Radius Failover - Only limited to connectivity to server?

JDKGeetarz
New here

In the process of implementing 802.1X in my organization, I have set up several RADIUS servers as failover. We ran into an issue with the configuration of one of our RADIUS servers. The server was still on, pingable, and was passing authentication, but was sending back bad password errors. I believe that since it was still reachable, it didn't fail over, and possibly wouldn't, since it was sending back a bad password error. The documentation says it would fail over if the server were to become unreachable.

"Where the available server with higher priority will be used (priority 1 is the highest). If Server 1 were to become unreachable, Server 2 would become active, and so on."

Say one of our sysadmins breaks a cert update or rebuilds it and the configuration is wrong. Would this meet the criteria to allow at least an attempt with the second RADIUS server?

4 Replies
PhilipDAth
Kind of a big deal

The RADIUS server has not "failed" in the eyes of the client (i.e., switch or access point) if it responds that the user has entered the wrong password.  This is a 100% legit, normal result.

A RADIUS client will not randomly attempt to connect to other RADIUS servers in the hope that a different server will grant the user permission to the network.

> Say one of our sysadmins breaks a cert update or rebuilds it and the configuration is wrong

No.  It would only fail over if there was no response.

Mloraditch
Kind of a big deal

It's going to depend on how exactly the server responds when it's broken. You can read about how RADIUS testing works here:

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Alert_-_Recent_802.1X...
And some detail on MR failover:

https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS_Failover_and_Retry_Details

The server would need to not respond at all for failover to occur as I've seen and understand it.

Pavithran_Che
Here to help

I think then we configure round robin instead of strict order ... At least one of the RADIUS servers should be able to authenticate the client request. It will reduce the impact.

Brash
Kind of a big deal

As stated above, the client will attempt to reach the RADIUS server 3 times, each with a 2 second timeout.

If there is no reply to these 3 attempts (6 seconds) it will failover to the next server.

If the server replies however (as in your case), it is counted as online and therefore no failover will occur.
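The retry and failover logic described in the replies above, as an added Python model (not Meraki's code or anything from the linked documentation): servers are tried in priority order, each gets 3 attempts with a 2-second timeout, and any reply, including Access-Reject, counts as the server being online. The server names and their response functions are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional
RETRIES = 3         # attempts per server before it is declared unreachable
TIMEOUT_SEC = 2.0   # per-attempt wait quoted in the thread (3 x 2 s = 6 s)
ACCESS_ACCEPT, ACCESS_REJECT = "Access-Accept", "Access-Reject"
NO_RESPONSE = None  # the server never answered within the timeout
@dataclass
class RadiusServer:
    name: str
    # Constructed stand-in for "send Access-Request, wait for the reply".
    respond: Callable[[str, str], Optional[str]]

@dataclass
class Outcome:
    server: Optional[str]  # server that gave the verdict; None if all were silent
    result: Optional[str]  # ACCESS_ACCEPT, ACCESS_REJECT, or None
    elapsed_sec: float     # simulated time burned waiting on silent servers
    log: List[str]

def authenticate(servers: List[RadiusServer], user: str, pw: str) -> Outcome:
    """Walk servers in priority order; fail over only when one never replies."""
    elapsed, log = 0.0, []
    for srv in servers:
        for attempt in range(1, RETRIES + 1):
            reply = srv.respond(user, pw)
            if reply is NO_RESPONSE:
                elapsed += TIMEOUT_SEC
                log.append(f"{srv.name}: attempt {attempt} timed out")
                continue
            # Any answer, even a reject, means the server is "online": stop here.
            log.append(f"{srv.name}: replied {reply}")
            return Outcome(srv.name, reply, elapsed, log)
        log.append(f"{srv.name}: silent for {RETRIES} attempts, failing over")
    return Outcome(None, None, elapsed, log)

# Constructed scenario: radius1 is up but misconfigured (rejects everyone),
# radius2 is down (never answers), radius3 is healthy.
SERVERS = [
    RadiusServer("radius1", lambda u, p: ACCESS_REJECT),
    RadiusServer("radius2", lambda u, p: NO_RESPONSE),
    RadiusServer("radius3", lambda u, p: ACCESS_ACCEPT if p == "correct" else ACCESS_REJECT),
]

def misconfigured_primary() -> Outcome:
    # radius1's reject is a valid response, so the client never tries radius2/3.
    return authenticate(SERVERS, "alice", "correct")
def dead_primary() -> Outcome:
    # With radius1 removed, radius2's silence costs 6 s, then radius3 accepts.
    return authenticate(SERVERS[1:], "alice", "correct")
```

Comparing the two outcomes shows why a reachable but misconfigured primary blocks every user even though healthy servers sit behind it.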
