Contributor II
Posts: 37
Registered: ‎03-08-2013

AAA Profile - Radius Fail Through Group

Hi Guys,

 

I have an interesting little problem, I have a radius failover group against a wireless profile, and everything is working well...until...

Here comes the back story...

 

Our servers are scheduled to run any outstanding updates and reboot every Saturday night.

However, when the radius servers reboot, they get flagged as offline by the Aruba Controller; so when all our users return on a Monday morning all hell breaks loose because nobody is getting authenticated against the wireless SSID.

 

So I thought I’d play it smart and stagger the radius server reboots giving the controller time to recognise that the first server that went offline is now back, and then reboot the second.

 

However it seems once the controller has deemed the radius server(s) offline it doesn’t bother to recheck for its return and so when the second one goes down for a reboot - we effectively have no radius authentication until we reboot both Aruba Controllers.

 

 

I’m hoping that there is a setting that can be applied to tell the controller to keep retrying the radius server it has flagged as offline, to return it back to the online status once the reboot has completed.

Any help would be gratefully received.

 

Many thanks,

MVP
Posts: 4,232
Registered: ‎07-20-2011

Re: AAA Profile - Radius Fail Through Group

 

Do you have fail through enabled ?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 128
Registered: ‎03-13-2008

Re: AAA Profile - Radius Fail Through Group

You should have more than one server in your list, check box for fail through checked?

Version of code? 

David Dipert
Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: AAA Profile - Radius Fail Through Group

Are you terminating on the controller or the RADIUS server?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 37
Registered: ‎03-08-2013

Re: AAA Profile - Radius Fail Through Group

Sorry for the late response guys.

 

Ok so I have two radius servers in the profile and Fail Through is ticked.

 

I have proven that Fail Through is working; if I kill one of the radius servers, the controller starts to use the other - perfect. However, the controller never re-establishes that the server that went offline has come back online. It remains flagged as offline.

 

The problem I have is, when both of the servers reboot on the weekend the controller marks them both as offline and doesn't change them back to online until I reboot the controller.

 

It would appear that the controller is not trying to re-establish a link with the radius servers once it has flagged them as offline.

Frequent Contributor II
Posts: 128
Registered: ‎03-13-2008

Re: AAA Profile - Radius Fail Through Group

With Fail through not checked:
The request is sent to server 1 in the list; if server 1 does not respond, then it will send the request to server 2.

With fail through checked:
The request is sent to server 1; if server 1 sends a reject, then the request will get sent to server 2. If server 1 sends an accept, then you have access; if server 1 doesn't respond, then the request is sent to server 2.

As cappalli asked before, where is termination happening? Controller or the Radius server?

When you see that server 1 is not responding are you able to send a diagnostic test to confirm that the server is responding?
What code version?
David Dipert
Contributor II
Posts: 37
Registered: ‎03-08-2013

Re: AAA Profile - Radius Fail Through Group

Hi,

 

Again, many apologies for the late reply.

I'm not sure I understand the question regarding "termination" nor "code version"; if you could layman's term it for me that would be great.

The radius servers are not responding to the controllers at all once the servers have rebooted. The request times out from the controller diagnostics page. No logs or hits at the Radius end from the controllers at all.

 

At the same time as timing out for the controllers, the same radius servers are responding to other requests from other devices such as dynamic vlan tagging for wired devices.

 

Once the controllers are rebooted - everything starts to work again.

Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: AAA Profile - Radius Fail Through Group


7cups wrote:

Hi,

 

Again, many apologies for the late reply.

I'm not sure I understand the question regarding "termination" nor "code version"; if you could layman's term it for me that would be great.

The radius servers are not responding to the controllers at all once the servers have rebooted. The request times out from the controller diagnostics page. No logs or hits at the Radius end from the controllers at all.

 

At the same time as timing out for the controllers, the same radius servers are responding to other requests from other devices such as dynamic vlan tagging for wired devices.

 

Once the controllers are rebooted - everything starts to work again.


7Cups:

 

- Uncheck Failthrough, because it does not apply to your current situation.  The purpose of failthrough is when you have servers from different domains and you want to check them both when an authentication comes in.  Unchecking failthrough improves your performance by not forcing the controller to check both servers all the time.

- If you have two servers in a server group, the first server will be used until it is unavailable, and then the second one will be used.

- If you have two servers in a server group, both cannot be marked down at one time.  If the first one is marked down, it will continue to use the second one indefinitely, so that you are not put into a bind.

- It should periodically check to see if the first one is back and use that one eventually.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
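The server-group behaviour described in the replies above (fail-through on a reject, fallback on no response, never marking the last server down, and a periodic recheck), as an added Python model that is not part of the original thread and is not ArubaOS code. The `recheck_after` interval, the class names and the server replies are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"

@dataclass
class Server:
    name: str
    reply: str                         # constructed behaviour: accept / reject / timeout
    down_since: Optional[float] = None  # None means the server is in service

class ServerGroup:
    def __init__(self, servers, fail_through, recheck_after=600):
        self.servers = servers
        self.fail_through = fail_through
        self.recheck_after = recheck_after  # hypothetical retry interval, in seconds

    def _in_service(self, now):
        # Return a down server to service once the retry interval has passed,
        # so it is tried again in list order on the next request.
        for s in self.servers:
            if s.down_since is not None and now - s.down_since >= self.recheck_after:
                s.down_since = None
        return [s for s in self.servers if s.down_since is None]

    def authenticate(self, now):
        """Return (result, names of the servers contacted, in list order)."""
        tried, result = [], TIMEOUT
        for s in self._in_service(now):
            tried.append(s.name)
            if s.reply == TIMEOUT:
                # Fall back to the next server, but never mark the last
                # in-service server down.
                if sum(x.down_since is None for x in self.servers) > 1:
                    s.down_since = now
                continue
            result = s.reply
            if result == ACCEPT or not self.fail_through:
                break  # a reject is final unless fail-through is enabled
        return result, tried

if __name__ == "__main__":
    group = ServerGroup([Server("s1", REJECT), Server("s2", ACCEPT)], fail_through=True)
    print(group.authenticate(now=0))
```

With fail-through enabled, a reject from the first server is not final: the same credentials are offered to every remaining server in the group, which is the per-request cost Colin Joseph describes.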

Contributor II
Posts: 37
Registered: ‎03-08-2013

Re: AAA Profile - Radius Fail Through Group

Hi CJ,

 

I'll uncheck failthrough now and see how we go.

Looks like I've been misinformed by our support agency.

 

Many thanks,

 

Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: AAA Profile - Radius Fail Through Group


7cups wrote:

Hi CJ,

 

I'll uncheck failthrough now and see how we go.

Looks like I've been misinformed by our support agency.

 

Many thanks,

 


7Cups,

 

I only mentioned a single non-invasive idea on how to possibly deal with a single issue.  From your posts, you probably have other issues that need to be defined and fixed.  Please email TAC at support@arubanetworks.com and determine your status.

 



Colin Joseph
Aruba Customer Engineering
