802.1x authentication fails with secondary SC Server

Publication Date: 2016-02-03
Issue Description

Current Setup Details:

  • Agile Controller is deployed in HA mode, with two SC Servers acting as active/standby and a single SM Server for management.
  • The customer has deployed Agile Controller as the RADIUS server in their network infrastructure for authentication, accounting, and end-user access control.
  • Microsoft SQL Server 2012 is deployed on both SC Servers, using the SQL Server “AlwaysOn Availability Group” feature for database high availability.
  • An S12708 switch is deployed as the RADIUS client; it gets both LAN and WLAN users authenticated and applies access policies to them.
  • Any Office is used on end-user PCs to enforce 802.1x authentication and apply security policies.
  • When the primary SC Server is up, 802.1x authentication works fine.


The Issue:

  • Any Office shows an authentication failure when the primary SC Server of Agile Controller is down.
    Any Office shows the following error:
    "802.1x authentication failed: EAP is disabled for 802.1x authentication on the switch."
Alarm Information

Error Message

Any Office shows the following error:
"802.1x authentication failed: EAP is disabled for 802.1x authentication on the switch."

Handling Process
Troubleshooting Steps:
- Re-verified the configurations on the switch, Agile Controller, and the Any Office client; all were correct.
- Checked the services on the secondary SC Server. All services were running.
- Tested connectivity from the RADIUS client (S12708 switch) to the SC Server. No connectivity problem was found.
- Ran debugging on the core switch and found that it properly receives the authentication request from the client PC and forwards it to the secondary SC Server after 3 failed tries with the primary SC Server.
- Ran a packet capture and found that the secondary SC Server receives the authentication request and responds to it.
- Finally, the packet capture showed that the Any Office client times out before it receives the response packet from the secondary SC Server.
Root Cause

By default, the RADIUS server retransmit count is 3 and the timeout is 3 seconds:
radius-server retransmit 3 timeout 3
The core switch failed 3 times with the primary SC Server before sending the request to the secondary SC Server, which caused a delay of 9 seconds.
The Any Office default timeout is 10 seconds, so it timed out before receiving the response from the secondary SC Server and authentication failed.

Solution

Reduced the number of RADIUS client retransmission attempts with the following configuration change on the core switch:
radius-server retransmit 1 timeout 3

Suggestions
RADIUS Template Configuration before change:
radius-server template XYZ
radius-server shared-key cipher xxxxxxx
radius-server authentication X.X.X.X 1812 source ip-address Z.Z.Z.Z weight 80
radius-server authentication Y.Y.Y.Y 1812 source ip-address Z.Z.Z.Z weight 40
radius-server accounting X.X.X.X 1813 source ip-address Z.Z.Z.Z weight 80
radius-server accounting Y.Y.Y.Y 1813 source ip-address Z.Z.Z.Z weight 40

RADIUS Template Configuration after change:
radius-server template XYZ
radius-server shared-key cipher xxxxxxx
radius-server authentication X.X.X.X 1812 source ip-address Z.Z.Z.Z weight 80
radius-server authentication Y.Y.Y.Y 1812 source ip-address Z.Z.Z.Z weight 40
radius-server accounting X.X.X.X 1813 source ip-address Z.Z.Z.Z weight 80
radius-server accounting Y.Y.Y.Y 1813 source ip-address Z.Z.Z.Z weight 40
radius-server retransmit 1 timeout 3
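
The timing check behind this case can be run against a RADIUS template before a failover test. This is an added example, not Huawei's code: the addresses, the template name, the 2-second `margin`, and the rule that the larger weight is tried first are assumptions, and each unreachable server is taken to cost retransmit × timeout seconds, as in the root cause above.

```python
import re

# Defaults and the 10 s Any Office timeout are the values stated in this case.
DEFAULT_RETRANSMIT, DEFAULT_TIMEOUT, CLIENT_TIMEOUT = 3, 3, 10

AUTH_RE = re.compile(r"radius-server authentication (\S+) \d+ .*?weight (\d+)")
RETX_RE = re.compile(r"radius-server retransmit (\d+) timeout (\d+)")

def failover_schedule(template):
    """Return [(server, seconds elapsed before the switch first tries it)]."""
    retransmit, timeout = DEFAULT_RETRANSMIT, DEFAULT_TIMEOUT
    servers = []
    for line in template.splitlines():
        line = line.strip()
        if m := AUTH_RE.match(line):
            servers.append((int(m.group(2)), m.group(1)))
        elif m := RETX_RE.match(line):
            retransmit, timeout = int(m.group(1)), int(m.group(2))
    # Assumption: the server with the larger weight is tried first.
    servers.sort(key=lambda s: -s[0])
    per_server = retransmit * timeout  # time spent on one unreachable server
    return [(addr, i * per_server) for i, (_, addr) in enumerate(servers)]

def servers_at_risk(template, client_timeout=CLIENT_TIMEOUT, margin=2):
    """Servers first tried with less than `margin` seconds of client timeout
    left for the reply to arrive (margin is an assumed headroom value)."""
    return [addr for addr, delay in failover_schedule(template)
            if client_timeout - delay < margin]

# Constructed sample templates (documentation addresses, not the customer's).
BEFORE = """radius-server template EXAMPLE
radius-server authentication 192.0.2.10 1812 source ip-address 192.0.2.1 weight 80
radius-server authentication 192.0.2.20 1812 source ip-address 192.0.2.1 weight 40
"""
AFTER = BEFORE + "radius-server retransmit 1 timeout 3\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, failover_schedule(cfg), "at risk:", servers_at_risk(cfg))
```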
