Wireless Access


Fail Through vs Fall Through

  • 1.  Fail Through vs Fall Through

    Posted Aug 12, 2014 11:28 AM

    Situation:

    - Two RADIUS servers pointing to the same AD source.

    - 802.1X - EAP-PEAP and no termination on the controllers.

    - On the server group, each server is listed and fail through is checked.

    - One RADIUS server fails for 70 minutes (no pings, etc. Totally dead on the network)

     

    Since there is no termination on the controller, should the controller have ignored the fail through and acted like fall through? I saw no requests hitting the secondary server during this time. TAC seems uncertain of how the controller should have behaved and is mocking it up now.

     

    Thanks in advance!




  • 2.  RE: Fail Through vs Fall Through

    EMPLOYEE
    Posted Aug 12, 2014 08:14 PM

    I believe the fail through should be un-checked in the server group to allow the second RADIUS server to be tried after a dead interval (unreachability) on the first server...

     

    You can check which servers in the group are up and for how long, latency, etc., using these commands:

     

    [screenshot attachment: Screenshot 2014-08-12 20.12.48.png]



  • 3.  RE: Fail Through vs Fall Through

    Posted Aug 13, 2014 12:11 AM

    During this outage, did the controller show the 1st RADIUS server as out of service for those 70 minutes or was it continually trying to use it?   You mention you have two servers pointing to the same AD source; in this case there is no reason to enable fail-through since they hold the same database; in fact in 6.4 (not sure about other versions), you cannot enable fail-through on server-groups for dot1x networks without termination (which you also say you don't have enabled).

     

    Run the following command to determine if the controller realizes the 1st server is unreachable (the out-of-service column), or look at the server group in the UI.

     

    show aaa server-group summary

    [screenshot attachment: aos-server-out.png]

     

     

    If it is showing out-of-service it should go to the second server.   If it is not doing so, please pass along the AOS version and the results from the following:

     

    show aaa server-group <name-of-group>

    show aaa timers (to check on how long it keeps an out-of-service server "dead")

    show aaa authentication-server radius statistics



  • 4.  RE: Fail Through vs Fall Through

    Posted Aug 13, 2014 05:46 PM

    Seth and Clembo,


    Thanks for taking time to look at this. Below is the sanitized output from the commands you requested. Here are some thoughts for discussion:


    1) I agree, since both servers in the group point to the same Active Directory source, fall through would be a better option for this server group.
    2) Due to the auth server dead time being set to zero, the controller never marked the server as out of service. This means it should take 3 tries at 5 seconds each, or 15 seconds before querying the second server in the group. Correct?
    3) TAC told me last night that the fail through setting can be used, regardless of whether or not the dot1x networks are terminated on the controller.
    4) The server RADIUS1 was totally dead on the network during the 70 minutes.
    5) The AOS version is 6.3.1.5
    6) No termination is setup on the controllers.

    7) The uptime shown in the statistics is the time the controller has been up.

    My main question is: Based on my current settings (no matter how much they could be improved upon), should I be seeing user auth requests hitting the secondary RADIUS server?

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    (Controller2) #show aaa authentication-server radius statistics

    RADIUS Server Statistics
    ------------------------
    Server                 Acct Rq  Raw Rq     PAP Rq  CHAP Rq  MSCHAP Rq  MSCHAPv2 Rq  Mismatch Rsp  Bad Auth  Acc      Rej     Acct Rsp  Chal       Ukn Rsp  Tmout   AvgRspTm  Tot Rq     Tot Rsp    Rd Err  Uptime    SEQ
    ------                 -------  ------     ------  -------  ---------  -----------  ------------  --------  ---      ---     --------  ----       -------  -----   --------  ------     -------    ------  ------    ---
    RADIUS1                0        111723534  8       0        0          0            546           0         5444214  187306  0         105959329  0        551357  2         111723542  111591395  0       123:7:49  510/510
    RADIUS2                1856666  0          0       0        0          0            34            0         0        0       1856627   0          0        354     3         1856666    1856661    0       123:7:49  255/255

    *AvgRspTm is in msec, Uptime is in d:h:m, SEQ is in Total/Free

    Orphaned requests = 0

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    (Controller2) #show aaa authentication-server radius RADIUS1

    RADIUS Server "RADIUS1"
    -----------------------
    Parameter                              Value
    ---------                              -----
    Host                                   1.1.1.1
    Key                                    ********
    Auth Port                              1812
    Acct Port                              1813
    Retransmits                            3
    Timeout                                5 sec
    NAS ID                                 N/A
    NAS IP                                 N/A
    Enable IPv6                            Disabled
    NAS IPv6                               N/A
    Source Interface                       N/A
    Use MD5                                Disabled
    Use IP address for calling station ID  Disabled
    Mode                                   Enabled
    Lowercase MAC addresses                Disabled
    MAC address delimiter                  none
    Service-type of FRAMED-USER            Disabled

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    (Controller2) #show aaa authentication-server radius RADIUS2

    RADIUS Server "RADIUS2"
    ----------------------
    Parameter                              Value
    ---------                              -----
    Host                                   2.2.2.2
    Key                                    ********
    Auth Port                              1812
    Acct Port                              1813
    Retransmits                            3
    Timeout                                5 sec
    NAS ID                                 N/A
    NAS IP                                 3.3.3.3
    Enable IPv6                            Disabled
    NAS IPv6                               N/A
    Source Interface                       N/A
    Use MD5                                Disabled
    Use IP address for calling station ID  Disabled
    Mode                                   Enabled
    Lowercase MAC addresses                Disabled
    MAC address delimiter                  none
    Service-type of FRAMED-USER            Disabled

    (Controller2) #

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    (Controller2) #show aaa server-group summary

    Server Groups
    -------------
    Name                         Servers  Rules  hits  Out-of-service
    ----                         -------  -----  ----  --------------
    sg-auth-dot1x                2        0      0

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    (Controller2) #show aaa server-group

    Server Group List
    -----------------
    Name                         References  Profile Status
    ----                         ----------  --------------
    sg-auth-dot1x                9

    Total:1

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    (Controller2) # show aaa server-group sg-auth-dot1x

    Fail Through:Yes

    Auth Servers
    ------------
    Name     Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
    ----     -----------  ---------  ----------  --------  ---------
    RADIUS1  Radius       Yes
    RADIUS2  Radius       Yes

    Role/VLAN derivation rules
    ---------------------------
    Priority  Attribute  Operation  Operand  Type  Action  Value  Validated
    --------  ---------  ---------  -------  ----  ------  -----  ---------

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    (Controller2) #show aaa timers

    Global User idle timeout = 900 seconds
    Auth Server dead time = 0 minutes
    Logon user lifetime = 5 minutes
    User Interim stats frequency = 600 seconds

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



  • 5.  RE: Fail Through vs Fall Through

    Posted Aug 13, 2014 06:32 PM

    You might be victim of a couple of things. My feeling is that you will not see the 2nd server hit with your setup. My rationale is the following:

    • Fail-through will only come into play when there is an auth failure/auth deny (not a timeout)
    • Since you have your timer set at 0, the server is never marked out of service; so the 2nd server is not hit

    I realize what TAC may have said, but fail-through should not be used on a server-group doing dot1x authentication unless EAP termination is enabled on the controller. This ensures that 802.1X session and key information are in sync as the client connects and roams. In 6.4 it is not allowed; I am not sure about your version, 6.3.1.5. This error is seen in 6.4:

     

    [screenshot attachment: aos-failthrough.png]

     

    Why is your dead timer set to 0?   If that is the case, the controller will never mark the server as out-of-service for the 2nd server to be used.

     

    Can you change the dead timer to a higher value (default is 10 mins)?
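A small model of the server-group behaviour the replies above describe, added here as an illustration (it is not ArubaOS code). It assumes exactly what the thread states: an unreachable server consumes Retransmits x Timeout seconds and the request then fails, the server is marked out-of-service only when "Auth Server dead time" is non-zero, and fail-through moves to the next server only after an explicit Access-Reject. Server names and the Retransmits/Timeout values are taken from the output posted in reply 4; everything else is constructed.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    reachable: bool          # constructed: does the host answer RADIUS at all?
    accepts: bool = True     # constructed: would it return Access-Accept?
    retransmits: int = 3     # from the page's "Retransmits 3"
    timeout: int = 5         # from the page's "Timeout 5 sec"
    dead_until: int = 0      # simulated clock value until which it is out-of-service

@dataclass
class ServerGroup:
    servers: list
    fail_through: bool       # "Fail Through:Yes" in show aaa server-group
    dead_time_min: int       # "Auth Server dead time" in show aaa timers

def authenticate(group, now):
    """One authentication request at simulated time `now` (seconds).
    Returns (outcome, server_name, seconds_waited)."""
    for s in group.servers:
        if s.dead_until > now:
            continue                      # marked out-of-service: skip to next server
        if not s.reachable:
            waited = s.retransmits * s.timeout        # 3 x 5 s = 15 s of silence
            if group.dead_time_min > 0:               # only then is it marked dead
                s.dead_until = now + group.dead_time_min * 60
            return ("timeout", s.name, waited)        # a timeout does not fail through
        if s.accepts:
            return ("accept", s.name, 0)
        if not group.fail_through:
            return ("reject", s.name, 0)
        # fail-through: Access-Reject here, so try the next server in the group
    return ("reject", None, 0)

def outage(dead_time_min, fail_through, requests=3):
    """Replay requests one minute apart while RADIUS1 is dead on the network."""
    group = ServerGroup([Server("RADIUS1", reachable=False),
                         Server("RADIUS2", reachable=True)],
                        fail_through, dead_time_min)
    return [authenticate(group, now=i * 60) for i in range(requests)]

def bad_password(fail_through):
    """Both servers up; RADIUS1 rejects the credential, RADIUS2 would accept it."""
    group = ServerGroup([Server("RADIUS1", reachable=True, accepts=False),
                         Server("RADIUS2", reachable=True)],
                        fail_through, dead_time_min=10)
    return authenticate(group, now=0)
```

With dead time 0, `outage(0, True)` never reaches RADIUS2, matching reply 5; with the default 10 minutes, only the first request waits 15 s and the rest go straight to RADIUS2.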