RADIUS Server Reachability

Configure up to 10 EAP RADIUS servers on the switch to manage fault tolerance. Each server is assigned a priority and the servers are contacted in priority order. If the first server is unavailable, the switch tries the second server, and so on, until the switch establishes a successful connection. A lower integer value means a higher priority.

RADIUS server reachability prevents clients from trying to establish a connection with unreachable servers. RADIUS server reachability runs a periodic check in the background to identify the available servers, so the switch knows the first available EAP RADIUS server without going through each of the servers and waiting for time-outs.

Use RADIUS server reachability to configure the switch to use RADIUS requests to determine the reachability of the RADIUS server. The switch regularly performs the reachability test to determine if the switch should fail over to the secondary RADIUS server or activate the Fail Open VLAN, if configured on the switch.

Use one of the following modes to configure RADIUS reachability:
  • status-server mode: Status-Server packets provide a standard-compliant alternative to configuring dummy RADIUS requests. You can configure the switch to send status-server packets when the keep-alive timer or the unreachable timer expires. In order to use status-server mode, the configured RADIUS servers must support RFC5997.

  • use-radius mode: Configure use-radius mode if any of the RADIUS servers do not support RFC5997. In use-radius mode, the switch regularly generates a dummy RADIUS request with the username reachme and password reachme. The switch interprets either a Request Accept or a Request Reject response as confirmation of server reachability; therefore it is not necessary to add the credentials on the server to test server reachability. You can configure the username and password for the dummy account through CLI. Use-radius is the default mode for RADIUS reachability.

You can configure the RADIUS reachability mode in either CLI or EDM.

Note
RADIUS server reachability is enabled on the switch and is not a configurable option. The reachability process starts when at least one RADIUS server used by EAP is configured, and RADIUS is enabled globally.

Based on the number of EAP RADIUS servers configured, the switch performs the following:
  • If the highest priority EAP RADIUS server is reachable, the server status is updated to reachable and further authentication will use this server. As long as the highest priority EAP RADIUS server is reachable, the rest of the EAP RADIUS servers are not tested for reachability.

  • If the highest priority EAP RADIUS server is not reachable, then the switch tests the rest of the EAP RADIUS servers for reachability. The servers are checked one by one, based on their priority from highest to lowest. The first server that is reachable is used for authentication, and the remaining lower priority EAP RADIUS servers, if any, are skipped from the reachability test.

  • If all the EAP RADIUS servers are unreachable, then no further authentication occurs until the next successful reachability check.

The intervals between two consecutive reachability checks can be configured. The default values are as follows:
  • one minute, if the last check result was unreachable

  • three minutes, if the last check result was reachable

A server is marked as unreachable after a number of retries and time-outs. The default number of retries is 1 and the default time-out value is 8 seconds, but you can also configure these values in CLI.
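The following Python model is an added example, not code from the switch firmware or from this documentation. It implements the reachability procedure described above: servers are probed in priority order (lower integer first), a server is considered reachable when the dummy request gets either an Accept or a Reject response, a server is marked unreachable only after the configured retries have timed out, probing stops at the first reachable server, and the next check interval is one minute when no server was reachable and three minutes otherwise. The server addresses, the `ConstructedNetwork` transport stub and the canned responses are constructed for the example; the interpretation of "last check result" as the overall outcome of the check is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# RADIUS packet codes from RFC 2865. Both prove that the server answered.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Defaults stated in the documentation: 1 retry, 8 second time-out,
# 60 s between checks after an unreachable result, 180 s after a reachable one.
DEFAULT_RETRIES = 1
DEFAULT_TIMEOUT_S = 8
INTERVAL_UNREACHABLE_S = 60
INTERVAL_REACHABLE_S = 180

# A transport returns the RADIUS code of the reply, or None on time-out.
SendFn = Callable[[str, int], Optional[int]]


@dataclass
class RadiusServer:
    priority: int               # lower integer = higher priority
    address: str
    reachable: Optional[bool] = None   # None: not tested during the last check


def probe_server(server: RadiusServer, send: SendFn,
                 retries: int = DEFAULT_RETRIES,
                 timeout_s: int = DEFAULT_TIMEOUT_S) -> bool:
    """Send the dummy request up to 1 + retries times.

    Accept and Reject both count as reachable, so the dummy account does not
    need to exist on the server. Only repeated time-outs mark it unreachable.
    """
    for _attempt in range(1 + retries):
        code = send(server.address, timeout_s)
        if code in (ACCESS_ACCEPT, ACCESS_REJECT):
            return True
    return False


def reachability_check(servers: List[RadiusServer], send: SendFn,
                       retries: int = DEFAULT_RETRIES) -> Tuple[Optional[RadiusServer], int]:
    """Run one reachability check over the configured EAP RADIUS servers.

    Returns the server to use for authentication (None if all are unreachable)
    and the number of seconds until the next check.
    """
    for server in servers:
        server.reachable = None      # status is refreshed only for servers actually tested
    for server in sorted(servers, key=lambda s: s.priority):
        server.reachable = probe_server(server, send, retries)
        if server.reachable:
            # Lower priority servers are skipped while a higher one answers.
            return server, INTERVAL_REACHABLE_S
    return None, INTERVAL_UNREACHABLE_S


class ConstructedNetwork:
    """Constructed stand-in for the switch's RADIUS transport (no real sockets)."""

    def __init__(self, responses: dict):
        self.responses = responses   # address -> RADIUS code, missing = time-out
        self.sent: List[str] = []    # addresses probed, in order, one entry per request

    def send(self, address: str, timeout_s: int) -> Optional[int]:
        self.sent.append(address)
        return self.responses.get(address)


def run_demo():
    # Constructed scenario using RFC 5737 documentation addresses:
    # priority-1 server times out, priority-2 server rejects the dummy
    # credentials, priority-3 server would accept but is never asked.
    servers = [RadiusServer(3, "192.0.2.30"),
               RadiusServer(1, "192.0.2.10"),
               RadiusServer(2, "192.0.2.20")]
    net = ConstructedNetwork({"192.0.2.20": ACCESS_REJECT,
                              "192.0.2.30": ACCESS_ACCEPT})
    active, next_interval = reachability_check(servers, net.send)
    return active, next_interval, net.sent, servers


if __name__ == "__main__":
    active, interval, sent, servers = run_demo()
    print("active server:", active.address if active else None)
    print("next check in:", interval, "s")
    print("requests sent:", sent)
    for s in sorted(servers, key=lambda s: s.priority):
        print(f"priority {s.priority} {s.address}: reachable={s.reachable}")
```

In the constructed scenario the priority-1 server is probed twice (one attempt plus the default single retry) before being marked unreachable, the priority-2 server is selected on its Reject response, and the priority-3 server is left untested, which is the behaviour the bullets above describe.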