Occasional Contributor II

Fail Through vs Fall Through

Situation:

- Two RADIUS servers pointing to the same AD source.

- 802.1X - EAP-PEAP and no termination on the controllers.

- On the server group, each server is listed and fail through is checked.

- One RADIUS server fails for 70 minutes (no pings, etc. Totally dead on the network)


Since there is no termination on the controller, should the controller have ignored the fail through and acted like fall through? I saw no requests hitting the secondary server during this time. TAC seems uncertain of how the controller should have behaved and is mocking it up now.


Thanks in advance!


Re: Fail Through vs Fall Through

I believe the fail through should be un-checked in the server group to allow the second RADIUS server to be tried after a dead interval (unreachability) on the first server...


You can check which servers in the group are up and for how long, latency, etc., using these commands:


[Screenshot: Screenshot 2014-08-12 20.12.48.png]

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba

Re: Fail Through vs Fall Through

During this outage, did the controller show the 1st RADIUS server as out of service for those 70 minutes or was it continually trying to use it?   You mention you have two servers pointing to the same AD source; in this case there is no reason to enable fail-through since they hold the same database; in fact in 6.4 (not sure about other versions), you cannot enable fail-through on server-groups for dot1x networks without termination (which you also say you don't have enabled).


Run the following command to determine if the controller realizes the 1st server is unreachable (the out-of-service column), or look at the server group in the UI.


show aaa server-group summary

[Image: aos-server-out.png]


If it is showing out-of-service it should go to the second server.   If it is not doing so, please pass along the AOS version and the results from the following:


show aaa server-group <name-of-group>

show aaa timers (to check on how long it keeps an out-of-service server "dead")

show aaa authentication-server radius statistics

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II

Re: Fail Through vs Fall Through

Seth and Clembo,


Thanks for taking time to look at this. Below is the sanitized output from the commands you requested. Here are some thoughts for discussion:


1) I agree, since both servers in the group point to the same Active Directory source, fall through would be a better option for this server group.
2) Due to the auth server dead time being set to zero, the controller never marked the server as out of service. This means it should take 3 tries at 5 seconds each, or 15 seconds before querying the second server in the group. Correct?
3) TAC told me last night that the fail through setting can be used, regardless of whether or not the dot1x networks are terminated on the controller.
4) The server RADIUS1 was totally dead on the network during the 70 minutes.
5) The AOS version is 6.3.1.5
6) No termination is setup on the controllers.

7) The uptime shown in the statistics is the time the controller has been up.

My main question is: Based on my current settings (no matter how much they could be improved upon), should I be seeing user auth requests hitting the secondary RADIUS server?

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(Controller2) #show aaa authentication-server radius statistics

RADIUS Server Statistics
------------------------
Server                 Acct Rq  Raw Rq     PAP Rq  CHAP Rq  MSCHAP Rq  MSCHAPv2 Rq  Mismatch Rsp  Bad Auth  Acc      Rej     Acct Rsp  Chal       Ukn Rsp  Tmout   AvgRspTm  Tot Rq     Tot Rsp    Rd Err  Uptime    SEQ
------                 -------  ------     ------  -------  ---------  -----------  ------------  --------  ---      ---     --------  ----       -------  -----   --------  ------     -------    ------  ------    ---
RADIUS1                0        111723534  8       0        0          0            546           0         5444214  187306  0         105959329  0        551357  2         111723542  111591395  0       123:7:49  510/510
RADIUS2                1856666  0          0       0        0          0            34            0         0        0       1856627   0          0        354     3         1856666    1856661    0       123:7:49  255/255

*AvgRspTm is in msec, Uptime is in d:h:m, SEQ is in Total/Free

Orphaned requests = 0

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(Controller2) #show aaa authentication-server radius RADIUS1

RADIUS Server "RADIUS1"
-----------------------
Parameter                              Value
---------                              -----
Host                                   1.1.1.1
Key                                    ********
Auth Port                              1812
Acct Port                              1813
Retransmits                            3
Timeout                                5 sec
NAS ID                                 N/A
NAS IP                                 N/A
Enable IPv6                            Disabled
NAS IPv6                               N/A
Source Interface                       N/A
Use MD5                                Disabled
Use IP address for calling station ID  Disabled
Mode                                   Enabled
Lowercase MAC addresses                Disabled
MAC address delimiter                  none
Service-type of FRAMED-USER            Disabled

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(Controller2) #show aaa authentication-server radius RADIUS2

RADIUS Server "RADIUS2"
----------------------
Parameter                              Value
---------                              -----
Host                                   2.2.2.2
Key                                    ********
Auth Port                              1812
Acct Port                              1813
Retransmits                            3
Timeout                                5 sec
NAS ID                                 N/A
NAS IP                                 3.3.3.3
Enable IPv6                            Disabled
NAS IPv6                               N/A
Source Interface                       N/A
Use MD5                                Disabled
Use IP address for calling station ID  Disabled
Mode                                   Enabled
Lowercase MAC addresses                Disabled
MAC address delimiter                  none
Service-type of FRAMED-USER            Disabled

(Controller2) #

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(Controller2) #show aaa server-group summary

Server Groups
-------------
Name                         Servers  Rules  hits  Out-of-service
----                         -------  -----  ----  --------------
sg-auth-dot1x                2        0      0

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(Controller2) #show aaa server-group

Server Group List
-----------------
Name                         References  Profile Status
----                         ----------  --------------
sg-auth-dot1x                9

Total:1

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(Controller2) # show aaa server-group sg-auth-dot1x

Fail Through:Yes

Auth Servers
------------
Name     Server-Type  trim-FQDN  Match-Type  Match-Op  Match-Str
----     -----------  ---------  ----------  --------  ---------
RADIUS1  Radius       Yes
RADIUS2  Radius       Yes

Role/VLAN derivation rules
---------------------------
Priority  Attribute  Operation  Operand  Type  Action  Value  Validated
--------  ---------  ---------  -------  ----  ------  -----  ---------

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(Controller2) #show aaa timers

Global User idle timeout = 900 seconds
Auth Server dead time = 0 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 600 seconds

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Aruba

Re: Fail Through vs Fall Through

You might be a victim of a couple of things. My feeling is that you will not see the 2nd server hit with your setup. My rationale is the following:

  • Fail-through will only come into play when there is an auth failure/auth deny (not a timeout)
  • Since you have your timer set at 0, the server is never marked out of service; so the 2nd server is not hit

I realize what TAC may have said, but fail-through should not be used on a server-group doing dot1x authentication unless EAP termination is enabled on the controller. This ensures that 802.1X session and key information are in sync as the client connects and roams. In 6.4 it is not allowed; I am not sure about your version, 6.3.1.5. This error is seen in 6.4:


[Image: aos-failthrough.png]


Why is your dead timer set to 0?   If that is the case, the controller will never mark the server as out-of-service for the 2nd server to be used.


Can you change the dead timer to a higher value (default is 10 mins)?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
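As an added example (not part of the thread and not Aruba's own tooling), a small Python parser for the "show aaa authentication-server radius statistics" table posted above, with the two checks the replies point at: unanswered requests per server, and whether an "Auth Server dead time" of 0 leaves a timing-out server permanently in service. The sample table is the thread's own two rows, constructed here as an inline string; next_server_tried() is an assumed model of the last reply's rationale, not vendor documentation.

```python
import re

# Constructed sample: header plus the two data rows from the thread's statistics output.
SAMPLE_STATS = """\
Server                 Acct Rq  Raw Rq     PAP Rq  CHAP Rq  MSCHAP Rq  MSCHAPv2 Rq  Mismatch Rsp  Bad Auth  Acc      Rej     Acct Rsp  Chal       Ukn Rsp  Tmout   AvgRspTm  Tot Rq     Tot Rsp    Rd Err  Uptime    SEQ
------                 -------  ------     ------  -------  ---------  -----------  ------------  --------  ---      ---     --------  ----       -------  -----   --------  ------     -------    ------  ------    ---
RADIUS1                0        111723534  8       0        0          0            546           0         5444214  187306  0         105959329  0        551357  2         111723542  111591395  0       123:7:49  510/510
RADIUS2                1856666  0          0       0        0          0            34            0         0        0       1856627   0          0        354     3         1856666    1856661    0       123:7:49  255/255
"""

def parse_radius_stats(text):
    """Return {server: {column: value}}. Column names come from the header
    (split on 2+ spaces); data rows are whitespace-separated, one token per column."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    servers = {}
    for line in lines[1:]:
        fields = line.split()
        if line.lstrip().startswith("-") or len(fields) != len(header):
            continue  # skip the dashed rule and anything that is not a data row
        row = dict(zip(header, fields))
        for key in ("Acc", "Rej", "Tmout", "Tot Rq", "Tot Rsp"):
            row[key] = int(row[key])
        servers[row["Server"]] = row
    return servers

def health_report(servers, dead_time_minutes):
    """Unanswered requests and timeout rate per server, plus the check from the replies:
    with dead time 0, a server that times out is never marked out-of-service."""
    report = {}
    for name, s in servers.items():
        tot_rq = s["Tot Rq"]
        report[name] = {
            "unanswered": tot_rq - s["Tot Rsp"],
            "timeout_rate": s["Tmout"] / tot_rq if tot_rq else 0.0,
            "stuck_in_service": dead_time_minutes == 0 and s["Tmout"] > 0,
        }
    return report

def next_server_tried(outcome, fail_through, out_of_service):
    """Assumed model of the last reply (not vendor documentation): fail-through moves on
    only on an auth reject; a timeout moves on only once the server is out-of-service."""
    if outcome == "reject":
        return fail_through
    if outcome == "timeout":
        return out_of_service
    return False  # an accept never needs a second server
```

Run it against the posted output with dead_time_minutes=0 and both servers come back "stuck_in_service", which is the condition the last reply describes.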
