802.1x switch configuration for wired authentication:

aaa new-model
!
aaa authentication login default group radius enable local
aaa authentication dot1x default group radius
aaa authorization exec default group radius
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
!
dot1x system-auth-control
!
radius-server host 10.10.0.17 auth-port 1812 acct-port 1813 key <PASSWORD>
radius-server host 10.20.0.29 auth-port 1812 acct-port 1813 key <PASSWORD>
radius-server vsa send accounting
radius-server vsa send authentication

And the port configuration:

interface GigabitEthernetXXX
 switchport mode access
 switchport nonegotiate
 authentication port-control auto
 dot1x pae authenticator

Every time a client connects to the switch port it must authenticate before it can send traffic through that port. Authentication goes through the first configured server, 10.10.0.17, and only if this server fails does the switch fall back to the second one.
The NAS (switch) IP is 10.30.0.128.
Now we encountered a problem where the switchover to the second server took too much time and some of the clients were not able to authenticate in a reasonable time.
The solution is to change the timeout and retries:
radius-server retransmit 2
radius-server timeout 2

This tells the switch to make 2 retries with a 2-second timeout each to the primary server and then switch to the secondary.
Here is the output:
001242: Jun 1 13:59:34.570: %AUTHMGR-5-START: Starting 'dot1x' for client (00b5.6d01.89b9) on Interface Gi0/33 AuditSessionID 0A1402C60000001500E52C27
001243: Jun 1 13:59:34.587: RADIUS/ENCODE(00000018):Orig. component type = DOT1X
001244: Jun 1 13:59:34.587: RADIUS(00000018): Config NAS IP: 10.30.0.128
001245: Jun 1 13:59:34.587: RADIUS(00000018): Started 2 sec timeout
001246: Jun 1 13:59:36.566: RADIUS(00000018): Request timed out
001247: Jun 1 13:59:36.566: RADIUS: Retransmit to (10.10.0.17:1812,1813) for id 1645/74
001248: Jun 1 13:59:36.566: RADIUS(00000018): Started 2 sec timeout
001249: Jun 1 13:59:38.596: RADIUS(00000018): Request timed out
001250: Jun 1 13:59:38.596: RADIUS: Retransmit to (10.10.0.17:1812,1813) for id 1645/74
001253: Jun 1 13:59:40.694: RADIUS: Fail-over to (10.20.0.29:1812,1813) for id 1645/74
001254: Jun 1 13:59:40.694: RADIUS: authenticator 2A 97 84 16 90 7C C0 5B - 47 FD BA E2 90 43 14 8B
001255: Jun 1 13:59:40.694: RADIUS: User-Name [1] 15 "host/XXX"
001256: Jun 1 13:59:40.694: RADIUS: Service-Type [6] 6 Framed [2]
001257: Jun 1 13:59:40.694: RADIUS: Framed-MTU [12] 6 1500
001258: Jun 1 13:59:40.694: RADIUS: Called-Station-Id [30] 19 "00-1E-F6-11-B4-21"
001259: Jun 1 13:59:40.694: RADIUS: Calling-Station-Id [31] 19 "00-B5-6D-01-89-B9"
001260: Jun 1 13:59:40.694: RADIUS: EAP-Message [79] 20
001261: Jun 1 13:59:40.694: RADIUS: 02 01 00 12 01 68 6F 73 74 2F 55 2D 53 79 73 74 65 6D [ host/U-System]
001262: Jun 1 13:59:40.694: RADIUS: Message-Authenticato[80] 18
001263: Jun 1 13:59:40.694: RADIUS: 59 E7 07 04 B1 7F 01 4C 18 F1 0D B5 9F D4 D0 9E [ YL]

We can see that after two retries the switch fails over to the secondary server with a total time of 4 seconds instead of 15 seconds (default settings: 3 retries with a 5-second timeout).
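As an added example (not part of the original post), a small Python parser for the RADIUS debug lines above that counts the timeouts and retransmits and measures the elapsed time from the first request to the fail-over; the embedded lines are copied from the output above with the sequence numbers and interleaved prompt dropped. Since the original request and each retransmit each wait a full timeout before the next step, the worst case before fail-over is (retransmit + 1) x timeout, which is what the timestamps show for retransmit 2 / timeout 2.

```python
import re
from datetime import datetime

# Debug lines taken from the "debug radius" output above (IOS sequence numbers and
# the interleaved console prompt removed); any IOS debug radius capture parses the same way.
DEBUG_LOG = """\
Jun 1 13:59:34.587: RADIUS(00000018): Started 2 sec timeout
Jun 1 13:59:36.566: RADIUS(00000018): Request timed out
Jun 1 13:59:36.566: RADIUS: Retransmit to (10.10.0.17:1812,1813) for id 1645/74
Jun 1 13:59:36.566: RADIUS(00000018): Started 2 sec timeout
Jun 1 13:59:38.596: RADIUS(00000018): Request timed out
Jun 1 13:59:38.596: RADIUS: Retransmit to (10.10.0.17:1812,1813) for id 1645/74
Jun 1 13:59:40.694: RADIUS: Fail-over to (10.20.0.29:1812,1813) for id 1645/74
"""

# "Mon D HH:MM:SS.mmm: message" - the IOS timestamp carries no year.
TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")

def parse(log, year=2000):
    """Yield (timestamp, message) for each debug line; the year is assumed since the log lacks it."""
    for line in log.splitlines():
        m = TS.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m.group(2)

def failover_stats(log):
    """Summarise one RADIUS request: timeouts, retransmits, target of the fail-over and seconds elapsed."""
    first_send = None
    stats = {"timeouts": 0, "retransmits": 0, "failover_to": None, "failover_secs": None}
    for ts, msg in parse(log):
        if "Started" in msg and "timeout" in msg and first_send is None:
            first_send = ts                      # first attempt against the primary server
        elif msg.endswith("Request timed out"):
            stats["timeouts"] += 1
        elif "Retransmit to" in msg:
            stats["retransmits"] += 1
        elif "Fail-over to" in msg:
            stats["failover_to"] = msg.split("(")[1].split(":")[0]
            stats["failover_secs"] = round((ts - first_send).total_seconds(), 3)
    return stats

def expected_failover_secs(retransmit, timeout):
    """Worst case before fail-over: the original request plus each retransmit waits one full timeout."""
    return (retransmit + 1) * timeout

if __name__ == "__main__":
    print(failover_stats(DEBUG_LOG), "expected:", expected_failover_secs(2, 2))
```

Run it against a live capture to confirm that the configured retransmit/timeout values match the fail-over delay the clients actually experience.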