Dead RADIUS server detection

RUCKUS ICX devices support authentication using up to eight RADIUS servers, including those used for authentication and for management.

The device tries the servers in the order in which they were added to the device configuration. If one RADIUS server times out (does not respond), the RUCKUS ICX device tries the next one in the list. Servers are tried in the same sequence for every request, so if several servers are unavailable or not responding, authentication is delayed while each of them times out in turn.

RADIUS servers that are unavailable or that have stopped responding can be detected and marked as dead using the radius-server test command. To test the availability of a server, an Access-Request message is sent to the RADIUS server with a nonexistent username (a username that is not configured on the server), so that an available server answers with an Access-Reject message. If the RUCKUS ICX device receives no response from a RADIUS server within the configured time limit and number of retries, the server is marked as dead. The time limit and the number of retries can be configured with the radius-server timeout and radius-server retransmit commands respectively. If they are not configured, the RUCKUS ICX device applies the defaults of a 3-second timeout and a maximum of 3 retries. The interval at which the test message is sent to check the status of a server is configured with the radius-server dead-time command.

The following example demonstrates configuring and confirming dead server detection.
device# configure terminal
device(config)# radius-server test sample
device(config)# radius-server dead-time 5
device(config)# exit
device# show radius server
Server                      Type      Opens     Closes   Timeouts   Status
----------------------------------------------------------------------------
                            any        471        247          1   active
                            any        471        247          1   dead
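The probe mechanism described above, as an added example that is not RUCKUS code: it builds an RFC 2865 Access-Request for a username the server should not know, retries it on timeout, and treats a reply as proof of life only when the reply's Response Authenticator verifies against the shared secret, so a forged or stray datagram cannot revive a dead entry. The defaults (3-second timeout, 3 retries) follow the text; the attempt count of one initial request plus `retransmit` retries, the NAS-Identifier string and the transport abstraction are assumptions of this example, and the two offline "servers" are constructed stand-ins for testing.

```python
"""Model of dead RADIUS server detection (added example, not RUCKUS ICX code)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(atype: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: type(1) length(1, header included) value
    return struct.pack("!BB", atype, len(value) + 2) + value


def _hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    # MD5(secret + previous block); the first "previous block" is the Request Authenticator.
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_probe(secret: bytes, username: bytes, ident: int, request_auth: bytes) -> bytes:
    """Access-Request carrying a username the server is not expected to know."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, _hide_password(b"probe", secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, b"icx-health-check"))  # assumed NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe_server(send_and_wait, secret: bytes, timeout: float = 3.0, retransmit: int = 3,
                 username: bytes = b"nonexistent-user"):
    """Return ('active', attempts) on an authentic reply, ('dead', attempts) once retries run out.

    send_and_wait(packet, timeout) -> bytes | None abstracts the UDP exchange
    (assumption of this example) so the logic can be exercised offline.
    """
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_probe(secret, username, ident, request_auth)
    attempts = 0
    for _ in range(1 + retransmit):          # initial request plus `retransmit` retries
        attempts += 1
        reply = send_and_wait(packet, timeout)
        if reply and len(reply) >= 20 and reply[1] == ident \
                and reply_is_authentic(reply, request_auth, secret):
            return "active", attempts        # an Access-Reject is the healthy answer here
    return "dead", attempts


def udp_transport(host: str, port: int = 1812):
    """Real transport for a live server: one datagram per attempt, None on timeout."""
    def send_and_wait(packet: bytes, timeout: float):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (host, port))
            try:
                return s.recv(4096)
            except socket.timeout:
                return None
    return send_and_wait


def fake_reject_server(secret: bytes):
    """Constructed offline stand-in: answers every probe with a correctly signed Access-Reject."""
    def send_and_wait(packet: bytes, timeout: float):
        header = struct.pack("!BBH", ACCESS_REJECT, packet[1], 20)
        return header + hashlib.md5(header + packet[4:20] + secret).digest()
    return send_and_wait


def silent_server(packet: bytes, timeout: float):
    """Constructed offline stand-in for a server that never responds."""
    return None


if __name__ == "__main__":
    print("reachable:", probe_server(fake_reject_server(b"s3cret"), b"s3cret"))
    print("silent:   ", probe_server(silent_server, b"s3cret", timeout=0.5))
```

For a real check, pass `udp_transport("<radius-server-address>")` as the transport; the `timeout` and `retransmit` arguments correspond to the radius-server timeout and radius-server retransmit settings, and a scheduler calling `probe_server` every dead-time interval completes the model.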

When dead RADIUS server detection is configured, all configured RADIUS servers are monitored at regular intervals from system startup. When a RADIUS server times out (does not respond), it is marked as a dead server. When the status of a RADIUS server tagged for 802.1x or MAC authentication changes, the new status is broadcast to all units in the stack, because 802.1x and MAC authentication are performed locally on every unit.