Hi
We have a ClearPass server per location, and for the failure case we use the provisioning cluster.
So the config on the switch is:
(1.1.1.1 for ClearPass on site and 2.2.2.2 for the ClearPass cluster)
radius-server host 1.1.1.1 key "here-is-my-key"
radius-server host 1.1.1.1 dyn-authorization
radius-server host 1.1.1.1 time-window 0
radius-server host 2.2.2.2 key "here-is-my-key"
radius-server host 2.2.2.2 dyn-authorization
radius-server host 2.2.2.2 time-window 0
aaa accounting update periodic 3
aaa accounting network start-stop radius
aaa authentication port-access eap-radius
aaa port-access authenticator
aaa port-access mac-based a1 addr-limit 2
aaa port-access authenticator a1 client-limit 2
aaa port-access authenticator a1
aaa port-access mac-based a1
So I have a PC on a1 and it works perfectly with ClearPass,
but if I simulate a failover of 1.1.1.1, only MAC authentication works.
For 802.1X the error message comes: did not complete eap transaction
I have tested a lot and found out the following:
If I delete 1.1.1.1 and only 2.2.2.2 is in the list, ClearPass also works (so it is not the access to 2.2.2.2).
If I then re-enter 1.1.1.1 as the first RADIUS server and do a failover, it works too!
So to summarize: if I simulate a failover for the 1.1.1.1 server and have never made a connection to 2.2.2.2 before, it does not work!
After the weekend I have now tested a failover again on the same switch, and the error was there again. What the switch remembers seems to be lost after a time... RADIUS certificate?
What goes wrong when switching the server on the switch?
Has anyone had this error?