Why doesn't external authentication work for a Guest SSID if the secondary server is selected as Internal DB?
Configure a Guest SSID.
Use an external server as the primary server and Internal DB as the secondary server.
In this case, where the Guest SSID has an external primary server and InternalDB as the secondary server, the authentication request never reaches the primary server and always hits the Internal DB.
The reason is that an internal server is currently not supported as the backup server for a guest SSID.
So if a guest SSID's backup server is internal, all RADIUS requests are sent automatically to the internal server, ignoring the primary external server.
If both the primary and backup servers are external, failover works as expected: by default, requests go to the first server, and if the first server is down, the RADIUS request is sent to the backup server.
Use show ap debug radius-statistics to check whether a RADIUS server is up or down.
If the IAP considers the first server down, its status is shown as down in the output of that command for a default time of 5 minutes.
After 5 minutes, the server status will be up again, and the AP will try to send RADIUS requests to it.
This behavior applies only to the Guest SSID; the Employee SSID works fine even if the secondary server is InternalDB.
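The following configuration audit for the guest SSID case above is an added example, not code from the original article or from the vendor. It flags guest SSIDs whose external primary server would be silently bypassed. The config keywords (wlan ssid-profile, type, auth-server, InternalServer) are an assumed Instant-style syntax, and the profile and server names are constructed.

```python
import re

# Constructed sample in an assumed Instant-style CLI syntax (not from the page).
SAMPLE_CONFIG = """\
wlan ssid-profile Guest-WiFi
 type guest
 auth-server ext-radius-1
 auth-server InternalServer
wlan ssid-profile Guest-OK
 type guest
 auth-server ext-radius-1
 auth-server ext-radius-2
wlan ssid-profile Corp
 type employee
 auth-server ext-radius-1
 auth-server InternalServer
"""
INTERNAL = "InternalServer"  # assumed config name of the internal DB

def parse_profiles(text):
    """Return {profile: {"type": str|None, "servers": [primary, backup, ...]}}."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"wlan ssid-profile\s+(\S+)", line)
        if m:
            current = profiles.setdefault(m.group(1), {"type": None, "servers": []})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key == "type":
                current["type"] = value.strip()
            elif key == "auth-server":
                current["servers"].append(value.strip())
        else:
            current = None  # left the profile block
    return profiles

def bypassed_guest_ssids(text):
    """Guest SSIDs with an external primary and the internal DB as backup."""
    hits = []
    for name, p in parse_profiles(text).items():
        servers = p["servers"]
        if (p["type"] == "guest" and len(servers) >= 2
                and servers[0] != INTERNAL and servers[1] == INTERNAL):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for ssid in bypassed_guest_ssids(SAMPLE_CONFIG):
        print(f"{ssid}: external primary is ignored, all auth goes to the internal DB")
```

The employee profile with the same server pair is deliberately not flagged, matching the behavior described above.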