We have a publisher and subscriber setup where the publisher is in the DC and the subscriber is in a branch office. They are connected over MPLS. The subscriber is a primary RADIUS server for all Cisco switches. The publisher IP address is also configured as a backup RADIUS server. However, we have seen some switches send RADIUS requests to the backup RADIUS server (publisher) even when the subscriber is up and running, which causes MPLS link utilization. Please help; here is the switch configuration.

ip device tracking
aaa new-model
aaa authorization network default local group radius
radius-server vsa send authentication
radius-server host <CPPM IP> auth-port 1812 acct-port 1813 key <secret key>
radius-server host <CPPM IP> key 7 <secret key>
radius-server host <CPPM IP> key 7 <secret key>
radius-server retry method reorder
radius-server retransmit 3
radius-server timeout 15
radius-server deadtime 15
aaa authentication dot1x default group radius local
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
aaa server radius dynamic-author
 client <CPPM IP> server-key <secret key>
 port 3799
 auth-type all
!
ip access-list extended CPG
 deny tcp any host <CPPM IP>
 permit tcp any any
!
interface GigabitEthernet1/0/12
 switchport access vlan <VLAN>
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 2
 dot1x max-req 2
 dot1x timeout supp-timeout 20
 spanning-tree portfast
!