IVE communication with RADIUS backup authentication server

New Contributor


Guys,

 

We have configured RADIUS servers on our SA6500s as primary & secondary. This set-up works well when the IVE doesn't get a response from the primary server at all, but the problem arises when services at the primary server fail and it continues to send "reject-requests" to the IVE. This sometimes leads to an outage, as it doesn't automatically fail over to the secondary and we have to manually force the secondary as primary, defeating the whole purpose of having a back-up server in the first place.

 

Any solution on IVE box for this?

Accepted Solutions
Super Contributor

Re: IVE communication with RADIUS backup authentication server

This sounds like the IVE will not be able to do the failover for this situation.

 

Failover is checking to see if there is a response from the primary server and when there is no response to use the secondary server.

 

In this case you are saying there IS a response, the response is just always to reject the login.  There is no way for the IVE to tell if the reject is a correct or incorrect answer, that is why we are sending the request in the first place.

 

You should check the documentation on your RADIUS server.  It sounds like your server is configured to send a reject to all requests during certain failure modes.  Probably when the RADIUS cannot reach another server where it is trying the credentials.

 

You will want to change this setting to be no response instead of reject.  Then the IVE will use the next server.

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
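
The failover behaviour described in the accepted answer, as an added example that is not part of the original thread and not Juniper's implementation. It is a simplified client model: the server behaviours (`healthy`, `fail_reject`, `fail_silent`) are hypothetical callables, a return of `None` stands for a timeout, and the Response Authenticator is not verified.

```python
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def build_request(ident, username):
    """Minimal Access-Request: 20-byte header plus a User-Name attribute (type 1)."""
    name = username.encode()
    attr = struct.pack("!BB", 1, 2 + len(name)) + name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr))
    return header + os.urandom(16) + attr

def reply(request, code):
    """Constructed reply echoing the request identifier (authenticator zeroed)."""
    return struct.pack("!BBH", code, request[1], 20) + bytes(16)

# Hypothetical server behaviours used as constructed sample input.
def healthy(request):
    return reply(request, ACCESS_ACCEPT)

def fail_reject(request):
    return reply(request, ACCESS_REJECT)  # backend unreachable, rejects everything

def fail_silent(request):
    return None                           # backend unreachable, sends no datagram

def authenticate(servers, username, retries=2):
    """Try servers in order; only silence moves the client to the next server."""
    for name, server in servers:
        for attempt in range(retries):
            request = build_request(attempt, username)
            response = server(request)
            if response is None:
                continue                  # timeout: retry, then fail over
            code, ident, _length = struct.unpack("!BBH", response[:4])
            if ident != request[1]:
                continue                  # not a reply to this request
            # Any matching reply is final: a reject caused by a failure mode
            # looks exactly like a reject caused by a wrong password.
            return name, "accept" if code == ACCESS_ACCEPT else "reject"
    return None, "no server responded"

if __name__ == "__main__":
    for primary in (fail_reject, fail_silent):
        pool = [("primary", primary), ("secondary", healthy)]
        print(primary.__name__, "->", authenticate(pool, "alice"))
```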

4 REPLIES
Super Contributor

Re: IVE communication with RADIUS backup authentication server

This is working as designed.

The failover will happen when the service and port are unavailable on the primary.

Regards,

Jay

New Contributor

Re: IVE communication with RADIUS backup authentication server

Thanks, guys. We tried using an LB as a solution, but that is not recommended either. We have asked our RADIUS admins to use NAC, as they need to identify service failure and fail over as part of clustering.

Contributor

Re: IVE communication with RADIUS backup authentication server

Hi, we had exactly the same issue 2 weeks ago when our Primary auth server was in a hung state and was therefore still accepting the requests. We also found no fix on the IVE for this, and instead had to fix it from the auth server side.

Thanks

Natasha
