
This is a new setup of Cisco access switches (2960S, 2960X IOS with 15.2(2)E9, but mostly C1000 with IOS 15.2(7)E*), with a Cisco ISE 3.0 as authentication server for 802.1X, config style is to be IBNS 2.0.

Switches will want to do radius server dead detection and this all seems to be on a good path.

Task at hand:

We'd like to be alerted when a switch detects "all AAA servers down" and starts to handle the "critical" or Inaccessible Authentication Bypass branch in the IBNS 2.0 policy.

Idea:

SNMP-poll state of given radius servers with SNMP, raise alert if all are considered "dead" by the switch.

... OR ...

SNMP-poll state of given radius server group, raise alert if the entire group is shown as "dead".

The bad news:

SNMP trap ingestion and alerting on syslog parsing are (currently) not options with the given monitoring/alerting construct - so we'll need to rely on polling.

Problem:

Checked/walked ...

  1. CISCO-RADIUS-MIB (1.3.6.1.4.1.9.9.288)
  2. CISCO-RADIUS-EXT-MIB (1.3.6.1.4.1.9.9.736)
  3. CISCO-AAA-SERVER-MIB (1.3.6.1.4.1.9.10.56) ... 1.3.6.1.4.1.9.10.56.1.2.1.1.25 seemed such a good idea at first.
  4. CISCO-AUTH-FRAMEWORK-MIB (1.3.6.1.4.1.9.9.656)

... but 1. - 3. don't seem to be populated by the SNMP agent on the switch, and 4. doesn't seem to hold any info about the auth servers and their state.

[EDIT after research]

Indeed, Cisco's own feature navigator confirms that C1000 and 2960S/X, from the MIBs listed above, support CISCO-AUTH-FRAMEWORK-MIB only.

[/EDIT after research]

Current AAA and SNMP config of the device is (sanitized):

    aaa group server radius CUST-ISE-RADIUS
     server name CUST-ISE1-HOSTNAME01
     server name CUST-ISE2-HOSTNAME01
     ip radius source-interface <SrcIf>
    !
    radius server CUST-ISE1-HOSTNAME01
     address ipv4 <ip> auth-port 1812 acct-port 1813
     timeout 1
     automate-tester username ... <plus some more>
     key 7 <key>
    !
    radius server CUST-ISE2-HOSTNAME01
     address ipv4 <ip> auth-port 1812 acct-port 1813
     timeout 1
     automate-tester username ... <plus some more>
     key 7 <key>
    [...]
    snmp-server community <ourcommunity> RO <OurReadOnlyACL>
    snmp-server trap-source Loopback0
    snmp-server source-interface informs Loopback0
    snmp-server location <somewhere>
    snmp-server contact <us, of course>
    snmp-server enable traps cpu threshold
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server host 212.71.112.114 <ourTrapCommunity>

QUESTION:

  • Is there another branch of the (Cisco's) MIB tree you might know about, where we'd be able to determine if a switch believes the given (set of) radius server(s) dead or up?
  • Is there a way to enable support for AAA-MIB, or its non-experimental equivalent? (.1.3.6.1.9.10 .* is "Cisco Experimental", and CISCO-AAA-SERVER-MIB is part thereof).

Thanks for your hints and pointers

Marc

  • Are you married to SNMP, or is receiving a syslog message good enough? You may be able to use an EEM script to send a syslog message. Commented Apr 26, 2022 at 15:47
  • @RonMaupin unfortunately, we're stuck with SNMP polling for the foreseeable time and project scopes :-( Commented Apr 26, 2022 at 15:57
  • OK. Personally, I would rather rely on an active rather than passive response to something like that. Commented Apr 26, 2022 at 15:59
  • Do you really need the access switches to tell you that your servers are down? Can you poll the servers directly with your NMS? Commented Apr 26, 2022 at 16:11
  • We probably could implement a custom radius poller on the NMS, but its results would be of lesser interest: The ISE answering radius requests from within the datacenter is quite fine. But that does not say if the LAN switch out at the customer's site gets answers. The switches do have decent radius pollers - I'd just like to know when they trigger, even if it's a false positive: If the switch believes all AAA servers dead, it will trigger IBNS 2.0's inaccessible authentication bypass sequence, possibly locking/unauth'ing clients. And that's what we'd like to have an alert for. Commented Apr 26, 2022 at 21:00
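The polling idea from the question, as an added example that is not part of the original post or of any Cisco tooling: it parses an snmpwalk of the casState column the asker named (1.3.6.1.4.1.9.10.56.1.2.1.1.25) and raises the "all dead" verdict only when every populated row reports dead(2). The sample walk lines are constructed, and the row instance layout and the net-snmp output format are assumptions; on the platforms the asker lists the table is not populated at all, which the code reports as a distinct verdict instead of treating an empty table as "all dead".

```python
import re
from enum import Enum

# casState column of CISCO-AAA-SERVER-MIB casStatisticsTable (the OID named in
# the question); values are up(1) and dead(2). The instance suffix after the
# column OID identifies the server row and is kept as an opaque string.
CAS_STATE_OID = ".1.3.6.1.4.1.9.10.56.1.2.1.1.25"
STATE_UP, STATE_DEAD = 1, 2

class Verdict(Enum):
    ALL_UP = "all polled servers up"
    DEGRADED = "some polled servers dead"
    ALL_DEAD = "all polled servers dead: alert"
    UNSUPPORTED = "casState not populated: cannot judge, check MIB support"

# Matches net-snmp "-On" style lines, with or without a symbolic value label.
_LINE = re.compile(r"^\s*(\S+)\s*=\s*INTEGER:\s*(?:[a-z]+\()?(\d+)\)?\s*$")

def parse_cas_state(walk_lines):
    """Return {instance: state} for every casState row in the walk output."""
    states = {}
    for line in walk_lines:
        m = _LINE.match(line)
        if not m or not m.group(1).startswith(CAS_STATE_OID + "."):
            continue  # "No Such Object" lines, other columns, junk
        instance = m.group(1)[len(CAS_STATE_OID) + 1:]
        states[instance] = int(m.group(2))
    return states

def judge(states):
    """Alert only when every populated row is dead; an empty table is NOT an alert."""
    if not states:
        return Verdict.UNSUPPORTED  # all(...) over nothing would be vacuously True
    dead = sum(1 for s in states.values() if s == STATE_DEAD)
    if dead == len(states):
        return Verdict.ALL_DEAD
    return Verdict.DEGRADED if dead else Verdict.ALL_UP

# Constructed sample walks (not captured from a real device); instance is
# assumed to be <casProtocol>.<casIndex>, radius being protocol 2.
SAMPLE_ALL_DEAD = [
    ".1.3.6.1.4.1.9.10.56.1.2.1.1.25.2.1 = INTEGER: 2",
    ".1.3.6.1.4.1.9.10.56.1.2.1.1.25.2.2 = INTEGER: dead(2)",
]
SAMPLE_MIXED = [
    ".1.3.6.1.4.1.9.10.56.1.2.1.1.25.2.1 = INTEGER: 1",
    ".1.3.6.1.4.1.9.10.56.1.2.1.1.25.2.2 = INTEGER: 2",
]
SAMPLE_UNPOPULATED = [  # what the question reports on C1000 / 2960S/X
    ".1.3.6.1.4.1.9.10.56.1.2.1.1.25 = No Such Object available on this agent at this OID",
]
```

Feed the NMS poller's walk output to parse_cas_state() and page on Verdict.ALL_DEAD; treat Verdict.UNSUPPORTED as a monitoring-coverage gap rather than an outage.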
