Comware

Do the Procurve 2650's support multiple radius servers? In case one radius server is down, I would like to have the switch try another radius server.

I tried this:
radius-server host 172.16.x.y mykey
radius-server host 172.16.x.z mykey

When I turned off .x.y at 10:00 PM, no systems tried to authenticate with .x.z the next morning. I had to turn back on the radius service on .x.y in order for systems to connect to the network again.

Any suggestions would be greatly appreciated.

Thanks,
-John

hi John
can you make multiple IAS server configuration
on your servers

http://technet2.microsoft.com/windowsserver/en/library/39af9f9e-cb80-440a-ab62-d4a8ce04e4c91033.mspx?mfr=true

cenk

cenk,

I am using two FreeRadius.net servers, both on top of Windows 2003. I could use ISA, but I don't think this is the problem.

The problem is that .x.z never gets queried as if the 2650 does not even try to send an allow access request.

Any ideas on how to get the 2650 to fail-over and send requests to x.z if x.y fails and/or times out?

Thanks,
-John

hi John
I in this day test two microsoft IAS radius server and 2650 switch .my test successfully working

please send me your all switch log when first radius server down.

cenk

hi
please send me your 2650 show run print

I have attached my 'show run'

Thanks for helping me,
-John

a few comments and questions:

1) yes, you can support up to 3 radius servers on a 2650...

2) in your 'show run' i did not see a command that allows the switch to send the 802.1x auth functions to the radius servers...it may have been simply edited out when you did the edits...

it should be something like this:
'aaa authentication port-access eap-radius'

3) i assume in each of the freeradius server configs (Clients.conf) you have defined the 2650 as a radius client with the same shared secret...

4) on radius server x.z, if you looked at the /var/log/radius/radius.log did you see requests coming from the 2650?

5) finally, if you remove the x.y radius server config in the 2650, does it work?

'no radius-server host 172.16.x.y mykey'

hth...jeff

hi John
attach your config
(config)#aaa authentication port-access eap radius
(config)#aaa accounting network star-stop radius

and primary radius server down you make wait several minute

cenk

Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve recommends that you begin with the default (five seconds).
â ¢
Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.)
â ¢
Determine whether you want to bypass a RADIUS server that fails to respond to requests for service. To shorten authentication time, you can set a bypass period in the range of 1 to 1440 minutes for non-responsive servers. This requires that you have multiple RADIUS servers accessible for service requests

please read this doc.

ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap05-RADIUS.pdf

and update your switch H_10_50.swi

cenk

Hello all, Cenk, i've read through the document you recommended, just wanted to know do you HAVE to configure the dead timer and retransmit options to allow multiple RADIUS servers to be used?

 

I am attempting to use 2 RADIUS servers for 802.1x port authentication, they both work individually, but when i enter two different entries for radius-server host x.x.x.x key ZZZyy, only the first one works.

 

The real difficulty i am having is that seperately, when there is only one radius server entry, everything works, ports are authenticated successfully. Tried configuring dead timer also, and after the timer expires in the switch logs i can see requests are no longer being sent to that server, and they are being sent to the other server instead, but still not authenticating.

 

Any help is appreciated.