RADIUS servers and Meraki

RaphaelL
Kind of a big deal

Hi,

I have a simple question.

Let's say you have .1X enabled on your switch with 2 RADIUS servers (RAD 1 and RAD 2).

RAD 1 goes down. How will the switch notice that RAD 1 is down?

From what I have heard, the "keep-alive" timer is from 0-24 hours.

Since there is no reauth timer on the MS series, how will the stack notice that RAD 1 is down and forward the requests to RAD 2?

Thanks

7 Replies
NolanHerring
Kind of a big deal

Here is the process for the radius requests:

https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Issue_Resolution_Guide

This is specifically saying for MR, but I have a feeling it also applies for MS:

https://documentation.meraki.com/MR/MR_Splash_Page/RADIUS_Failover_and_Retry_Details

Nolan Herring | nolanwifi.com

Ahhhh! I was searching for MS! This might indeed be the same thing. I will read that! Thanks!
RaphaelL
Kind of a big deal

This is also enabled:

Radius testing

If enabled, Meraki devices will periodically send Access-Request messages to these RADIUS servers using identity 'meraki_8021x_test' to ensure that the RADIUS servers are reachable.

How often are those packets sent?

RaphaelL
Kind of a big deal

Found the "answer":

With RADIUS testing enabled, all RADIUS servers will be tested by every node at least once per 24 hours regardless of test result. If a RADIUS test fails for a given node it will be tested again every hour until a passing result occurs. A subsequent pass will mark the server reachable and clear the alert, returning to the 24 hour testing cycle.

24 hours, pretty long time to find that a RADIUS server is down.

Well that depends, are you relying on the auto radius testing to be a monitoring tool for your radius server? Then I would agree 😃
Nolan Herring | nolanwifi.com

Let's say we have a failover test with our RADIUS during the night and I'm not on-site (to provoke a reauth or a new RADIUS auth).

I want my switches to realise quickly that RAD 1 is down, but I'm not sure how. I was relying on the auto RADIUS testing, but the timeout is too long (24 hours).

What would you guys suggest? Change the order of the RADIUS servers? Use the "test" button (which I had a hard time with in the past)?

Thanks

PhilipDAth
Kind of a big deal

My understanding is the MS will try the first RADIUS server. If there is no response it will retry after 2s. I believe it tries three times. If no response after that it marks that RADIUS server as dead for a while, and then moves onto the next RADIUS server.

I'm not 100% on this.

This document for splash pages has a similar description.

https://documentation.meraki.com/MR/MR_Splash_Page/RADIUS_Failover_and_Retry_Details#Retry_Attempts
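For anyone who wants to learn about a dead RADIUS server sooner than the 24-hour test cycle discussed in this thread, here is an added example (not from any poster and not Meraki code) of an external probe that sends a real Access-Request and only counts replies whose Response Authenticator verifies against the shared secret. Assumptions: the monitoring host is registered as a RADIUS client on each server, the user name and NAS-Identifier are made-up values, and the 3 tries with a 2 s timeout are defaults chosen to mirror the unconfirmed behaviour described in the post above.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, user, password, secret):
    """Return (packet, request_authenticator) for an Access-Request (code 1)."""
    auth = os.urandom(16)
    attrs = b""
    # 1 = User-Name, 2 = User-Password, 32 = NAS-Identifier (value is made up)
    for typ, val in ((1, user), (2, hide_password(password, secret, auth)),
                     (32, b"radius-probe")):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs, auth

def valid_reply(reply, ident, req_auth, secret):
    """Check the Response Authenticator so a spoofed reply does not count."""
    if len(reply) < 20:
        return False
    _code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return False
    want = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

def probe(server, secret, user=b"probe_user", password=b"x", tries=3, timeout=2.0):
    """True if the server sends any authentic reply; a Reject still proves it is up."""
    ident = os.urandom(1)[0]
    pkt, auth = build_access_request(ident, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(tries):  # retransmit the identical packet, as RADIUS clients do
            s.sendto(pkt, server)
            try:
                reply, _ = s.recvfrom(4096)
            except (socket.timeout, ConnectionError):
                continue
            if valid_reply(reply, ident, auth, secret):
                return True
    return False

def first_reachable(servers, secret, **kw):
    """Walk the ordered (host, port) list the way a failover client would."""
    return next((s for s in servers if probe(s, secret, **kw)), None)
```

Run `probe()` from a scheduler against each `(host, 1812)` pair and alert on `False`. A server configured to require the Message-Authenticator attribute will discard this request and read as unreachable until that attribute is added.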
