RADIUS Server Fail-Open
RADIUS Server Fail-Open
Summary : How to enable RADIUS Fail-Open in Mobility Access Switch
When wired users try to access a network where AAA servers are unreachable, they will be unable to authenticate and will continue to stay in the configured initial role. As a result, a user may effectively be blocked off the network due to a restrictive initial-role. To overcome this problem, ArubaOS provides support for RADIUS Fail-open. This feature enables the IT administrators to provide an alternate user-role (unreachable-role) to the users for network connectivity during a AAA server outage. When AAA servers are unreachable, the RADIUS Fail-open feature assigns the unreachable-role to the users trying to authenticate. The users will stay in the unreachable-role until at least one of the AAA servers is back in service.
Feature Notes :
A client remains in the initial role until all the AAA servers in the server group are processed. The unreachable-role is assigned to a user only when:
- no intermediate role (such as UDR, MAC auth, and 802.1x machine-auth-machine-role) has been derived i.e. the user is still in initial role, and
- the last AAA server in the AAA server group has been processed, and
- if one or more AAA servers have timed out and the rest have failed the authentication, or if all the servers have timed out.
- A role derived after authenticating UDR or MAC auth will have more privileges than the initial or unreachable-role.
- AAA unreachable-role is assigned to that MAC, and
- no intermediate VLAN has been derived.
- AAA unreachable-role-based-VLAN (high priority) takes precedence over the switching profile's VLAN (low priority).
When the AAA server comes back in service, all the clients corresponding to that server group are cleared from the mac-in-unreachable-list table. The clients then re-attempt authentication
When a client is removed from the mac-in-unreachable-list table, the port to which it is connected is administratively disabled (shutdown) and then re-enabled (in 5 seconds). This is to ensure that the client initiates the DHCP process again when it re-attempts authentication. The port is administratively disabled and then reenabled in the following scenarios:
- When all the clients on the same port are removed from the mac-in-unreachable-list table, if there are more than one client on the same port.
- When aaa user delete command is executed to delete a client entry that is in the mac-in-unreachable-list table.
- The port does not get shut when the client entry that is in the unreachable-role ages out due to AAA timer expiry..
- the AAA server dead time expiry is set to 0, the clients that are in the unreachable-role are rolled back to initial role and are removed from the mac-in-unreachable-list table. No clients will be assigned the unreachable-role as RADIUS Fail-open gets disabled.
- If a system switch over happens (the secondary switch becomes the new primary and the primary switch becomes the new secondary) in the network while RADIUS Fail-Open is active, the following process takes place:
- The user table entries for the clients that were in mac-in-unreachable-list table are deleted and their respective interfaces are administratively disabled and then re-enabled. These clients re-attempt authentication and derive a role based on the authentication outcome.
- If the servers are still out of service during the authentication re-attempt, they will be marked as out of service
- all the servers are out of service, or
- when all the servers except the last one in the server group are out of service and the last one fails authentication.
Configuration Steps :
- the unreachable-role is configured under the AAA profile, and
- the AAA server dead time expiry feature is enabled (i.e. the dead time value is set above 0)
· RADIUS Fail-Open is not supported when re-authentication timer is enabled.
· RADIUS Fail-Open is not supported when EAP-Termination is enabled under 802.1x authentication profile.
When the unreachable-role is assigned to a captive portal user, the user may be misled to the welcome screen indicating that the authentication has succeeded. It is recommended to configure the Captive Portal Authentication Profile under the unreachable-role to avoid such misleading scenarios.