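This document describes how the RADIUS dead-server detection feature and the deadtime setting are configured and how they operate on Cisco switches.
The information in this document is based on these software and hardware versions:
The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The AAA dead-server detection feature lets you define the criteria used to determine when a RADIUS server is considered unavailable. You can configure the minimum interval, in seconds, that must elapse between the time the device last received a valid packet from the RADIUS server and the time the server is marked dead. If no valid packet has been received since the device last booted and a timeout occurs, the time-based criterion is treated as met.
In addition, you can configure the number of consecutive timeouts that must occur before the RADIUS server is declared dead. If the server handles both authentication and accounting, timeouts for both types of traffic are included in this count. Malformed or improperly constructed packets are counted as timeouts. Only retransmissions count toward the timeout threshold.
Once a RADIUS server is marked dead, the configured deadtime value ensures that the server remains in the dead state for the specified duration (in minutes) before it is marked available again. During this period, the switch does not send any further RADIUS requests to the dead server.
If both time and tries are configured in dead-criteria, both conditions must be met before the server is marked dead.
Configure deadtime and dead-criteria on a Cisco Catalyst 9K switch.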
Switch#config terminal
Switch(config)#radius-server deadtime 2
Switch(config)#radius-server dead-criteria time 3 tries 3
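With the deadtime configuration defined in the previous step, the switch keeps the server marked dead for the period specified in the example (2 minutes). When the deadtime expires, the switch marks the server alive again and resumes sending RADIUS traffic to it.
If no RADIUS deadtime is specified, it defaults to 0, which returns the server to the UP state immediately. Because of this behavior, the RADIUS server state can flap and cause further authentication problems. To return the server to the UP state before the configured deadtime expires, configure RADIUS probes. The probe periodically tests the RADIUS server to see whether it responds to RADIUS requests. When a response to the probe is received, the switch marks the RADIUS server alive.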
Switch(config)#radius server RAD1
Switch(config-radius-server)#address ipv4 10.127.197.164 auth-port 1812 acct-port 1813
Switch(config-radius-server)#automate-tester username test-user ignore-acct-port probe-on
Switch(config-radius-server)#key Iselab@123
Switch(config)#radius server RAD2
Switch(config-radius-server)#address ipv4 10.127.197.165 auth-port 1812 acct-port 1813
Switch(config-radius-server)#automate-tester username test-user ignore-acct-port probe-on
Switch(config-radius-server)#key Iselab@123
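As shown earlier, test-user is the username of the test user ID. The ignore-acct-port keyword means that the switch must not verify the accounting port number of the server to be used. The probe-on keyword instructs the switch to send test probes only when the server is marked dead.
If the probe user is an actual account in the ISE internal or external database, a password is required. In the following example, test-user is the username and test-password is the password stored in the authentication identity store referenced by the RADIUS server. In addition, a "User rejected" message indicates that the RADIUS server is alive (unless a timeout occurs).
Two RADIUS servers, RAD1 and RAD2, are configured in the RADGRP group. The RADIUS service is not running on RAD1 but is running on RAD2.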
radius server RAD1
address ipv4 10.127.197.164 auth-port 1812 acct-port 1813
key Iselab@123
radius server RAD2
address ipv4 10.127.197.165 auth-port 1812 acct-port 1813
key Iselab@123
aaa group server radius RADGRP
server name RAD1
server name RAD2
To view detailed logs, the radius and aaa-trans debugs are enabled on the switch.
Switch#set platform software trace smd switch active R0 radius debug
Switch#set platform software trace smd switch active R0 aaa-trans debug
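After the switch starts a MAB session, it sends the first RADIUS Access-Request to the primary server at 10.127.197.164. Because this server has no active RADIUS service, it does not respond.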
2026/04/06 18:19:17.503353862 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Send Access-Request to 10.127.197.164:1812 id 1812/49, len 313
2026/04/06 18:19:17.503363389 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: authenticator c0 1f c0 30 8d 3d bc f9 - d2 67 e5 fe 09 3f 74 af
2026/04/06 18:19:17.503370267 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: User-Name [1] 14 "b496912267d1"
2026/04/06 18:19:17.503374078 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: User-Password [2] 18 *
2026/04/06 18:19:17.503383207 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Service-Type [6] 6 Call Check [10]
2026/04/06 18:19:17.503386667 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 31
2026/04/06 18:19:17.503391259 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
2026/04/06 18:19:17.503396265 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Framed-MTU [12] 6 1464
2026/04/06 18:19:17.503399148 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Message-Authenticator[80] 18 ...
2026/04/06 18:19:17.503425477 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: EAP-Key-Name [102] 2 *
2026/04/06 18:19:17.503431520 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 49
2026/04/06 18:19:17.503435444 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 43 "audit-session-id=C4436B0A0000003B62BAA3AE"
2026/04/06 18:19:17.503438273 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 18
2026/04/06 18:19:17.503442022 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 12 "method=mab"
2026/04/06 18:19:17.503444833 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 31
2026/04/06 18:19:17.503448442 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 25 "client-iif-id=506217142"
2026/04/06 18:19:17.503451224 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 18
2026/04/06 18:19:17.503454678 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 12 "vlan-id=97"
2026/04/06 18:19:17.503466727 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-IP-Address [4] 6 10.107.67.196
2026/04/06 18:19:17.503470183 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port-Id [87] 26 "TenGigabitEthernet1/0/46"
2026/04/06 18:19:17.503475118 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
2026/04/06 18:19:17.503479167 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port [5] 6 50146
2026/04/06 18:19:17.503482732 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Calling-Station-Id [31] 19 "B4-96-91-22-67-D1"
2026/04/06 18:19:17.503486454 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Called-Station-Id [30] 19 "90-77-EE-EC-78-AE"
2026/04/06 18:19:17.503543835 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Started 5 sec timeout
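After waiting for the default 5-second retransmit timer, the switch sends the Access-Request at 18:19:22 but receives no response, which raises the tries counter to 2.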
2026/04/06 18:19:22.503540209 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Retransmit to (10.127.197.164:1812,1813) for id 1812/49
2026/04/06 18:19:22.503550512 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS(00000000): Route radius Pkt on vrf:1 for:Access-Request to 10.127.197.164:1812
2026/04/06 18:19:22.503586730 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: authenticator c0 1f c0 30 8d 3d bc f9 - d2 67 e5 fe 09 3f 74 af
2026/04/06 18:19:22.503593713 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: User-Name [1] 14 "b496912267d1"
2026/04/06 18:19:22.503597724 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: User-Password [2] 18 *
2026/04/06 18:19:22.503606908 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Service-Type [6] 6 Call Check [10]
2026/04/06 18:19:22.503610291 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 31
2026/04/06 18:19:22.503614797 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
2026/04/06 18:19:22.503620000 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Framed-MTU [12] 6 1464
2026/04/06 18:19:22.503636893 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Message-Authenticator[80] 18 ...
2026/04/06 18:19:22.503663803 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: EAP-Key-Name [102] 2 *
2026/04/06 18:19:22.503669779 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 49
2026/04/06 18:19:22.503673708 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 43 "audit-session-id=C4436B0A0000003B62BAA3AE"
2026/04/06 18:19:22.503676661 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 18
2026/04/06 18:19:22.503680361 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 12 "method=mab"
2026/04/06 18:19:22.503683177 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 31
2026/04/06 18:19:22.503686781 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 25 "client-iif-id=506217142"
2026/04/06 18:19:22.503689608 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 18
2026/04/06 18:19:22.503693037 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 12 "vlan-id=97"
2026/04/06 18:19:22.503698541 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-IP-Address [4] 6 10.107.67.196
2026/04/06 18:19:22.503701959 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port-Id [87] 26 "TenGigabitEthernet1/0/46"
2026/04/06 18:19:22.503706717 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
2026/04/06 18:19:22.503710913 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port [5] 6 50146
2026/04/06 18:19:22.503714471 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Calling-Station-Id [31] 19 "B4-96-91-22-67-D1"
2026/04/06 18:19:22.503718191 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Called-Station-Id [30] 19 "90-77-EE-EC-78-AE"
2026/04/06 18:19:22.503791197 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Started 5 sec timeout
After waiting another 5 seconds, the switch sends the third Access-Request at 18:19:27, again with no response, which raises the tries counter to 3.
2026/04/06 18:19:27.504409044 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Retransmit to (10.127.197.164:1812,1813) for id 1812/49
2026/04/06 18:19:27.504419704 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS(00000000): Route radius Pkt on vrf:1 for:Access-Request to 10.127.197.164:1812
2026/04/06 18:19:27.504458569 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: authenticator c0 1f c0 30 8d 3d bc f9 - d2 67 e5 fe 09 3f 74 af
2026/04/06 18:19:27.504465641 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: User-Name [1] 14 "b496912267d1"
2026/04/06 18:19:27.504469296 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: User-Password [2] 18 *
2026/04/06 18:19:27.504478672 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Service-Type [6] 6 Call Check [10]
2026/04/06 18:19:27.504482096 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 31
2026/04/06 18:19:27.504486708 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
2026/04/06 18:19:27.504491837 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Framed-MTU [12] 6 1464
2026/04/06 18:19:27.504494772 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Message-Authenticator[80] 18 ...
2026/04/06 18:19:27.504521457 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: EAP-Key-Name [102] 2 *
2026/04/06 18:19:27.504527464 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 49
2026/04/06 18:19:27.504531333 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 43 "audit-session-id=C4436B0A0000003B62BAA3AE"
2026/04/06 18:19:27.504534211 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 18
2026/04/06 18:19:27.504538053 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 12 "method=mab"
2026/04/06 18:19:27.504540913 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 31
2026/04/06 18:19:27.504544569 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 25 "client-iif-id=506217142"
2026/04/06 18:19:27.504547453 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 18
2026/04/06 18:19:27.504556776 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 12 "vlan-id=97"
2026/04/06 18:19:27.504562674 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-IP-Address [4] 6 10.107.67.196
2026/04/06 18:19:27.504566176 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port-Id [87] 26 "TenGigabitEthernet1/0/46"
2026/04/06 18:19:27.504571069 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
2026/04/06 18:19:27.504575163 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port [5] 6 50146
2026/04/06 18:19:27.504578703 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Calling-Station-Id [31] 19 "B4-96-91-22-67-D1"
2026/04/06 18:19:27.504582370 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Called-Station-Id [30] 19 "90-77-EE-EC-78-AE"
2026/04/06 18:19:27.504650322 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Started 5 sec timeout
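At this point, both the time and the tries criteria are met, so the switch marks the first configured server dead for 120 seconds and fails over to the next server.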
2026/04/06 18:19:32.503887087 {smd_R0-0}{1}: [aaa-trans] [27946]: (info): AAA/SG/TRANSAC: Server (10.127.197.164:1812,1813) marked dead - Initializing deadtime timer for 120 secs.
2026/04/06 18:19:32.504202918 {smd_R0-0}{1}: [errmsg] [27946]: (info): %RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD: R0/0: sessmgrd: RADIUS server 10.127.197.164:1812,1813 is not responding.
2026/04/06 18:19:32.504301242 {smd_R0-0}{1}: [errmsg] [27946]: (info): %AAA_AUDIT_MESSAGE-6-METHOD_LIST_STATE: R0/0: sessmgrd: mlist default of 8021X service is marked for notifying state and its current state is : ALIVE
2026/04/06 18:19:32.504323189 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Fail-over to (10.127.197.165:1812,1813) for id 1812/49
2026/04/06 18:19:32.504378935 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS(00000000): Route radius Pkt on vrf:1 for:Access-Request to 10.127.197.165:1812
2026/04/06 18:19:32.504403273 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: authenticator c0 1f c0 30 8d 3d bc f9 - d2 67 e5 fe 09 3f 74 af
2026/04/06 18:19:32.504410062 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: User-Name [1] 14 "b496912267d1"
2026/04/06 18:19:32.504413896 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: User-Password [2] 18 *
2026/04/06 18:19:32.504422951 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Service-Type [6] 6 Call Check [10]
2026/04/06 18:19:32.504426323 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 31
2026/04/06 18:19:32.504430907 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
2026/04/06 18:19:32.504435998 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Framed-MTU [12] 6 1464
2026/04/06 18:19:32.504438858 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Message-Authenticator[80] 18 ...
2026/04/06 18:19:32.504465819 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: EAP-Key-Name [102] 2 *
2026/04/06 18:19:32.504471839 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 49
2026/04/06 18:19:32.504475779 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 43 "audit-session-id=C4436B0A0000003B62BAA3AE"
2026/04/06 18:19:32.504478746 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 18
2026/04/06 18:19:32.504482466 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 12 "method=mab"
2026/04/06 18:19:32.504485282 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 31
2026/04/06 18:19:32.504489653 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 25 "client-iif-id=506217142"
2026/04/06 18:19:32.504493997 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Vendor, Cisco [26] 18
2026/04/06 18:19:32.504499349 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Cisco AVpair [1] 12 "vlan-id=97"
2026/04/06 18:19:32.504509376 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-IP-Address [4] 6 10.107.67.196
2026/04/06 18:19:32.504522118 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port-Id [87] 26 "TenGigabitEthernet1/0/46"
2026/04/06 18:19:32.504527127 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
2026/04/06 18:19:32.504531412 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: NAS-Port [5] 6 50146
2026/04/06 18:19:32.504534916 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Calling-Station-Id [31] 19 "B4-96-91-22-67-D1"
2026/04/06 18:19:32.504538572 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Called-Station-Id [30] 19 "90-77-EE-EC-78-AE"
2026/04/06 18:19:32.504597929 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Started 5 sec timeout
2026/04/06 18:19:32.803141632 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Received from id 1812/49 10.127.197.165:0, Access-Accept, len 142
Tip: The default 5-second retransmit timer can be reconfigured with radius-server retransmit to achieve faster failover.
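The failover sequence walked through above can be recovered from an smd trace automatically. The following is an added example, not part of the original document or of any Cisco tooling: it parses lines excerpted from the trace above and reports, per server, the number of transmissions, the time from the first request to the dead marking, and when the deadtime expires. The names `timeline`, `EVENTS` and `FIELDS` are hypothetical, and the script only reads what the log states; it does not model how the switch evaluates dead-criteria.

```python
import re
from datetime import datetime, timedelta

# Lines excerpted from the trace above; the per-attribute lines are omitted.
SAMPLE = """\
2026/04/06 18:19:17.503353862 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Send Access-Request to 10.127.197.164:1812 id 1812/49, len 313
2026/04/06 18:19:22.503540209 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Retransmit to (10.127.197.164:1812,1813) for id 1812/49
2026/04/06 18:19:27.504409044 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Retransmit to (10.127.197.164:1812,1813) for id 1812/49
2026/04/06 18:19:32.503887087 {smd_R0-0}{1}: [aaa-trans] [27946]: (info): AAA/SG/TRANSAC: Server (10.127.197.164:1812,1813) marked dead - Initializing deadtime timer for 120 secs.
2026/04/06 18:19:32.504323189 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Fail-over to (10.127.197.165:1812,1813) for id 1812/49
2026/04/06 18:19:32.803141632 {smd_R0-0}{1}: [radius] [27946]: (info): RADIUS: Received from id 1812/49 10.127.197.165:0, Access-Accept, len 142
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.(\d{9}) \{[^}]*\}\{\d+\}: \[[\w-]+\] \[\d+\]: \(\w+\): (.*)$")
IP = r"\(?(\d+\.\d+\.\d+\.\d+):\d+"
EVENTS = [  # (kind, pattern); group 1 is always the server address
    ("send", re.compile(r"RADIUS: Send Access-Request to " + IP)),
    ("retransmit", re.compile(r"RADIUS: Retransmit to " + IP)),
    ("dead", re.compile(r"Server " + IP + r",\d+\) marked dead - Initializing deadtime timer for (\d+) secs")),
    ("failover", re.compile(r"RADIUS: Fail-over to " + IP)),
    ("reply", re.compile(r"RADIUS: Received from id \S+ " + IP + r", ([\w-]+)")),
]
FIELDS = ("first_sent", "dead_at", "alive_after", "secs_to_dead", "reply")

def timeline(text):
    """Summarise per-server transmissions, dead marking and replies."""
    servers = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an smd trace line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") + timedelta(microseconds=int(m.group(2)[:6]))
        for kind, rx in EVENTS:
            hit = rx.search(m.group(3))
            if not hit:
                continue
            s = servers.setdefault(hit.group(1), {"transmissions": 0, **dict.fromkeys(FIELDS)})
            if kind in ("send", "retransmit", "failover"):
                s["transmissions"] += 1
                s["first_sent"] = s["first_sent"] or ts
            elif kind == "dead":  # the server is skipped until alive_after
                s["dead_at"], s["alive_after"] = ts, ts + timedelta(seconds=int(hit.group(2)))
                s["secs_to_dead"] = (ts - s["first_sent"]).total_seconds() if s["first_sent"] else None
            else:
                s["reply"] = hit.group(2)
            break
    return servers
```

On the excerpt, 10.127.197.164 shows three transmissions and is marked dead about 15 seconds after the first request, which is the interval to compare against the timeout and dead-criteria values when tuning failover speed.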
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 11-May-2026 | Initial Release |