1. Why the clients are not able to connect when auth server is down even if "fail-through" has been enabled?
2. aaa test-server command works for a particular server but the client is still not able to connect.
Environment Information : This article applies to all Aruba controllers and code versions.
1. aaa test server works but client is not able to connect from secondary auth server.
2. client can only connect with primary auth server.
Cause : In the server group configuration, fail-through can be enabled.
#aaa server-group Radius-server
When the termination is disabled, the client receives the certificate from the radius server.
With the "allow-fail-through" knob enabled, the controller tries to verify the credentials with server1. If authentication is not successful, it will try the same with server2. It will keep on trying till the the list of servers in the group is exhausted.
However, the certificate is never retransmitted from the second server. Since the client is using certificate from first server and trying to authenticate against the second, the authentication will fail.
Resolution : Whenever using the option "allow-fail-through" for the server group with multiple auth servers, always make sure the the termination is enabled on the controller.
Answer : A server group can have multiple auth server. Aruba controller queries the first server unless it stops responding. Then it starts querying the second server for credentials.
When "allow-fail-through" is enabled, the controller will contact the second server is first server sends a authentication denied message.
However, for this to function correctly, termination must be enabled on the controller.