The timeout is set to 30 seconds and the Radius server is a Bradford Networks, Network Sentry. We will be getting rid of it in the near future and heading to Clearpass. But not soon enough.
show aaa authentication-server radius 192.168.86.11
RADIUS Server "192.168.86.11"
-----------------------------
Parameter Value
--------- -----
Host 192.168.86.11
Key ********
Auth Port 1812
Acct Port 1813
Retransmits 3
Timeout 30 sec
NAS ID N/A
NAS IP 192.168.86.8
Enable IPv6 Disabled
NAS IPv6 N/A
Source Interface N/A
Use MD5 Disabled
Use IP address for calling station ID Disabled
Mode Enabled
Lowercase MAC addresses Disabled
MAC address delimiter none
Service-type of FRAMED-USER Disabled
The command:
show aaa state configuration
shows a huge amount of timeouts(!). Will clearing the Radius statistics also clear out the Radius Server Timeouts?
Authentication State
--------------------
Name Value
---- -----
Switch IP 192.168.86.10
Switch IPv6
Master IP 192.168.86.7
Switch Role local
Current/Max/Total IPv4 Users 1537/2937/456186
Current/Max/Total IPv6 Users 0/0/0
Current/Max/Total User Entries 1442/2438/719712
Current/Max/Total Stations 1319/2316/719712
Pending Station Deletes 123
Captive Portal Users 57
802.1x Users 0
VPN Users 0
MAC Users 1398
Stateful 802.1x Users 0
Tunneled users 0
Configured user roles 30
Configured session ACL 61
Configured destinations 34
Configured services 101
Configured Auth servers 5
Auth server in service 5
Radius server timeouts 49152
Successful authentications
--------------------------
Web MAC VPN 802.1x Krb RadAcct SecureID Stateful-802.1x Management
--- --- --- ------ --- ------- -------- --------------- ----------
0 650703 0 0 0 0 0 0 0
Failed authentications
----------------------
Web MAC VPN 802.1x Krb RadAcct SecureID Stateful-802.1x Management
--- --- --- ------ --- ------- -------- --------------- ----------
0 0 0 0 0 0 0 0 0
Idled users = 379429
fast age = Disabled
per-user log = Enabled
Bandwith contracts = 2/152
IP takeovers = 0
Ping/SYN/Sess/CP attacks = 0/0/0/0
We are seeing this type of message (syslog) repeated over and over again:
Apr 22 14:19:01 2014 aruba-master authmgr[2004]: <121004> <WARN> <aruba-master 192.168.86.8> |aaa| RADIUS server 192.168.86.11--192.168.86.11-1812 timeout for client=e4:ce:8f:4e:4f:62 auth method MAC
Apr 22 14:19:01 2014 aruba-master authmgr[2004]: <121004> <WARN> <aruba-master 192.168.86.8> |aaa| RADIUS server 192.168.86.11--192.168.86.11-1812 timeout for client=64:b9:e8:f2:f3:99 auth method MAC
Apr 22 14:19:01 2014 aruba-master authmgr[2004]: <121004> <WARN> <aruba-master 192.168.86.8> |aaa| RADIUS server 192.168.86.11--192.168.86.11-1812 timeout for client=34:51:c9:03:d1:5d auth method MAC
etc... etc...
And the logging on the Bradford is a bit of a pain and not easy to cut and paste...
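Added example, not part of the original post: a short Python script that tallies the authmgr <121004> timeout warnings shown above per RADIUS server, per client MAC and per minute, so it is easy to see whether the timeouts are spread across all clients or concentrated on a few. The sample lines are constructed in the same format as the syslog excerpt (the MAC addresses and the unrelated last line are made up), and the function and field names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format of the syslog excerpt; MACs are made up.
PFX = "aruba-master authmgr[2004]: <121004> <WARN> <aruba-master 192.168.86.8> |aaa| RADIUS server 192.168.86.11--192.168.86.11-1812 timeout for client="
SAMPLE = "\n".join([
    "Apr 22 14:19:01 2014 " + PFX + "00:00:5e:00:53:01 auth method MAC",
    "Apr 22 14:19:01 2014 " + PFX + "00:00:5e:00:53:02 auth method MAC",
    "Apr 22 14:19:31 2014 " + PFX + "00:00:5E:00:53:01 auth method MAC",
    "Apr 22 14:20:05 2014 " + PFX + "00:00:5e:00:53:03 auth method MAC",
    "Apr 22 14:20:06 2014 aruba-master authmgr[2004]: <000000> <INFO> constructed unrelated line",
])

# Matches only the RADIUS timeout warning (message id 121004).
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ authmgr\[\d+\]: <121004> <WARN> "
    r"<\S+ [\d.]+> \|aaa\| +RADIUS server \S+?--(?P<ip>[\d.]+)-(?P<port>\d+) "
    r"timeout for client=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) auth method (?P<method>\S+)",
    re.IGNORECASE,
)

def summarize(text):
    """Count timeout warnings per server, per client MAC and per minute."""
    per_server, per_client, per_minute = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a RADIUS timeout line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
        per_server[(m["ip"], int(m["port"]), m["method"])] += 1
        per_client[m["mac"].lower()] += 1  # normalise case before counting
        per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
    total = sum(per_client.values())
    return {
        "total": total,
        "distinct_clients": len(per_client),
        "per_server": per_server,
        "per_client": per_client,
        "per_minute": per_minute,
    }

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("timeouts:", report["total"], "distinct clients:", report["distinct_clients"])
    for minute, n in sorted(report["per_minute"].items()):
        print(minute, n)
    for mac, n in report["per_client"].most_common(5):
        print(mac, n)
```

Many distinct clients timing out in the same minute points at the server or the path to it; a handful of MACs repeating points at those clients.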