MVP
Posts: 2,897
Registered: ‎10-25-2011

Two RADIUS servers on a server group

Okay, I'm using WPA2 Enterprise for 802.1X authentication.

I got 2 RADIUS servers, so if one goes down, well, we can still authenticate with the other one.

I got RadiusA and RadiusB.

One server group, which has:

RadiusA first

RadiusB second

I thought that if RadiusA was unavailable it would send the request to RadiusB, and well, IT DOES, but I get this message on RadiusB:

The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Now if I put RadiusB first in the server group, then it authenticates correctly, so it doesn't seem it's the configuration in the RADIUS servers...

Any idea what could be causing this?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,352
Registered: ‎03-29-2007

Re: Two RADIUS servers on a server group


NightShade1 wrote:

Okay, I'm using WPA2 Enterprise for 802.1X authentication.

I got 2 RADIUS servers, so if one goes down, well, we can still authenticate with the other one.

I got RadiusA and RadiusB.

One server group, which has:

RadiusA first

RadiusB second

I thought that if RadiusA was unavailable it would send the request to RadiusB, and well, IT DOES, but I get this message on RadiusB:

The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Now if I put RadiusB first in the server group, then it authenticates correctly, so it doesn't seem it's the configuration in the RADIUS servers...

Any idea what could be causing this?


Make sure the remote access policies on server B match what you have on server A. Just merely switching the servers in a server group does not mean that the controller has resumed using a server that has been labelled "out of service". Use the "show auth-tracebuf" command to accurately track which server is being used, when.

If you take a server out of service, the controller does not use it anymore. The exception is if you only have a single server in that server group; the Aruba controller does not take a server out of service if it is the single server in a server group.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 2,897
Registered: ‎10-25-2011

Re: Two RADIUS servers on a server group

Hello Cjoseph

I'll try using that command you just mentioned, but I see logs on radius2 when I disconnect radius1 telling me that error.

But tell me something:

If I've got 2 servers in the server group,

if the first one becomes unavailable, the second should be able to authenticate everyone? Like a redundancy: if radius1 fails then the other automatically starts authenticating users, right?


----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,352
Registered: ‎03-29-2007

Re: Two RADIUS servers on a server group


NightShade1 wrote:

Hello Cjoseph

I'll try using that command you just mentioned, but I see logs on radius2 when I disconnect radius1 telling me that error.

But tell me something:

If I've got 2 servers in the server group,

if the first one becomes unavailable, the second should be able to authenticate everyone? Like a redundancy: if radius1 fails then the other automatically starts authenticating users, right?


Yes, the second one should be able to authenticate everyone. Try to have ONLY the radius server with the problems in the server group, and make sure that one works by itself.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 2,897
Registered: ‎10-25-2011

Re: Two RADIUS servers on a server group

[ Edited ]

Hello Cjoseph

It does work.

Like I said above (must be my English, which is not good),

I've got radius1 and radius2 in the group.

radius1 is the first one in the group and radius2 is the second one.

If I unplug radius1's network cable it becomes unavailable and it doesn't work; I get this error in the radius2 event viewer:

The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Now it's not working, okay? radius1 is still unplugged, but I go to the Aruba controller, go to the server group and put radius2 first in the group, and after that it starts authenticating correctly.


----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 20,352
Registered: ‎03-29-2007

Re: Two RADIUS servers on a server group

We need the output of show auth-tracebuf when that is happening.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 2,897
Registered: ‎10-25-2011

Re: Two RADIUS servers on a server group

Okay cjoseph, I'll get it for you as soon as I can.

Cheers

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee
Posts: 135
Registered: ‎06-18-2007

Re: Two RADIUS servers on a server group

Did you make sure that radius2 is configured to support PEAP authentication (certificate/etc)? If you're getting the EAP message in the event viewer, I would re-verify your certificate and PEAP configuration on the radius server.


-Mike

MVP
Posts: 2,897
Registered: ‎10-25-2011

Re: Two RADIUS servers on a server group

I'll double-check that, but remember that it works if I've got radius2 first in the list of the server group... If what you said is true, well, I guess it wouldn't work even if I put it in first place in the server group, right? But it does work perfectly if it's in first place.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee
Posts: 135
Registered: ‎06-18-2007

Re: Two RADIUS servers on a server group

[ Edited ]

So to recap what you have:

- 2 radius servers: radius1, radius2

- one server group

Scenarios:

1. In server group, radius1 listed first then radius2 >> authentication works.

2. In server group, radius2 listed first then radius1 >> authentication works.

3. In server group, radius1 listed first then radius2; disconnect radius1 >> authentication fails/unsuccessful and you get the event log message about EAP issues.

4. When you move radius2 above radius1, authentication works.

Did you try with just having radius2 in the group? It's weird it would work for scenario 4 but when it's in passthrough mode, it gives the EAP errors.


-Mike
