Controller-less WLANs

Why do I see more authentication request to one server than other? Why I don't see any authentication request to one of the servers?

Environment  :  Aruba Instant deployment with multiple authentication servers used with server load balancing enabled.

 

Aruba Instant allows configuring upto 2 authentication servers for client authentication and load balance between them. 

 

 

GUI Config ::

 

rtaImage.jpg

 

CLI Config ::

 
wlan ssid-profile VJMobile
 index 1
 type employee
 essid VJMobile
 opmode wpa2-aes
 max-authentication-failures 0
 vlan 267
 auth-server NewAS1
 auth-server NewAS2
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 server-load-balancing
 radius-accounting
 radius-interim-accounting-interval 5
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64


However; it maybe noticed that authentication traffic isn't equally distributed with more / all requests being sent to primary server. 

Example ::
 

VJTest#  show ap debug radius-statistics 
 
 
RADIUS Statistics
-----------------
Statistics             TerminationServer  InternalServer  as1     as2       NewAS1  NewAS2  
----------             -----------------  --------------  ---     ---       ------  ------  
In Service             enable             enable          enable  enable    enable  enable 
Accounting Requests    0                  0               0       0        4850    521    
Raw Requests           0                  0               0       0         443    1078   
PAP Requests           0                  0               0       0         0       0      
CHAP Requests          0                  0               0       0         0       0      
MS-CHAP Requests       0                  0               0       0         0       0       
MS-CHAPv2 Requests     0                  0               0       0         0       0       
Mismatch Response      0                  0               0       0         0       0       
Invalid Secret         0                  0               0       0         0       0       
Access-Accept          0                  0               0       0         671     82      
Access-Reject          0                  0               0       0         7       3       
Accounting-Response    0                  0               0       0         4670    519     
Access-Challenge       0                  0               0       0         7726    989     
Unknown Response code  0                  0               0       0         0       0       
Timeouts               0                  0               0       0         910     58      
AvgRespTime (ms)       0                  0               0       0         82      662     
Total Qequests         0                  0               0       0         13293   1599    
Total Response         0                  0               0       0         13074   1593    
Read Error             0                  0               0       0         0       0      
SEQ first/last/free    0/0/0              0/0/0           0/0/0   0/0/0     0/0/0   0/0/0  


This is expected behavior by design. Aruba Instant's authentication mechanism isn't round-robin based.  Load balancing happens based on outstanding authentication sessions. If there are no outstanding sessions, i.e. if rate of auth is low, only primary will be used. secondary will be used only if there are outstanding auth sessions to primary. This approach would allow load balance across asymmetric capacity radius server without getting any input about server capabilities from administrator.

 

 

Version history
Revision #:
1 of 1
Last update:
‎07-03-2014 01:56 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.