Radius statistic issue / question
  • 1.  Radius statistic issue / question

    Posted Apr 22, 2014 03:30 PM

    I'm looking for an explanation or at least a pointer in the right direction to just what the radius statistics fields really mean.

     

    I issue the command:

     

    show aaa authentication-server radius statistics

     

    When looking at the results 3 fields come up that I have a question about.

     

    Tmout

    Tot Rq

    Tot Rsp

     

    I took these to mean:

     

    Tmout = Timeout

    Tot Rq = Total Requests

    Tot Rsp = Total Responses

     

    I also made the assumption (incorrectly) that:       Tot Rq - Tot Rsp = requests that don't get answered or timeouts (Tmout).

     

    But this does not appear to be the case.

     

    Here's what I'm seeing (with several fields being removed to make things fit):

     

    RADIUS Server Statistics
    ------------------------
    Server         Tmout  AvgRspTm  Tot Rq  Tot Rsp  Rd Err  Uptime  SEQ
    ------         -----  --------  ------  -------  ------  ------  ---
    192.168.86.11  54     1400      27525   27524    0       3:9:2   1785/1784

     

     

    I'm actually having an issue with timeouts to our Radius server and seeing periods where there are 100's of timeouts that don't ever seem to be reflected in the Radius Stats. So I started to monitor the Radius stats only to be confused by the vast difference in its results vs syslog logging results.

     

    Can anyone point me in the right direction?



  • 2.  RE: Radius statistic issue / question

    Posted Apr 22, 2014 03:40 PM

    I see total request is pretty much equal to total response, which indicates most of the RADIUS packets go through fine.

    Can you also post the config from show aaa authentication-server radius <radius name>? By default we have the RADIUS timeout set to 5 sec.

     

    Could you also post the show aaa state configuration from the controller?

    May we know the RADIUS server in the back end? And do we see errors or a security log from the server side?

     

    show aaa server-group summary will tell you if the server goes out of service.

    What is the max capacity of user count doing auth against the server?

     

    Thank you.



  • 3.  RE: Radius statistic issue / question

    Posted Apr 22, 2014 04:33 PM

    The timeout is set to 30 seconds and the Radius server is a Bradford Networks, Network Sentry. We will be getting rid of it in the near future and heading to ClearPass. But not soon enough.

     

    show aaa authentication-server radius 192.168.86.11

     

    RADIUS Server "192.168.86.11"
    -----------------------------
    Parameter Value
    --------- -----
    Host 192.168.86.11
    Key ********
    Auth Port 1812
    Acct Port 1813
    Retransmits 3
    Timeout 30 sec
    NAS ID N/A
    NAS IP 192.168.86.8
    Enable IPv6 Disabled
    NAS IPv6 N/A
    Source Interface N/A
    Use MD5 Disabled
    Use IP address for calling station ID Disabled
    Mode Enabled
    Lowercase MAC addresses Disabled
    MAC address delimiter none
    Service-type of FRAMED-USER Disabled

     

     

     

    The command:

     

    show aaa state configuration    

     

    shows a huge amount of timeouts(!). Will clearing the Radius statistics also clear out the Radius Server Timeouts?

     

    Authentication State
    --------------------
    Name Value
    ---- -----
    Switch IP 192.168.86.10
    Switch IPv6
    Master IP 192.168.86.7
    Switch Role local
    Current/Max/Total IPv4 Users 1537/2937/456186
    Current/Max/Total IPv6 Users 0/0/0
    Current/Max/Total User Entries 1442/2438/719712
    Current/Max/Total Stations 1319/2316/719712
    Pending Station Deletes 123
    Captive Portal Users 57
    802.1x Users 0
    VPN Users 0
    MAC Users 1398
    Stateful 802.1x Users 0
    Tunneled users 0
    Configured user roles 30
    Configured session ACL 61
    Configured destinations 34
    Configured services 101
    Configured Auth servers 5
    Auth server in service 5
    Radius server timeouts 49152

     

    Successful authentications
    --------------------------
    Web  MAC     VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
    ---  ---     ---  ------  ---  -------  --------  ---------------  ----------
    0    650703  0    0       0    0        0         0                0

    Failed authentications
    ----------------------
    Web  MAC  VPN  802.1x  Krb  RadAcct  SecureID  Stateful-802.1x  Management
    ---  ---  ---  ------  ---  -------  --------  ---------------  ----------
    0    0    0    0       0    0        0         0                0

    Idled users = 379429
    fast age = Disabled
    per-user log = Enabled
    Bandwith contracts = 2/152
    IP takeovers = 0
    Ping/SYN/Sess/CP attacks = 0/0/0/0

     

     

     

     

    We are seeing this type of message (syslog) repeated over and over again:

     

    Apr 22 14:19:01 2014 aruba-master authmgr[2004]: <121004> <WARN> <aruba-master 192.168.86.8> |aaa| RADIUS server 192.168.86.11--192.168.86.11-1812 timeout for client=e4:ce:8f:4e:4f:62 auth method MAC
    Apr 22 14:19:01 2014 aruba-master authmgr[2004]: <121004> <WARN> <aruba-master 192.168.86.8> |aaa| RADIUS server 192.168.86.11--192.168.86.11-1812 timeout for client=64:b9:e8:f2:f3:99 auth method MAC
    Apr 22 14:19:01 2014 aruba-master authmgr[2004]: <121004> <WARN> <aruba-master 192.168.86.8> |aaa| RADIUS server 192.168.86.11--192.168.86.11-1812 timeout for client=34:51:c9:03:d1:5d auth method MAC

     

    etc... etc...

     

    And the logging on the Bradford is a bit of a pain and not easy to cut and paste...
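
One way to tally the 121004 timeout messages quoted above per server and per minute, so the syslog totals can be set beside successive readings of the controller's counters. This is an added example, not part of the original posts; the sample lines after the first three are constructed, and reading the server field as `name--host-port` is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message layout taken from the syslog lines quoted in the thread. Reading the
# server field as name--host-port is an assumption made for this example.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} [\d:]{8} \d{4}) \S+ authmgr\[\d+\]: <121004> <WARN> "
    r"<[^>]*> \|aaa\| RADIUS server (?P<name>\S+?)--(?P<host>\S+)-(?P<port>\d+) "
    r"timeout for client=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"auth method (?P<method>\S+)", re.I)

def parse_timeouts(text):
    """Yield (timestamp, server host, client MAC, auth method) per timeout line."""
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line.strip())
        if m:  # anything that is not a 121004 timeout is skipped
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
            yield ts, m["host"], m["mac"].lower(), m["method"]

def timeouts_per_minute(events):
    """Map (server, minute) -> (timeout messages, distinct clients affected)."""
    buckets = defaultdict(lambda: [0, set()])
    for ts, host, mac, _method in events:
        bucket = buckets[(host, ts.replace(second=0))]
        bucket[0] += 1
        bucket[1].add(mac)
    return {key: (buckets[key][0], len(buckets[key][1])) for key in sorted(buckets)}

def bursts(per_minute, threshold):
    """Return the (server, minute) buckets with at least `threshold` timeouts."""
    return [key for key, (count, _clients) in per_minute.items() if count >= threshold]

# Sample input: the first three lines are the ones quoted in the thread, the rest
# are constructed for this example (a repeat, a later minute, a non-timeout line).
_HDR = "Apr 22 {} 2014 aruba-master authmgr[2004]: <{}> <{}> <aruba-master 192.168.86.8> |aaa| "
_TMO = "RADIUS server 192.168.86.11--192.168.86.11-1812 timeout for client={} auth method MAC"
SAMPLE_LOG = "\n".join(
    [_HDR.format(t, "121004", "WARN") + _TMO.format(mac) for t, mac in [
        ("14:19:01", "e4:ce:8f:4e:4f:62"), ("14:19:01", "64:b9:e8:f2:f3:99"),
        ("14:19:01", "34:51:c9:03:d1:5d"), ("14:19:31", "e4:ce:8f:4e:4f:62"),
        ("14:20:05", "64:b9:e8:f2:f3:99")]]
    + [_HDR.format("14:20:06", "000000", "INFO") + "constructed non-timeout line"])

if __name__ == "__main__":
    for (server, minute), (count, clients) in timeouts_per_minute(
            parse_timeouts(SAMPLE_LOG)).items():
        print(f"{server} {minute:%H:%M} timeouts={count} distinct_clients={clients}")
```

Counting distinct clients next to raw messages separates many clients timing out at once from one client producing repeated messages.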



  • 4.  RE: Radius statistic issue / question

    Posted Apr 22, 2014 04:43 PM

    Thanks much for the output. Yes, I could notice a good number of RADIUS timeouts.

    Make sure you disable all debugging on the controller, just in case it is keeping the stm/auth module busy on the controller.

     

    A PCAP on the Bradford server, or involving Bradford, would be the better way to see logs on the Bradford and check for no response or delay.

    You can also open up a TAC case if Bradford confirms no issues from the server side, to see the logs & pcap for RADIUS from the controller side.

     

    Thank you.