Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Dublin 17.12.x

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: July 31, 2023

Chapter: AAA Dead-Server Detection

AAA Dead-Server Detection
AAA dead-server detection
Prerequisites for AAA dead-server detection
Restrictions for AAA dead-server detection
Configure AAA dead-server detection (CLI)
Verify AAA dead-server detection

AAA Dead-Server Detection

AAA dead-server detection

A dead-server detection feature is an AAA capability that

allows configuration of criteria for marking RADIUS servers as dead
uses tunable deadtime and dead-criteria values to determine server status, and
provides faster failover and packet processing by quickly detecting and isolating non-responding servers.

You can configure the deadtime (in minutes) per server group or globally. This defines how long a server marked as DEAD remains in that state.

Deadtime—The period (in minutes) that a server, once marked as DEAD, remains in that state before being re-evaluated. This value can be set per server group or globally.

Dead-criteria—The specific conditions, such as timeout intervals or number of missed responses, that must be met before a server is considered DEAD. To declare a server as DEAD, you need to configure dead-criteria and configure the conditions that determine when a RADIUS server is considered unavailable or dead.

Criteria for marking a RADIUS server as dead

AAA dead-server detection uses two main criteria for marking a RADIUS server as unavailable: the minimum time since the last valid response, and the number of consecutive timeouts. When both criteria are met, the server is marked as dead and remains in that state for the configured dead time. After dead time expires, the controller re-evaluates the server's state and updates clients accordingly.

This approach ensures that only unresponsive servers are marked as dead. It minimizes authentication delays and prevents unnecessary switches between dead and alive status due to slow responses.

For configuration details and packet handling rules, see the definitions above.

Additional reference information

Both time and tries criteria must be met for a server to be marked as dead.
The detection process helps avoid unnecessary state changes between dead and alive for temporarily slow servers.
Both authentication and accounting packets are counted when applying the dead-criteria.

Example of AAA dead-server detection

If a controller has multiple RADIUS servers and one stops responding for the configured dead time and number of consecutive timeouts, it is marked as dead. Requests are then redirected to working servers, improving reliability.

Counter-example: Without AAA dead-server detection

Without AAA dead-server detection, a controller may continually attempt to communicate with a non-responsive RADIUS server, increasing authentication delays and denying access to users.

Prerequisites for AAA dead-server detection

You must have access to a RADIUS server.
You must be familiar with configuring a RADIUS server.
You must be familiar with configuring Authentication, Authorization, and Accounting (AAA).
Before a server can be marked as dead, yo configure radius-server dead-criteria time time-in-seconds tries number-of-tries to mark the server as DOWN.

Also, you must configure the radius-server deadtime time-in-mins to retain the server in DEAD status.

Restrictions for AAA dead-server detection

Original transmissions are not counted in the number of consecutive timeouts that must occur on the controller before the server is marked as dead--only the number of retransmissions are counted.

Configure AAA dead-server detection (CLI)

Enable detection of dead RADIUS servers to maintain network reliability.

This configuration is essential in environments using RADIUS servers for authentication. It ensures you can effectively manage server availability.

Procedure

Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enable the AAA access control model.

Example:

Device(config)# aaa new-model

Step 3

Define how long, in minutes, a server marked as DEAD will remain in that state.

Example:

Device(config)# radius-server deadtime time-in-mins

Example:

Device(config)# radius-server deadtime 5

When the deadtime expires, the controller marks the server as UP (ALIVE) and notifies registered clients about the state change.

time-in-mins — Valid values range from 1 to 1440 minutes. Default value is zero. To return to the default value, use the no radius-server deadtime command.

The radius-server deadtime command can be configured globally or per AAA group server level.

You can use the show aaa dead-criteria or show aaa servers command to check for dead-server detection. If the default value is zero, deadtime is not configured.

Step 4

Declare a server as DEAD and configure the conditions that determine when a RADIUS server is considered unavailable or dead.

Example:

Device(config)# radius-server dead-criteria [time time-in-seconds] [tries number-of-tries]

Example:

Device(config)# radius-server dead-criteria time 5 tries 4

time-in-seconds : Time in seconds during which no response is received from the RADIUS server to consider it as dead. Valid values range from 1 to 120 seconds.

Note

The total time to declare the server as dead depends on the configured time in seconds, retries, and pending transactions.

The calculated resulting time may range from ten to sixty seconds based on these criteria.

number-of-tries : Number of transmits to RADIUS server without responses before marking the server as dead. Valid values range from 1 to 100.

Step 5

Exit configuration mode and enter privileged EXEC mode.

Example:

Device(config)# end

You have now configured the AAA Dead-Server Detection, allowing you to manage RADIUS server availability effectively.

Verify AAA dead-server detection

This topic describes how to verify AAA Dead-Server Detection using various show commands.

To verify dead-criteria, use this command:

Device# show run | s dead-criteria
radius-server dead-criteria time 20 tries 20

To verify the dead-criteria details, use this command:

Device# sh aaa dead-criteria radius <server>
sh aaa dead-criteria radius 192.0.2.55
RADIUS Server Dead Criteria:
Server Details:
Address : 192.0.2.55
Auth Port : 1645
Acct Port : 1646
Server Group : radius
Dead Criteria Details:
Configured Retransmits : 3
Configured Timeout : 5
Estimated Outstanding Access Transactions: 2
Estimated Outstanding Accounting Transactions: 0
Dead Detect Time : 30s
Computed Retransmit Tries: 6
Statistics Gathered Since Last Successful Transaction
Max Computed Outstanding Transactions: 3
Max Computed Dead Detect Time: 90s
Max Computed Retransmits : 18

To verify the state of servers, number of requests being processed, and so on, use the command:

Device# show aaa servers | s WNCD
Platform State from WNCD (1) : current UP
Platform State from WNCD (2) : current UP
Platform State from WNCD (3) : current UP
Platform State from WNCD (4) : current UP
Platform State from WNCD (5) : current UP, duration 773s, previous duration 0s
Platform Dead: total time 0s, count 0
Quarantined: No

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)