Wireless Access

Is dynamic server selection only for when termination enabled?

I basically have two RADIUS servers configured for a particular server-group. Termination not enabled.

 

Problem is, particular handheld devices are only successful if they use the backup server. Every other device is fine against the primary RADIUS.

 

And yes, I know the server guys need to fix it, but I'm trying to see what my options are.

 

Thanks


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: Is dynamic server selection only for when termination enabled?

Do you have "fail through" ticked off? If yes, this will send the auth to the second server IF the primary server sends a reject message.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Re: Is dynamic server selection only for when termination enabled?

But that is only if termination is enabled on the controller? Is that right?



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: Is dynamic server selection only for when termination enabled?

According to the user guide, yes.  Have you looked at the following:

 

The controller can dynamically select an authentication server from a server group based on the user information sent by the client in an authentication request.

 

For example, an authentication request can include client or user information in one of the following formats:

 

- <domain>\<user>—for example, corpnet.com\darwin
- <user>@<domain>—for example, darwin@corpnet.com
- host/<pc-name>.<domain>—for example, host/darwin-g.finance.corpnet.com (this format is used with 802.1x machine authentication in Windows environments)

 

When you configure a server in a server group, you can optionally associate the server with one or more match rules. A match rule for a server can be one of the following:

 

- The server is selected if the client/user information contains a specified string.
- The server is selected if the client/user information begins with a specified string.
- The server is selected if the client/user information exactly matches a specified string.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com

Re: Is dynamic server selection only for when termination enabled?

Trying to do that, but doesn't seem to work.  Here is the server-group

 

Brasil server-group.jpg

 

but here is the auth-tracebuf

 

Sep 25 14:52:30  eap-id-req            <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               1   5
Sep 25 14:52:30  eap-id-resp           ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               1   25   <user>@CORP
Sep 25 14:52:30  rad-req               ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               18  262
Sep 25 14:52:30  rad-resp              <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  18  90
Sep 25 14:52:30  eap-req               <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               2   6
Sep 25 14:52:30  eap-nak               ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               2   6
Sep 25 14:52:30  rad-req               ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  27  281
Sep 25 14:52:30  rad-reject            <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  27  56
Sep 25 14:52:30  eap-failure           <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               2   4    server rejected

 

To me, that shows it not working.  I tried with the match-authstring as well with the username, but it didn't choose the second server.

 

:smileysad:

 



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
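
One way to check a trace like the one above against the match rules quoted earlier in the thread, as an added example that is not from the posters or from ArubaOS. It assumes servers are tried in list order and that a server with no rules matches any identity, treats matching as case-sensitive, and assumes `rad-accept` is the success event name; the `backup01` server and its rule are hypothetical.

```python
import re

# Trace lines copied from the auth-tracebuf output in the post above.
TRACE = """\
Sep 25 14:52:30  eap-id-resp           ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               1   25   <user>@CORP
Sep 25 14:52:30  rad-req               ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32               18  262
Sep 25 14:52:30  rad-resp              <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  18  90
Sep 25 14:52:30  rad-req               ->  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  27  281
Sep 25 14:52:30  rad-reject            <-  00:23:68:cd:4a:86  24:de:c6:dc:dd:32/primary01  27  56
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<event>\S+)\s+(?:<-|->)\s+(?P<sta>\S+)\s+"
                  r"(?P<bssid>[0-9a-f:]{17})(?:/(?P<server>\S+))?\s+\d+\s+\d+(?:\s+(?P<note>.+))?$")

MATCHERS = {  # the three rule types listed in the quoted user guide text
    "contains": lambda ident, s: s in ident,
    "starts-with": lambda ident, s: ident.startswith(s),
    "equals": lambda ident, s: ident == s,
}

def select_server(group, identity):
    """Assumed model: first server in order with no rules, or with any matching rule."""
    for server, rules in group:
        if not rules or any(MATCHERS[kind](identity, s) for kind, s in rules):
            return server
    return None

def audit(trace, group):
    """Per station: identity sent, server the rules should pick, servers that answered."""
    stations = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        st = stations.setdefault(m["sta"], {"identity": None, "used": [], "result": None})
        if m["event"] == "eap-id-resp":
            st["identity"] = m["note"]
        if m["server"] and m["server"] not in st["used"]:
            st["used"].append(m["server"])
        if m["event"] in ("rad-accept", "rad-reject"):  # rad-accept is an assumed name
            st["result"] = m["event"]
    for st in stations.values():
        st["expected"] = select_server(group, st["identity"] or "")
        st["mismatch"] = bool(st["used"]) and st["used"] != [st["expected"]]
    return stations

# Hypothetical group: "backup01" and its rule are constructed; "primary01" is from the trace.
GROUP = [("backup01", [("contains", "@CORP")]), ("primary01", [])]
```

Running `audit(TRACE, GROUP)` flags the station as a mismatch: the identity satisfies the rule for the hypothetical backup server, yet only `primary01` appears in the RADIUS exchanges.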

Re: Is dynamic server selection only for when termination enabled?

I had a look at this with TAC and it just doesn't seem to work as it should, and is looking like a bug.  AOS 6.2.1.3.

 

In spite of this I was wondering what happens in the example above if the first server becomes unavailable?  If there is only one server available are the match rules ignored then and all clients just use that as normal?



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com