PC 5548 Failover Radius IAS not working with 802.1x


Hi- I’m looking for some help or leads to help me with this.

Clients can authorize with either server IAS1 or IAS2, but if a client authorizes on IAS1 and then re-authenticates (i.e. re-docks) while IAS1 is down, IAS2 has no connection attempt recorded and the client’s security log states:

A request was made to authenticate to a wired network.

Subject:
    Security ID:      host/1x.mydomain.com
    Account Name:     -
    Account Domain:   -
    Logon ID:         0x0

Interface:
    Name:             Intel(R) 82579LM Gigabit Network Connection

Additional Information
    Reason Code:      Explicit Eap failure received (0x50005)
    Error Code:       0x40420110

Logs from the switch record (with my comments): start at the bottom

2147482623    07~May~2012 16:07:17    Warning    %STP-W-PORTSTATUS: gi1/0/24: STP status Forwarding
2147482624    07~May~2012 16:06:47    Info       %LINK-I-Up: gi1/0/24
    I then plug the cable back in, but there is no corresponding log entry on the IAS2 server, so I don’t believe it is contacted.
2147482625    07~May~2012 16:06:47    Warning    %SEC-W-PORTUNAUTHORIZED: Port gi1/0/24 is unAuthorized

2147482626    07~May~2012 16:06:21    Warning    %LINK-W-Down: gi1/0/24
    I then unplug the cable and disable the IAS service on IAS1.

2147482627    07~May~2012 16:04:06    Warning    %STP-W-PORTSTATUS: gi1/0/24: STP status Forwarding
2147482628    07~May~2012 16:03:41    Info       %SEC-I-PORTAUTHORIZED: Port gi1/0/24 is Authorized
2147482629    07~May~2012 16:03:36    Info       %LINK-I-Up: gi1/0/24
    The section above records a successful auth with IAS1.

 

The Dell 5548 switch (firmware 4.0.1.12) has both IAS servers specified, and I’ve tried varying the priority settings in the configuration of each: both at zero, or one at zero and the other at 100, as I’m not clear what that should be set to for fault tolerance.

The basic setup is a domain with Win2003 IAS servers, with self-signed certs pushed out via GPO so that they end up in the Trusted Root Certification Authorities computer cert store. I’ve tried with IAS1’s cert on both IAS servers, or unique certs for each server, for MS-CHAP v2 PEAP, and an allow policy set for domain computers.

Clients are Win7 Pro 64-bit, configured to use computer authentication and to verify certs.

IAS failover works fine between these servers for other purposes such as VPN access

And remember, PCs will auth to both IAS servers; they just don’t switch between them when one is down.

Any ideas???

Thanks for reading

Verified Answer
  • This turned out to be that stopping the IAS service (as I was doing to test) is not enough to cause a failover; the server must actually be non-pingable or truly down. When I shut it down completely, it failed over.

    This means that if the IAS service stops or is stopped inadvertently, there is no failover and no access. To protect against this we set up our monitoring software to check that the IAS service is running on the two IAS servers.

    I don’t know that it played a role, but the settings I used were:

    Default Retries (1-10):                      4
    Default Timeout for Reply (1-30) (Sec):      1
    Default Dead Time (0-2000) (Min):            10 (to allow reboots for updates etc.)
    Default Key String (0-128 Characters):
    Source IPv4 Address:
    Source IPv6 Address (X:X:X:X::X):

All Replies
  • Have you tried implementing any of these features?

    Number of Retries (1-10) — Enter the number of requests sent to the RADIUS server before a failure occurs.

    radius-server timeout
    Use the radius-server timeout Global Configuration mode command to set the time interval during which the device waits for a server host to reply. Use the no form of this command to restore the default configuration.

    Timeout for Reply (1-30) — The amount of the time in seconds that the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server.

    radius-server deadtime
    Use the radius-server deadtime Global Configuration mode command to configure the time interval during which unavailable RADIUS servers are skipped over by transaction requests. This improves RADIUS response time when servers are unavailable. Use the no form of this command to restore the default configuration.

    Dead Time (0-2000) — The amount of time (in minutes) that a RADIUS server is bypassed for service requests.

    They are discussed with CLI examples starting on page 252 of the CLI User Guide.

    55xx CLI User Guide:
    http://support.dell.com/support/edocs/network/pc5524/en/CLI/PDF/en_cli.pdf

    Hope this helps,

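The verified answer above relies on monitoring that the IAS service actually answers, and the reply above describes the retries/timeout loop the switch runs before it gives up on a server. As an added example that is not from this thread or from Dell, the following Python probe sends a real RADIUS Access-Request with the same retries/timeout semantics and distinguishes three outcomes: the service answers (Accept, Reject or Challenge all count), the host is up but the RADIUS port is closed (the "service stopped" case the switch does not fail over on), or the host is silent. The shared secret, NAS-Identifier and user name are constructed placeholders, not values from the thread.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 1, 32, 80


def build_access_request(secret: bytes, ident: int, user: bytes, req_auth: bytes) -> bytes:
    """Access-Request carrying User-Name, NAS-Identifier and an RFC 3579 Message-Authenticator."""
    nas_id = b"ias-probe"  # constructed NAS-Identifier for the monitoring host
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    attrs += bytes([ATTR_NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder, filled below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 keyed with the shared secret over the whole packet, Message-Authenticator zeroed
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the RADIUS server sends back (RFC 2865 Response Authenticator); lets the checker run offline."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def response_is_valid(resp: bytes, secret: bytes, ident: int, req_auth: bytes) -> bool:
    """Accept, Reject or Challenge all prove the service answers; verify the Response Authenticator."""
    if len(resp) < 20 or resp[1] != ident or resp[0] not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def probe(host: str, port: int, secret: bytes, retries: int = 4, timeout: float = 1.0) -> str:
    """Mirror the switch's retries/timeout loop; return 'up', 'service_down' or 'unreachable'."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(secret, ident, b"radius-probe", req_auth)  # constructed probe user
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected socket so ICMP port-unreachable surfaces as an error
        for _ in range(retries):
            try:
                sock.send(pkt)
                if response_is_valid(sock.recv(4096), secret, ident, req_auth):
                    return "up"
            except (ConnectionRefusedError, ConnectionResetError):
                return "service_down"  # host reachable, nothing listening: the case the switch ignores
            except socket.timeout:
                continue  # silence: retry, as the switch does before declaring the server dead
    return "unreachable"
```

Alert on "service_down" as well as "unreachable": the thread shows the switch only fails over for the latter, so a stopped service on the preferred server means no failover and no port access.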

  • Thanks for your input, Willy M.

    I had read the help links associated with those settings, but with so many variables it seems very hit and miss to test with. I'm only piloting 3 ports with .1x, but it is my production network at this time, after working out the other settings in a lab environment. I’ll forge ahead, but if anyone has some suggested starting-point settings for two RADIUS servers on a fast LAN connection I’d love to know what worked, either in a round-robin fashion or just fault tolerant. I’ll update any progress I make. Thanks


  • Thank you very much for sharing with the community what resolved this issue, I am sure someone in the future will find this very helpful. We are glad to hear you got things working.

    Cheers!
