04-01-2019 08:27 AM
We have a ClearPass server per location, and for failover we use the provisioning cluster.
So the config on the switch is:
(126.96.36.199 for ClearPass on site and 188.8.131.52 for the ClearPass cluster)
radius-server host 184.108.40.206 key "here-is-my-key"
radius-server host 220.127.116.11 dyn-authorization
radius-server host 18.104.22.168 time-window 0
radius-server host 22.214.171.124 key "here-is-my-key"
radius-server host 126.96.36.199 dyn-authorization
radius-server host 188.8.131.52 time-window 0
aaa accounting update periodic 3
aaa accounting network start-stop radius
aaa authentication port-access eap-radius
aaa port-access authenticator
aaa port-access mac-based a1 addr-limit 2
aaa port-access authenticator a1 client-limit 2
aaa port-access authenticator a1
aaa port-access mac-based a1
So I have a PC on a1 and it works perfectly with ClearPass.
But if I simulate a failover of 184.108.40.206, only MAC authentication works.
For 802.1X, the error message is: did not complete eap transaction
I have tested a lot and found out the following:
If I delete 220.127.116.11 and only 18.104.22.168 is in the list, ClearPass also works (so it is not the access to 22.214.171.124).
If I then re-enter 126.96.36.199 as the first RADIUS server and do a failover, it works too!
So to summarize: if I simulate a failover for the 188.8.131.52 server and have never made a connection to 184.108.40.206 before, it does not work!
After the weekend I tested a failover again on the same switch, and the error was there again. What the switch remembers seems to be lost after a time... RADIUS certificate?
What goes wrong when switching the server on the switch?
Has anyone else had this error?