Configures the keep alive function for RADIUS servers using Network Login.
Syntax Description
netlogin
Specifies the network login RADIUS authentication server.
keep-alive
Specifies keep alive to test RADIUS server reachability.
on
Specifies to enable keep alive. Single success shows at least one server is reachable. Single failure shows no server is reachable.
off
Specifies to disable keep alive (Default).
Default
Off.
Usage Guidelines
This command configures the keep alive function for Network Login RADIUS servers. This enables sharing the Netlogin RADIUS server reachability status module.
When you enable this command, AAA sends an Access-Request using the RADIUS state machine subsystem in the AAA module and sets a dispatcher callback to repeat it at the configured keep alive interval. The following behavior scenarios exist when this command is configured:
If no Netlogin servers are configured or Netlogin RADIUS is not enabled – reachability is updated to unknown (NO) and conveyed to Netlogin.
If Netlogin RADIUS servers are configured and enabled, the RADIUS state machine sends the request to the corresponding server according to the re-transmission algorithm, retries, and timeout.
After sending the request, the state machine waits for the response. If a timeout occurs and no response is received from any server, reachability is NO and is conveyed to Netlogin.
If a response (Accept/Reject) is received from any one server before the timeout, reachability is YES and is conveyed to Netlogin.
The RADIUS client state machine in AAA takes care of all required re-transmissions and waits for the configured timeout seconds. If a successful response is received for a single keep alive message, that means at least one RADIUS server is reachable for Netlogin requests. If there's no response for a single keep alive message, it can be assumed that no server is reachable.
The next keep alive will be sent after the configured interval.
When you turn off the keep alive mechanism, the keep alive off status, along with the last known reachability status, is conveyed to Netlogin. Therefore, Netlogin can assume the reachability status is stale and decide accordingly.
If the last known status is reachable but a Netlogin RADIUS request times out (not reachable) before the next keep alive, then the status is updated as unreachable. This is also conveyed to Netlogin in order to update the reachability status as quickly as possible without waiting for the next keep alive. Netlogin will use the status when keep-sessions-on-reauth-svc-unavail is turned on and dot1x authentication mode is used.
If the last known status is unreachable and a Netlogin RADIUS request is successful (access/reject) before the next keep alive, then the status is updated as reachable and conveyed to Netlogin in order to update the reachability status as quickly as possible without waiting for the next keep alive.
Tip
The RADIUS server timeout configured using the configure radius netlogin timeout command should be less than the RADIUS keep-alive interval configured.
The Netlogin session timeout sent using the RADIUS attribute should be greater than the Netlogin keep-alive interval.
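The reachability rules in the Usage Guidelines and the timer guidance in the Tip, modeled as an added Python example (not ExtremeXOS code and not part of the original command reference). The class, method and parameter names are hypothetical, and ignoring request results while keep alive is off is an assumption.

```python
# Added illustration: a model of the reachability rules described above.
# Not ExtremeXOS code; all class, method and field names are hypothetical.
from dataclasses import dataclass


@dataclass
class NetloginReachability:
    keep_alive_on: bool = False   # the command default is off
    reachable: bool = False       # "NO" until a server answers
    stale: bool = True            # True while keep alive is off

    def set_keep_alive(self, on: bool) -> None:
        # Turning keep alive off keeps the last known status but marks it stale.
        self.keep_alive_on = on
        self.stale = not on

    def keep_alive_cycle(self, servers_enabled: bool, replies: list) -> None:
        # replies: one entry per configured server: "accept", "reject" or None
        # (None = no response after all retries and the timeout).
        if not self.keep_alive_on:
            return
        if not servers_enabled or not replies:
            self.reachable = False  # page: "unknown (NO)"
        else:
            # Accept and Reject both prove that a server answered.
            self.reachable = any(r in ("accept", "reject") for r in replies)

    def netlogin_request(self, reply) -> None:
        # A real Netlogin request between keep alives updates the status early.
        # Assumption: results are ignored while keep alive is off.
        if self.keep_alive_on:
            self.reachable = reply in ("accept", "reject")


def check_timers(server_timeout: int, keep_alive_interval: int,
                 session_timeout: int) -> list:
    """Return the Tip's constraints that the given values (seconds) violate."""
    problems = []
    if not server_timeout < keep_alive_interval:
        problems.append("RADIUS server timeout must be less than keep-alive interval")
    if not session_timeout > keep_alive_interval:
        problems.append("Netlogin session timeout must be greater than keep-alive interval")
    return problems
```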
Example
The following command configures keep alive for RADIUS Netlogin:
configure radius netlogin keep-alive on
History
This command was first available in version 33.2.1.
Platform Availability
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, and X695 series switches.