, but with so many variables it seems very hit and miss to test with.I'm only piloting 3 ports with .1x but it is my production network at this time after working out the other settings in a lab environment. I’ll forge ahead but if anyone has some starting point suggested settings for two Radius serves on a fast LAN connection I’d love to know what worked- either in a round robin fashion or just fault tolerant. I’ll update any progress I make. Thanks

Was this post helpful?

View All

0 events found

No Events found!

Top