  • 1.  Aruba 2530/2930 Radius failover not working

    Posted Jul 08, 2020 07:59 AM

    Hi community,

    When we migrated a ClearPass cluster last week, the edge switches temporarily only connected to the secondary ClearPass node as configured in the edge switches. We discovered that failover to the secondary ClearPass node did not work properly and that the 802.1X clients received EAP-TLS timeouts.

    This week I tested the scenario on one edge switch to find out why the switch configuration is not properly using its second RADIUS server.

     

    Tested switches:

    • Aruba 2530 firmware 16.09.0002 and latest 16.09.0012
    • Aruba 2930M firmware 16.09.0002

    When I fake the IP of the first RADIUS server, the second node gives only EAP-TLS timeout issues. When I configure just one RADIUS server (cppm01 or cppm02) in the switch configuration, everything works fine.

    radius-server host 192.168.1.1 key ""
    radius-server host 192.168.1.1 dyn-authorization
    radius-server host 192.168.1.1 time-window 0
    radius-server host 192.168.1.10 key ""
    radius-server host 192.168.1.10 dyn-authorization
    radius-server host 192.168.1.10 time-window 0

     

    When I do a show radius on the 2530 there is no "*" marked for the dead RADIUS server.

    When I do a show radius on the 2930M there is a "*" marked for both servers, while only the first one is faked/unreachable.

    EDGESWITCH(config)# show radius

    Status and Counters - General RADIUS Information

     Dead RADIUS server are preceded by *

     Deadtime (minutes) : 10          TLS Dead Time (minutes) : 0
     Timeout (seconds) : 5            TLS Timeout (seconds) : 30
     Retransmit Attempts : 3          TLS Connection Timeout (seconds) : 30
     Global Encryption Key :
     Dynamic Authorization UDP Port : 3799
     Source IP Selection : Outgoing Interface
     Tracking : Disabled
     Request Packet Count : 3
     Track Dead Servers Only : Disabled
     Tracking Period (seconds) : 300
     ClearPass Identity :

                       Auth  Acct  DM/  Time   |
     Server IP Addr    Port  Port  CoA  Window | Encryption Key   OOBM
     ---------------   ----- ----- ---  ------ + ---------------- ----
     *192.168.1.1      1812  1813  Yes  0      | ""               No
     *192.168.1.10     1812  1813  Yes  0      | ""               No

    Is somebody familiar with this issue?



  • 2.  RE: Aruba 2530/2930 Radius failover not working

    Posted Jul 08, 2020 08:33 AM

    edit ---not fixed---



  • 3.  RE: Aruba 2530/2930 Radius failover not working

    Posted Jul 08, 2020 09:02 AM

    edit ---not fixed---



  • 4.  RE: Aruba 2530/2930 Radius failover not working

    Posted Jul 08, 2020 09:24 AM

    Sorry to hear that the dead timer did not solve it.

    Like I said on the phone earlier, I have had issues with both RADIUS servers being declared dead, the log filled up with errors saying RADIUS unreachable, even though the connection is stable.

    Maybe a bug/false positive where the switch declares the RADIUS server as dead, even if it is still reachable?



  • 5.  RE: Aruba 2530/2930 Radius failover not working

    Posted Sep 08, 2020 06:41 PM

    Hi, in case anyone is still looking for an answer: I had a really similar issue, and I just changed the Deadtime and Retransmit values to 1. That will make the switch fail over immediately after no response from the primary RADIUS server.

    Switch# show radius

    Status and Counters - General RADIUS Information

    Dead RADIUS server are preceded by *

    Deadtime (minutes) : 1
    Timeout (seconds) : 5 
    Retransmit Attempts : 1

     

    Commands:

    radius-server deadtime 1

    radius-server retransmit 1

    Once the Publisher was down I was receiving a lot of timeouts on my CPPM Subscriber server; sometimes it was taking a long time for the switch to send the request to the server. Once I modified those values I didn't have any more issues.

    Regards.

    Randall

    *Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*



  • 6.  RE: Aruba 2530/2930 Radius failover not working

    Posted Feb 03, 2025 08:50 AM

    Check if your `server-timeout` is big enough to accommodate the failover routine. It should be at least ((retransmits + 1) * radius-server timeout) * number of RADIUS servers configured.

    TLDR:

    I had the same issue and @Randall's solution worked for me.

    After further investigation I found this:

    To calculate the RADIUS timeout value, use the equation:

    ((retransmits + 1) * radius-server timeout) * number of RADIUS servers configured

    If three RADIUS servers are configured with default values of radius-server timeout and radius-server retransmit, the RADIUS timeout value will be ((3+1)*5)*3 = 60 seconds.

    To apply secondary authentication methods (authorized or cached reauthentication) successfully, the radius-server timeout value (as per the equation) must be less than the server-timeout value. If the radius-server timeout value is higher than the server-timeout value, the client will be placed in the timed out-unauth VLAN (if unauth-vid is configured) or the timed out-no VLAN state after trying for max-requests (default value is 3).

    Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so on. If none of the servers respond, then the switch attempts to use the secondary authentication method configured for the type of access being attempted (console, Telnet, or SSH). For more information, see the Troubleshooting chapter of the Management and Configuration Guide for your switch.


    My `server-timeout` < `calculated value`. After setting `aaa port-access authenticator 1 server-timeout 137` the failover worked.

    The radius-server retransmit and timeout values are global switch configuration.
    The server-timeout is a per-port configuration.

    Source: https://arubanetworking.hpe.com/techdocs/AOS-S/16.10/ASG/KB/content/asg%20kb/cnf-swi-glo-rad-par.htm
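A small checker, added here as an illustration and not part of this thread or of any Aruba tooling, that applies the formula from the last post to the values seen in the thread (two ClearPass nodes, default timeout 5 s and retransmit 3, server-timeout 137) and pulls the global Timeout and Retransmit Attempts out of a constructed "show radius" capture modelled on the first post. The 30-second server-timeout in the contrast case is an assumed value, not one taken from the thread.

```python
import re

def radius_timeout_seconds(retransmits: int, timeout: int, servers: int) -> int:
    """Worst-case time the switch spends walking the whole RADIUS server list,
    using the formula quoted in the post: ((retransmits + 1) * timeout) * servers."""
    return (retransmits + 1) * timeout * servers

def server_timeout_ok(server_timeout: int, retransmits: int, timeout: int, servers: int) -> bool:
    """True when the per-port server-timeout leaves room for the switch to reach
    the second server before the client lands in a timed-out state."""
    return radius_timeout_seconds(retransmits, timeout, servers) < server_timeout

# Constructed sample: the global counters section of 'show radius' as in the first post.
SHOW_RADIUS = """\
Status and Counters - General RADIUS Information

 Dead RADIUS server are preceded by *

 Deadtime (minutes) : 10         TLS Dead Time (minutes) : 0
 Timeout (seconds) : 5           TLS Timeout (seconds) : 30
 Retransmit Attempts : 3         TLS Connection Timeout (seconds) : 30
"""

def parse_show_radius(text: str) -> dict:
    """Extract the global RADIUS Timeout and Retransmit Attempts. Anchoring the
    pattern at line start stops the 'TLS Timeout' column on the same line matching."""
    timeout = re.search(r"^\s*Timeout \(seconds\)\s*:\s*(\d+)", text, re.M)
    retrans = re.search(r"^\s*Retransmit Attempts\s*:\s*(\d+)", text, re.M)
    if not (timeout and retrans):
        raise ValueError("Timeout / Retransmit Attempts not found in show radius output")
    return {"timeout": int(timeout.group(1)), "retransmits": int(retrans.group(1))}

def check_failover_budget(text: str, servers: int, server_timeout: int) -> dict:
    """Combine the parsed global values with the per-port server-timeout into one verdict."""
    g = parse_show_radius(text)
    needed = radius_timeout_seconds(g["retransmits"], g["timeout"], servers)
    return {"radius_timeout": needed, "server_timeout": server_timeout,
            "ok": needed < server_timeout}

if __name__ == "__main__":
    # Two ClearPass nodes as in the first post; 137 s is the value from the last post,
    # 30 s is an assumed (not thread-supplied) shorter per-port setting for contrast.
    for st in (137, 30):
        print(check_failover_budget(SHOW_RADIUS, servers=2, server_timeout=st))
```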