  • 1.  RADIUS AAA Auth Server - Out-of-Service

    Posted Apr 15, 2019 09:07 AM

    This is purely an academic question to better understand how to configure and monitor failed radius servers. 

     

    I would like to get a better understanding of the configuration options to mark a RADIUS server out-of-service. I have an AAA Server Group configured with two RADIUS servers. One real, one fake. The group is configured for Load-Balancing. When performing authentications, the controller does not seem to mark the fake server out-of-service and continues to load balance authentications to it. I see messages in the controller log stating "Authentication Server Out Of Service while serving request" after it attempts to send an authentication and it times out. It however will continue to attempt to send authentications to the fake server. The authentication does eventually get balanced to the real server. 

     

    I never see the server marked out-of-service when using the "show aaa server-group" commands. 

     

    The Authentication Server Dead-Time is set to 10 minutes but it doesn't ever seem to enter the state where the timer starts. 

     

    I would expect that if the server is not responding, it should be marked out of service and no authentications should be sent until it is... 1. Reachable again. 2. Manually brought back into service. 3. Authentication Server Dead-time expires. 

     

    What am I missing?

     

    This is an AOS 8.4 Cluster. 

     

    Thanks! 



  • 2.  RE: RADIUS AAA Auth Server - Out-of-Service

    Posted Apr 15, 2019 09:32 AM

    I don't know of your exact setup, but even if a server is marked out of service, it is tested periodically in an attempt to put it back in service.  When those attempts fail, it should always use the server that is in service to authenticate after that.

     

     



  • 3.  RE: RADIUS AAA Auth Server - Out-of-Service

    Posted Apr 15, 2019 09:34 AM

    What command do you use to verify a server is marked out of service?

     

    show aaa server-group

     

    That does not show me the server ever being taken out of service yet it is indeed down. 



  • 4.  RE: RADIUS AAA Auth Server - Out-of-Service
    Best Answer

    Posted Apr 15, 2019 10:53 AM

    I am not sure that a server is marked out of service when load balancing is configured.  

     

    If you enable notification logging on authmgr, you should see the out of service messages.

     

    First configure logging on the MM at the proper context:

     

    config t
    logging security process authmgr level informational
    wr mem

     

    Then after a few seconds, go to the MD and confirm that logging has been enabled for authmgr:

     

    (aruba7640) # show logging level verbose 
    
    LOGGING LEVELS
    --------------
    Facility  Level          Sub Category  Process
    --------  -----          ------------  -------
    arm       warnings       N/A           N/A
    network   warnings       N/A           N/A
    security  warnings       N/A           N/A
    security  informational  N/A           authmgr
    security  warnings       ids           N/A
    security  warnings       ids-ap        N/A
    system    warnings       N/A           N/A
    user      warnings       N/A           N/A
    wireless  warnings       N/A           N/A

    Then on the MD, do an "aaa user delete" to remove all users to trigger authentication.

     

     

    Next, look for "Taking and Bringing" messages in Authmgr to see your server being brought in and out of service:

    (aruba7005) #show log security all | include Taking,Bringing
    Apr 15 09:30:29 authmgr[20731]: <124015> <20731> <NOTI> |authmgr| Bringing Server ClearPass-DUD back in service.
    Apr 15 09:31:27 authmgr[20731]: <124014> <20731> <NOTI> |authmgr| Taking Server ClearPass-DUD out of service for 10 mins
    Apr 15 09:52:09 authmgr[20731]: <124015> <20731> <NOTI> |authmgr| Bringing Server ClearPass-DUD back in service.
    Apr 15 09:53:01 authmgr[20731]: <124014> <20731> <NOTI> |authmgr| Taking Server ClearPass-DUD out of service for 10 mins

    You can also do a "show aaa load-balance statistics server-group <server group>" to see the requests in each server group to see what is being used.
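To turn the "include Taking,Bringing" grep above into something a monitoring job can run, here is an added Python example (not from this thread and not Aruba code) that parses the two authmgr messages quoted in the answer, <124014> "Taking Server ... out of service" and <124015> "Bringing Server ... back in service", and reports per-server outage count, observed downtime and whether a server is still out. It assumes the syslog line layout shown above and, since the lines carry no year, that they were logged in 2019.

```python
import re
from datetime import datetime

# Constructed sample: the four authmgr lines quoted in the answer above.
SAMPLE_LOG = """\
Apr 15 09:30:29 authmgr[20731]: <124015> <20731> <NOTI> |authmgr| Bringing Server ClearPass-DUD back in service.
Apr 15 09:31:27 authmgr[20731]: <124014> <20731> <NOTI> |authmgr| Taking Server ClearPass-DUD out of service for 10 mins
Apr 15 09:52:09 authmgr[20731]: <124015> <20731> <NOTI> |authmgr| Bringing Server ClearPass-DUD back in service.
Apr 15 09:53:01 authmgr[20731]: <124014> <20731> <NOTI> |authmgr| Taking Server ClearPass-DUD out of service for 10 mins
"""

# Message 124014 = server taken out of service, 124015 = brought back (as seen in the log above).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) authmgr\[\d+\]: <(?P<msgid>12401[45])> .*?\|authmgr\| "
    r"(?:Taking Server (?P<down>\S+) out of service for (?P<mins>\d+) mins"
    r"|Bringing Server (?P<up>\S+) back in service\.)$")

def parse_events(text, year=2019):
    """Return [(timestamp, server, 'out'|'in', dead_mins_or_None)] for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # assumed year
            if m['down']:
                events.append((ts, m['down'], 'out', int(m['mins'])))
            else:
                events.append((ts, m['up'], 'in', None))
    return events

def outage_intervals(events):
    """Per server: [(out_at, back_at_or_None, configured_dead_mins)], in time order."""
    open_at, intervals = {}, {}
    for ts, server, state, mins in sorted(events, key=lambda e: e[0]):
        if state == 'out':
            open_at.setdefault(server, (ts, mins))   # keep the first 'out' if repeated
        elif server in open_at:                        # 'in' with no prior 'out' is ignored
            start, dead = open_at.pop(server)
            intervals.setdefault(server, []).append((start, ts, dead))
    for server, (start, dead) in open_at.items():     # still out at the end of the log
        intervals.setdefault(server, []).append((start, None, dead))
    return intervals

def summarize(events):
    report = {}
    for server, ivs in outage_intervals(events).items():   # per-server outage statistics
        down = sum((e - s).total_seconds() for s, e, _ in ivs if e is not None)
        report[server] = {'outages': len(ivs), 'observed_down_seconds': int(down),
                          'currently_out': ivs[-1][1] is None}
    return report
```

On the sample lines the server came back 20 min 42 s after being taken out "for 10 mins", so comparing observed_down_seconds with the configured dead-time is a quick way to see how the timer actually behaves on your cluster.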