Radius Configuration 2930M

  • 1.  Radius Configuration 2930M

    Posted Jan 11, 2023 05:46 PM
    We are having an issue with our Radius configuration on our 2930M switches. I think I have tracked down the issue, but as I'm still teaching myself the Aruba switches, I was looking for a second/third opinion.

    Our setup: Aruba 2930M edges (WC.16.11.0006). We use Radius to set port VLAN assignment based on AD workstation group membership, and this does currently work, but only if the primary (first listed) server is active. If it is offline then nothing happens, and all configured ports default to the configured Unauth VLAN.

    Typical Port configuration:
    interface 4/34
    untagged vlan 51
    aaa port-access authenticator
    aaa port-access authenticator unauth-vid 51
    aaa port-access controlled-direction in
    spanning-tree admin-edge-port
    spanning-tree bpdu-protection
    exit

    Radius configuration on Switch:
    radius-server host 172.16.0.10 key "987654321123456789"
    radius-server host 172.16.1.10 key "987654321123456789"

    There is no other Radius configuration on the switch. If I do a "show radius" I get:

    Status and Counters - General RADIUS Information

    Dead RADIUS server are preceded by *

    Deadtime (minutes) : 0 TLS Dead Time (minutes) : 0
    Timeout (seconds) : 5 TLS Timeout (seconds) : 30
    Retransmit Attempts : 3 TLS Connection Timeout (seconds) : 30
    Global Encryption Key :
    Dynamic Authorization UDP Port : 3799
    Source IP Selection : Outgoing Interface
    Tracking : Disabled
    Request Packet Count : 3
    Track Dead Servers Only : Disabled
    Tracking Period (seconds) : 300
    ClearPass Identity :

                          Auth   Acct   DM/   Time
    Server IP Addr    Port   Port   CoA   Window | Encryption Key         OOBM
    ---------------   -----  -----  ----  ------ + ---------------------  ----
    172.16.0.10       1812   1813   No    300    | 987654321123456789     No
    172.16.1.10       1812   1813   No    300    | 987654321123456789     No

    Both of these servers (Windows 2012R2 running NPS) are members of the default server group (Radius). I'm thinking that the dead time being 0 is the issue, and because of this the primary is never considered dead when it is offline or not contactable for some other reason. As a test to confirm the secondary was working, I removed the primary (172.16.0.10); once that happened it all started to work again after a short time.

    On reading up on this I can see that the Timeout and Retransmit values are the defaults. Is this just a case where I need to add a setting for deadtime?

    Thanks, Simon


  • 2.  RE: Radius Configuration 2930M

    EMPLOYEE
    Posted Jan 20, 2023 08:46 AM

    Could it be that your second RADIUS service is not responding, or has a wrong shared secret or so?
    If you run the command "show radius authentication" from the ArubaOS Switch, you can see how many RADIUS requests have gone where and how many responses, rejects, accepts, etc. there are per server.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Radius Configuration 2930M

    Posted Jan 20, 2023 09:11 AM
    Hi Herman, I have run the suggested command and it returned the results below. I have also exported the NPS configuration and it is using the same secret as the primary Radius.

    NAS Identifier : SSSR-ST01
    Invalid Server Addresses : 0
                      UDP/TCP
    Server IP Addr    Port   Timeouts   Requests   Challenges   Accepts   Rejects
    ---------------   -----  ---------  ---------  -----------  --------  --------
    172.16.0.10       1812   773        32720      29200        3289      6
    172.16.1.10       1812   32         60         52           0         0

    So I assume that the dead time being 0 is not my issue.
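The two command outputs pasted in this thread (the "show radius" header in the opening post and the "show radius authentication" counters in the reply above) are what an admin reads when chasing this kind of failover problem. As an added example, not code from the thread or from Aruba/HPE, the Python below parses both outputs and flags the three things being looked at here: dead-time 0, server tracking disabled, and a server that receives requests and returns challenges but never an Accept or Reject. The sample text is constructed from the figures posted in the thread; the field labels and column order are assumed to match the 16.11 output shown here.

```python
"""Sanity-check ArubaOS-Switch RADIUS status output for failover problems.

Added example for this thread, not Aruba/HPE code.  The two sample outputs
below are constructed from the figures posted in the thread; the field
labels and column order are assumed to match the 16.11 output shown there.
"""
import re

# Constructed sample: failover-relevant part of the 'show radius' header (post 1).
SHOW_RADIUS_GENERAL = """\
 Status and Counters - General RADIUS Information

  Dead RADIUS server are preceded by *

  Deadtime (minutes) : 0          TLS Dead Time (minutes) : 0
  Timeout (seconds) : 5           TLS Timeout (seconds) : 30
  Retransmit Attempts : 3         TLS Connection Timeout (seconds) : 30
  Tracking : Disabled
  Track Dead Servers Only : Disabled
  Tracking Period (seconds) : 300
"""

# Constructed sample: per-server counters from 'show radius authentication' (post 3).
SHOW_RADIUS_AUTH = """\
 NAS Identifier : SSSR-ST01
 Invalid Server Addresses : 0
                   UDP/TCP
 Server IP Addr    Port   Timeouts   Requests   Challenges   Accepts   Rejects
 ---------------   -----  ---------  ---------  -----------  --------  --------
 172.16.0.10       1812   773        32720      29200        3289      6
 172.16.1.10       1812   32         60         52           0         0
"""

# Label patterns for the header fields that govern failover.  The negative
# lookbehind keeps "Timeout (seconds)" from also matching "TLS Timeout (seconds)".
GENERAL_FIELDS = {
    "deadtime": r"Deadtime \(minutes\)",
    "timeout": r"(?<!TLS )Timeout \(seconds\)",
    "retransmit": r"Retransmit Attempts",
    "tracking": r"Tracking",
}

# One counter row: a dotted-quad address followed by six integer columns.
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$",
    re.MULTILINE,
)


def parse_general(text):
    """Return {field: raw value} for the settings that govern failover."""
    found = {}
    for key, label in GENERAL_FIELDS.items():
        m = re.search(label + r"\s*:\s*(\S+)", text)
        if m:
            found[key] = m.group(1)
    return found


def parse_auth_table(text):
    """Return one dict per server row of 'show radius authentication'."""
    names = ("server", "port", "timeouts", "requests", "challenges", "accepts", "rejects")
    rows = []
    for m in ROW_RE.finditer(text):
        values = (m.group(1),) + tuple(int(v) for v in m.groups()[1:])
        rows.append(dict(zip(names, values)))
    return rows


def assess(general, rows):
    """Turn the parsed output into plain-language findings.

    A server that receives Requests and returns Challenges but never an
    Accept or Reject is starting EAP conversations that the client abandons,
    the pattern for a server certificate the supplicant does not trust.
    A server whose every request timed out is not answering at all.
    """
    findings = []
    if general.get("deadtime") == "0":
        findings.append("dead-time is 0: an unresponsive server is never skipped, so every "
                        "new authentication waits out the timeout/retransmit cycle on it first")
    if general.get("tracking", "").lower() == "disabled":
        findings.append("server tracking is disabled: the switch only discovers a dead server "
                        "while a client is already waiting on it")
    for r in rows:
        if r["requests"] and r["accepts"] + r["rejects"] == 0:
            findings.append(f"{r['server']}: {r['requests']} requests and {r['challenges']} "
                            "challenges but no Accept/Reject; EAP starts but never finishes, "
                            "check the server certificate trust on the clients")
        elif r["requests"] and r["timeouts"] >= r["requests"]:
            findings.append(f"{r['server']}: every request timed out; "
                            "check reachability and the shared secret")
    return findings


if __name__ == "__main__":
    for line in assess(parse_general(SHOW_RADIUS_GENERAL), parse_auth_table(SHOW_RADIUS_AUTH)):
        print("-", line)
```

Run against the thread's numbers it reports the secondary (172.16.1.10) as starting but never completing authentications, while the primary, with its 3289 Accepts, is left alone; paste real "show radius" and "show radius authentication" output into the two strings to check another switch.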


  • 4.  RE: Radius Configuration 2930M

    EMPLOYEE
    Posted Jan 26, 2023 06:19 AM
    It looks like none of the authentications on your secondary server complete (0 Accepts, 0 Rejects).

    If you are using EAP-PEAP, EAP-TLS or other EAP methods that require a server certificate, do you have the same RADIUS Server certificate on both NPS servers? If the certificate differs and the one on the 1.10 is not trusted (that's what it looks like), the client will abort the authentication. With EAP-TLS it could also be the client certificate trust, that is not properly configured on the secondary server.

    It can be more things, but I've had many issues properly debugging NPS. Logging is not always as clear as it could be.

    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: Radius Configuration 2930M

    Posted Jan 27, 2023 03:26 AM

    Hi Herman,

    I can confirm that the primary (0.10) and secondary (1.10) Radius servers are using EAP and both have different certificates. According to the configuration on the NPS it is Protected EAP (PEAP) and Secure Password (EAP-MSCHAP V2). Also, they are both using the same ports for authentication, 1812 and 1645. I don't think this has been changed since we had Cisco switches a while back.

    I sort of confirmed that the 1.10 Radius server was working, as at one point on one switch I removed the 0.10 server and it started working again.

    Now for the dumb question: is there a way to test both servers, or how do I change it so the switch will trust both servers?

    Thanks, Simon
  • 6.  RE: Radius Configuration 2930M

    EMPLOYEE
    Posted Jan 27, 2023 05:56 AM
    The switch is (probably) fine; this is an issue with the client, which should trust both servers. The recommendation (with ClearPass) is to install the same RADIUS Server Certificate on all of your servers, specifically to avoid this issue.

    You should have a look at the client (supplicant) configuration, more specifically the server trust settings, and at the certificate(s) installed on your RADIUS server (NPS). Switches/APs are not involved in the (certificate) trust for 802.1X; they just relay authentication data between the authenticating client (supplicant) and your authentication server.

    If you can't work with your Aruba/Microsoft partner or Aruba Support, you may check the Wireless #1 and #2 videos from the ClearPass Series to see how you would do the same with ClearPass. Certificate management would be very similar if you do the same with NPS.

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: Radius Configuration 2930M

    Posted Feb 21, 2023 05:50 PM

    Good morning @Nomis8849 

    I am not sure if you have already resolved this issue, I just wanted to provide some information that might be helpful for your case.

    I have also been running several tests lately with Aruba Switches with Radius Server (NPS) authentication, and I do remember at some point I found an issue similar to the one you are describing.

    Per the provided information, you are using the same shared key for both authenticating servers. I found this to be a problem, at least in my case, but it got resolved the moment I changed the shared key for the second server to be something different.

    I used as a reference the HPE process below:

    Configuring the switch for RADIUS authentication (hpe.com)

    In it, you will notice that you need to define the shared keys as independent records when there are two different ones, but if you are using the same shared key for both servers you need to set the global encryption key.

    See the statement below found in the previously provided link:

    "Use the global encryption key to support the two servers that use the same key. (For this example, assume that you did not configure these two servers with a server-specific key.)"

    I hope this information is helpful,

    Best Regards,