Q: Why are guest users associated to an IAP-92/93 unable to authenticate when the secondary RADIUS server is set to the internal server on the IAP?
A: Starting with Instant 4.1.1.x, the IAP-92/93 does not support any authentication against the internal server, due to hardware limitations. As a result, an IAP-92/93 will not forward the RADIUS request generated for the client's credentials when the backup RADIUS server of the guest SSID is mapped to the internal database.
With the primary server set to an external RADIUS server and the secondary server set to none or to another external RADIUS server, guest users authenticate normally.
However, if the secondary RADIUS server of the guest SSID is mapped to the internal database, the RADIUS request is dropped on the IAP itself and is never sent to the primary server either, because of the same hardware limitation. The two tests below show the difference.
Test 1: no secondary server configured
18:64:72:c1:ce:90# show radius-servers
RADIUS Servers
--------------
Name IP Address Port Acctport Key Timeout Retry Count NAS IP Address NAS Identifier In Use RFC3576 Airgroup RFC3576-ONLY Airgroup RFC3576 port Deadtime DRP IP DRP IP Mask DRP VLAN DRP Gateway Radsec Radsec port
---- ---------- ---- -------- --- ------- ----------- -------------- -------------- ------ ------- --------------------- --------------------- -------- ------ ----------- -------- ----------- ------ -----------
InternalServer 127.0.0.1 1616 1813 dc04bf78f79b4f312989be4ddb1a349851c88a680e2ab0a0978eea4ac58ec77f6c6c34367a0ef896157f9c16872dbe4285aa1101e347422afe583cd847fcff04 5 3 Yes 0 5 Disabled Disabled
Clearpass 10.30.156.166 1812 1813 e72883e1acdfbdb1496094df87a071652c66d9efacd79a57 5 3 Yes Y 5999 5 Disabled Disabled
18:64:72:c1:ce:90# show clock
Current Time :2015-07-21 13:45:52 <-- timestamp before connecting the client
18:64:72:c1:ce:90# show clients | include Arubatest
Aruba@Aruba.com 172.31.99.224 7c:e9:d3:2d:3c:55 Linux Arubatest 18:64:72:c1:ce:90 11 GN test 50(good) 144(good)
18:64:72:c1:ce:90# show log security | include radius
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1699] Sending radius request to Clearpass:10.30.156.166:1812 id:29,len:185
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_api.c:464] Radius authenticate user (Aruba@Aruba.com) PAP using server Clearpass
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_request.c:52] Add Request: id=29, srv=10.30.156.166, fd=18
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1699] Sending radius request to Clearpass:10.30.156.166:1812 id:29,len:185
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709] NAS-IP-Address: 10.30.56.22
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709] NAS-Port-Id: 0
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709] NAS-Port-Type: 19
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709] User-Name: Aruba@Aruba.com
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1713] Password: *****
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709] Service-Type: Login-User
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709] Calling-Station-Id: 7ce9d32d3c55
With no secondary RADIUS server configured, the IAP sends the RADIUS request to the ClearPass server (10.30.156.166:1812) at 13:47:51, shortly after the client associated at 13:45:52, and `show clients` shows the user in its post-authentication role (`test`).
Test 2: primary server CPPM (ClearPass), secondary server set to the internal server
18:64:72:c1:ce:90# show clock
Current Time :2015-07-21 14:02:53 <-- timestamp before the client reconnects
Now connecting the client with the secondary server set to the internal server:
18:64:72:c1:ce:90# show clock
Current Time :2015-07-21 14:04:29 <-- timestamp while connecting the client
18:64:72:c1:ce:90# show clients | include Arubatest
css-Latitude-E5420 172.31.99.224 7c:e9:d3:2d:3c:55 Arubatest 18:64:72:c1:ce:90 11 GN Preauth 0(poor) 0(poor)
18:64:72:c1:ce:90# show log security | include radius
Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1699] Sending radius request to Clearpass:10.30.156.166:1812 id:29,len:185
Now entering the username and password on the captive portal page.
The client associated at 14:04:29, yet even after the credentials are submitted on the captive portal page no RADIUS request is sent by the IAP after that time. The only entry in the security log is the earlier request from 13:47:51 (Test 1), and the client stays in the `Preauth` role with the captive portal never completing.
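The check performed by hand above (correlating the `show clock` association timestamp with the `show log security | include radius` output) can be automated. The script below is an added example and is not part of the original Aruba article or of Instant itself: it parses the stm "Sending radius request" debug lines, which only appear when the IAP actually forwards an Access-Request, and reports whether any were sent after a given association time. The log lines embedded in it are copied from the output above, the two association times come from the `show clock` readings above, the year is supplied by the caller because IAP syslog timestamps carry none, and the function names are this example's own.

```python
import re
from datetime import datetime
from typing import List, NamedTuple

# Matches the stm "Sending radius request" debug line that appears only when
# the IAP actually forwards an Access-Request to a configured RADIUS server.
_SEND_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r".*Sending radius request to (?P<name>[^:]+):(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) "
    r"id:(?P<rid>\d+),len:(?P<length>\d+)"
)


class RadiusSend(NamedTuple):
    when: datetime
    server: str
    ip: str
    port: int
    request_id: int


def parse_radius_sends(log_lines: List[str], year: int) -> List[RadiusSend]:
    """Extract every RADIUS forward event from `show log security` output.

    IAP syslog timestamps carry no year, so the caller supplies it (take it
    from `show clock`). Attribute lines such as NAS-IP-Address or User-Name
    are ignored; only the "Sending radius request" line proves a packet left
    the AP.
    """
    events = []
    for line in log_lines:
        m = _SEND_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append(
            RadiusSend(when, m["name"], m["ip"], int(m["port"]), int(m["rid"]))
        )
    return events


def radius_forwarded_since(log_lines: List[str], associated_at: datetime) -> List[RadiusSend]:
    """Return the forward events at or after the client's association time.

    An empty result is the symptom described on the page: the client
    associated and submitted credentials, but the IAP never sent an
    Access-Request. Entries from earlier tests are filtered out, so a stale
    13:47:51 line in the log does not mask the failure.
    """
    return [
        e
        for e in parse_radius_sends(log_lines, associated_at.year)
        if e.when >= associated_at
    ]


# Log lines copied from the `show log security | include radius` output above.
SAMPLE_LOG = [
    "Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1699] Sending radius request to Clearpass:10.30.156.166:1812 id:29,len:185",
    "Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_api.c:464] Radius authenticate user (Aruba@Aruba.com) PAP using server Clearpass",
    "Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_request.c:52] Add Request: id=29, srv=10.30.156.166, fd=18",
    "Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1699] Sending radius request to Clearpass:10.30.156.166:1812 id:29,len:185",
    "Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709] NAS-IP-Address: 10.30.56.22",
    "Jul 21 13:47:51 stm[1664]: <121031> <DBUG> |AP 18:64:72:c1:ce:90@10.30.56.22 stm| |aaa| [rc_server.c:1709] User-Name: Aruba@Aruba.com",
]

# Association times taken from the two `show clock` readings above.
FIRST_TEST_ASSOCIATED = datetime(2015, 7, 21, 13, 45, 52)   # Test 1: no secondary server
SECOND_TEST_ASSOCIATED = datetime(2015, 7, 21, 14, 4, 29)   # Test 2: secondary = internal server

if __name__ == "__main__":
    for label, t in (("no secondary", FIRST_TEST_ASSOCIATED),
                     ("secondary=internal", SECOND_TEST_ASSOCIATED)):
        sends = radius_forwarded_since(SAMPLE_LOG, t)
        verdict = "forwarded" if sends else "DROPPED on IAP (no Access-Request sent)"
        print(f"{label}: {len(sends)} request(s) after {t:%H:%M:%S} -> {verdict}")
```

Paste the relevant `show log security | include radius` output into `SAMPLE_LOG` (or read it from a file) and pass the `show clock` time at which the client associated. For Test 1 it reports two forward events at 13:47:51 toward Clearpass; for Test 2 it reports none, which is exactly the dropped-request behaviour the page describes.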