PC 5548 Failover Radius IAS not working with 802.1x
Hi- I’m looking for some help or leads to help me with this.
Clients can authorize with either server IAS1 or IAS2, but if client authorizes on IAS1 and then re-authentictes (ie re-docks) while IAS1 is down, IAS2 has no connection attempt recorded and the client’s security log states
A request was made to authenticate to a wired network.
Security ID: host/1x.mydomain.com
Account Name: -
Account Domain: -
Logon ID: 0x0
Name: Intel(R) 82579LM Gigabit Network Connection
Reason Code: Explicit Eap failure received (0x50005)
Error Code: 0x40420110
Logs from switch record (with my comments) –start at bottom
2147482623 07~May~2012 16:07:17 Warning %STP-W-PORTSTATUS: gi1/0/24: STP status Forwarding
2 2147482624 07~May~2012 16:06:47 Info %LINK-I-Up: gi1/0/24
I then plug cable back in but there is no corresponding log entry on the IAS2 server so I don’t believe it is contacted
3 2147482625 07~May~2012 16:06:47 Warning %SEC-W-PORTUNAUTHORIZED: Port gi1/0/24 is unAuthorized
4 2147482626 07~May~2012 16:06:21 Warning %LINK-W-Down: gi1/0/24
I then unplug cable and disable IAS service on IAS1
5 2147482627 07~May~2012 16:04:06 Warning %STP-W-PORTSTATUS: gi1/0/24: STP status Forwarding
6 2147482628 07~May~2012 16:03:41 Info %SEC-I-PORTAUTHORIZED: Port gi1/0/24 is Authorized
7 2147482629 07~May~2012 16:03:36 Info %LINK-I-Up: gi1/0/24
Section above records successful auth with IAS1
The Dell 5548 switch (firmware 220.127.116.11 ) has both IAS servers specified and I’ve tried varying priority settings on the configuration of each- both at zero or one at zero and the other at 100 as I’m not clear what that should be set to for fault tolerance
The basic setup is Domain with Win2003 IAS servers with self signed certs pushed out via GPO so that it ends up in the trusted root certificate authorities computer cert store. I’ve tried with IAS1’s cert on both the IAS servers or unique certs for each server for the MS-CHAP V2 PEAP and allow policy set for domain computers
Clients WIN7 Pro 64 configured to use computer authentication and verify certs
IAS failover works fine between these servers for other purposes such as VPN access
And remember PC’s will auth to both IAS servers- just not switch between them when one is down
Thanks for reading
This turned out to be that stopping the IAS service (as I was doing to test) is not enough to cause a failover- the server must actually be non-pingable or truly down. When I shut it down completely it failed over.
This means that if the IAS service stops or is stopped inadvertently- no fail over and no access. To protect against this we setup our monitoring software to check the two IAS servers IAS service is running
I don’t know that it played a role but the settings I used were:
Default Retries (1-10) 4
Default Timeout for Reply (1-30) (Sec) 1
Default Dead Time (0-2000) (Min) 10 (to allow reboots for updates etc)
Default Key String (0-128 Characters)
Source IPv4 Address
Source IPv6 Address (X:X:X:X::X)
Have you tried implementing any of these features?
– Number of Retries (1-10) — Enter the number of requests sent to the
RADIUS server before a failure occurs.
Use the radius-server timeout Global Configuration mode command to set
the time interval during which the device waits for a server host to reply. Use
the no form of this command to restore the default configuration.
– Timeout for Reply (1-30) — The amount of the time in seconds that
the device waits for an answer from the RADIUS server before retrying
the query, or switching to the next server.
Use the radius-server deadtime Global Configuration mode command to
configure the time interval during which unavailable RADIUS servers are
skipped over by transaction requests. This improves RADIUS response time
when servers are unavailable. Use the no form of this command to restore the
– Dead Time (0-2000) — The amount of time (in minutes) that a
RADIUS server is bypassed for service requests.
They are discussed with CLI examples starting on page 252 of the CLI User Guide.
55xx CLI User Guide:
Hope this helps,
Get Support on Twitter @DellCaresPro
Download the Dell Quick Resource Locator app today to access PowerEdge support content on your mobile device! (iOS, Android, Windows)
Thanks for your input Willy M-
I had read the help links associated with those settings, but with so many variables it seems very hit and miss to test with.I'm only piloting 3 ports with .1x but it is my production network at this time after working out the other settings in a lab environment. I’ll forge ahead but if anyone has some starting point suggested settings for two Radius serves on a fast LAN connection I’d love to know what worked- either in a round robin fashion or just fault tolerant. I’ll update any progress I make. Thanks
Thank you very much for sharing with the community what resolved this issue, I am sure someone in the future will find this very helpful. We are glad to hear you got things working.