ArubaOS and Controllers

Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

802.1x Failure after redundancy Failover

Hi Airheads,

I'm facing an issue with my deployment. I've deployed n + 1 redundancy. I have SITE A and SITE B, which are layer 3 separated.
Both controllers have the same configuration and the same license counts, and both are managing their own APs, meaning APs in SITE A
are registered to SITE A and APs in SITE B are registered to SITE B.

My customer's radius server is at SITE B (let's say the IP is 10.1.1.1).
The controllers are configured with two Radius Server Profiles pointing to the same Radius Server (10.1.1.1), but the pre-shared key for each profile is different.
RadiusProf 1 is used by SITE A ap group and RadiusProf 2 is used by SITE B ap group. On a normal day, everything is working (Data, voice, guest, etc.).

My problem starts when there is a failover. I tested redundancy and disconnected the SITE A controller, and the SSID that has 802.1x is not working. It seems that after failover, when users in SITE A connect, they are using RadiusProf 1, which is meant for the SITE A controller, after which the Radius server rejects because the APs are now registered to the SITE B controller.

I think it's because RadiusProf 1 is not meant for SITE B controller that's why the Radius Server is rejecting the controller because the PSK for RadiusProf 2 is different. Am I right?

If I configure the two profiles with the same PSK, will this solve my problem? That means I also need to reconfigure the Radius Server itself. Has anyone experienced this problem before? Any help would be appreciated.

Thank you so much.
Guru Elite
Posts: 20,418
Registered: ‎03-29-2007

Re: 802.1x Failure after redundancy Failover

If you configured one Radius server on your Aruba Controller with a PSK and you have a master and a local that will be using that profile, you need to configure two radius server clients on your radius server, both with the same PSK, but with different IP addresses. All traffic will be sent to the same radius server, but with the same PSK; the only difference is that the authentication will be sent from the Controller at site A normally and then site B during failover. To make sure your radius failover will work, on each controller, go to the Diagnostics tab and use AAA Test-server to test that regular credentials will work. If not, look at the Radius server in the event viewer to see why not. In Windows 2003, your events would be in the system portion of the event viewer. In Windows 2008, it will be in the Custom > Network Policy Server part.


Colin Joseph
Aruba Customer Engineering
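
The failure and the fix discussed in this thread, modelled as an added example (not code from either poster or from Aruba): a RADIUS server selects the shared secret by the request's source IP and checks the Message-Authenticator (HMAC-MD5, RFC 3579) that EAP/802.1X requests carry. The controller IPs, secrets and user name below are constructed, and the function names are hypothetical.

```python
import hashlib, hmac, os, struct

USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80   # RADIUS attribute types
SITE_A, SITE_B = "10.0.0.10", "10.1.1.10"  # constructed controller IPs
SECRET_1, SECRET_2 = b"prof1-secret", b"prof2-secret"  # constructed secrets

def access_request(secret, username, ident=1):
    """Access-Request signed with Message-Authenticator (RFC 3579)."""
    user = bytes([USER_NAME, 2 + len(username)]) + username
    ma_hdr = bytes([MESSAGE_AUTHENTICATOR, 18])
    length = 20 + len(user) + 18
    head = struct.pack("!BBH", 1, ident, length) + os.urandom(16)
    # The HMAC-MD5 is computed with the 16-byte value field zeroed.
    mac = hmac.new(secret, head + user + ma_hdr + bytes(16), hashlib.md5).digest()
    return head + user + ma_hdr + mac

def server_accepts(clients, src_ip, packet):
    """Pick the shared secret by source IP, then verify the signature."""
    secret = clients.get(src_ip)
    if secret is None:
        return False                       # not a configured RADIUS client
    end, pos = struct.unpack("!H", packet[2:4])[0], 20
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False                   # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:end]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += alen
    return False                           # unsigned request

def scenario(clients, profile_secret, src_ip):
    """Send one request signed with a profile's secret from src_ip."""
    return server_accepts(clients, src_ip, access_request(profile_secret, b"user1"))

# Client table as described in the question: a different secret per controller.
as_posted = {SITE_A: SECRET_1, SITE_B: SECRET_2}
# Client table as described in the reply: two client entries, same secret.
as_advised = {SITE_A: SECRET_1, SITE_B: SECRET_1}

if __name__ == "__main__":
    print("normal, from SITE A :", scenario(as_posted, SECRET_1, SITE_A))
    print("failover, from B    :", scenario(as_posted, SECRET_1, SITE_B))
    print("failover, as advised:", scenario(as_advised, SECRET_1, SITE_B))
```
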
