New Contributor
Posts: 5
Registered: ‎09-22-2014

Clearpass and Cisco switch integration

We have a publisher and subscriber setup where the publisher is in the DC and the subscriber is in a branch office. They are connected over MPLS. The subscriber is the primary RADIUS server for all Cisco switches. The publisher IP address is also configured as a backup RADIUS server. However, we have seen some switches send RADIUS requests to the backup RADIUS server (publisher) even when the subscriber is up and running, which causes MPLS link utilization. Please help; here is the switch configuration.

ip device tracking
aaa new-model
aaa authorization network default local group radius
radius-server vsa send authentication
radius-server host <CPPM IP> auth-port 1812 acct-port 1813 key <secret key>
radius-server host <CPPM IP> key 7 <secret key>
radius-server host <CPPM IP> key 7 <secret key>
radius-server retry method reorder
radius-server retransmit 3
radius-server timeout 15
radius-server deadtime 15
aaa authentication dot1x default group radius local
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
aaa server radius dynamic-author
 client <CPPM IP> server-key <secret key>
 port 3799
 auth-type all
!
ip access-list extended CPG
deny tcp any host <CPPM IP>
permit tcp any any
!
interface GigabitEthernet1/0/12
 switchport access vlan <VLAN>
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 2
 dot1x max-req 2
 dot1x timeout supp-timeout 20
 spanning-tree portfast
!

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Clearpass and Cisco switch integration

You first need to find out why the Cisco switch chooses to send information to the publisher.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 5
Registered: ‎09-22-2014

Re: Clearpass and Cisco switch integration

Hi Joseph,

Thanks for the reply..

I suspect that the switch declares the primary server as dead and so directs requests to the backup servers. Is there any way to check why it declares the primary server as dead?

Are the above configured timeout intervals OK?

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Clearpass and Cisco switch integration

Honestly, it depends on your network.  To me that looks reliable enough, but the question is, what is the bandwidth on your circuit?  You would have to look at debugging on the Cisco Switch to determine why it is making that decision.



Colin Joseph
Aruba Customer Engineering
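To put numbers on the timer question raised above, here is an added Python example (not from the thread or from Aruba/Cisco) that reads the global RADIUS timers out of the posted switch config and works out how long a request waits before the switch gives up on the subscriber, and how long the subscriber is then skipped while every request crosses the MPLS link to the publisher. The config excerpt is constructed from the lines posted above; the "traffic sticks to the backup" behaviour of `radius-server retry method reorder` is taken from Cisco's description of the RADIUS Server Reorder on Failure feature and is an assumption about this switch's software.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: only the global RADIUS timer lines from the posted config.
SWITCH_CONFIG = """
radius-server retry method reorder
radius-server retransmit 3
radius-server timeout 15
radius-server deadtime 15
"""

@dataclass
class RadiusTimers:
    timeout_s: int = 5      # IOS default when no 'radius-server timeout' line
    retransmit: int = 3     # IOS default when no 'radius-server retransmit' line
    deadtime_min: int = 0   # IOS default: servers are never marked dead
    reorder: bool = False   # True if 'radius-server retry method reorder' is set

def parse_timers(config: str) -> RadiusTimers:
    """Extract the global RADIUS timers from running-config text."""
    t = RadiusTimers()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"radius-server timeout (\d+)", line):
            t.timeout_s = int(m.group(1))
        elif m := re.fullmatch(r"radius-server retransmit (\d+)", line):
            t.retransmit = int(m.group(1))
        elif m := re.fullmatch(r"radius-server deadtime (\d+)", line):
            t.deadtime_min = int(m.group(1))
        elif line == "radius-server retry method reorder":
            t.reorder = True
    return t

def seconds_until_failover(t: RadiusTimers) -> int:
    """Worst-case wait before one request gives up on a server: the initial
    transmission plus 'retransmit' retries, each waiting 'timeout' seconds."""
    return t.timeout_s * (t.retransmit + 1)

def seconds_marked_dead(t: RadiusTimers) -> int:
    """How long a server that has been marked dead is skipped for. 'deadtime'
    is configured in minutes; every request in that window goes to the backup."""
    return t.deadtime_min * 60

def traffic_sticks_to_backup(t: RadiusTimers) -> bool:
    """Assumption from Cisco's Reorder-on-Failure description: with 'retry method
    reorder', subsequent requests keep going to the server that last answered
    until it fails too, rather than returning to the primary after deadtime."""
    return t.reorder
```

With the posted values a single unanswered transaction takes 60 seconds to fail over, and the subscriber is then skipped for 900 seconds, so one lost exchange over the MPLS link is enough to push 15 minutes of authentications to the publisher.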

