Hi guys,
Can anyone provide some ideas on the following issue?
I have configured a cluster of IC 4500 and followed all the steps to use MAC auth bypass. My problem is that after all the configuration I had no connectivity; it proved that the Infranet Controller is not responding to RADIUS clients.
I get the same message with connection timed out.
Here is my RADIUS configuration from the only switch configured at the moment:
ip radius source-interface Vlan144
aaa authentication dot1x default group radius
aaa authorization network default group radius local none
radius-server host 10.10.2.122 auth-port 1812 acct-port 1813
radius-server host 10.10.2.121 auth-port 1812 acct-port 1813
radius-server key <key>
My test was [on the switch]:
test aaa group radius username password legacy
Result:
Attempting authentication test to server-group radius using radius
Nov 15 17:50:20: RADIUS: Pick NAS IP for u=0x2A90F00 tableid=0 cfg_addr=0.0.0.0
Nov 15 17:50:20: RADIUS: ustruct sharecount=1
Nov 15 17:50:20: Radius: radius_port_info() success=0 radius_nas_port=1
Nov 15 17:50:20: RADIUS(00000000): Send Access-Request to 10.10.2.122:1812 id 21645/124, len 60
Nov 15 17:50:26: RADIUS: Retransmit to (10.10.2.122:1812,1813) for id 21645/124
Nov 15 17:50:32: RADIUS: Retransmit to (10.10.2.122:1812,1813) for id 21645/124
Nov 15 17:50:38: RADIUS: Retransmit to (10.10.2.122:1812,1813) for id 21645/124
Nov 15 17:50:43: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.2.122:1812,1813 is not responding.
Nov 15 17:50:43: RADIUS: Fail-over to (10.10.2.121:1812,1813) for id 21645/124
Nov 15 17:50:43: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.10.2.122:1812,1813 has returned.
Nov 15 17:50:49: RADIUS: Retransmit to (10.10.2.121:1812,1813) for id 21645/124
Meanwhile I had tcpdump in place on the IC itself, and the results are:
ethertype IPv4 (0x0800), length 86: 10.10.2.73.62729 > 10.10.2.122.1645: RADIUS, Access Request (1), id: 0x02 length: 44
and it keeps repeating.
Does anyone have an idea how to fix it?
I will appreciate any help, as right now this is stopping everything.
Thank you,
Mihai M
Later edit: I should specify that the UAC has both interfaces configured [internal and external]. Currently I am trying to connect on the external interface [as my internal one has an IP not known in the MPLS cloud of my provider].
I specify this because I have found
"The Infranet Controller does not allow outbound connections on the external interface. (44469)". Is it referring to RADIUS connections also?
Hi,
The Infranet Controller listens for RADIUS traffic only on the internal interface.
Hence RADIUS traffic needs to be sent to the internal interface.
For most deployment scenarios, it is recommended to use the internal port.
The internal port, also known as the internal interface, handles all LAN requests and listens for authentication requests. Use the internal port for connections to the Infranet Enforcer, 802.1X RADIUS clients, and authentication servers. You can also use the external port for management of the Infranet Controller admin console.
Hope this helps.
Thank you very much Paul. If I had known this before, it would have saved like 2 days.
Thanks again [for sure I will come back with later questions],
Mihai M