Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Location-specific server group

  • 1.  Location-specific server group

    Posted Feb 21, 2012 08:22 AM

    Our company has a distributed network consisting of many sites, most of which use Aruba mobility controllers (master/local configuration). Configuration is performed globally, and sites share SSIDs. Every site has 1-2 RADIUS servers. In the Aruba configuration, all RADIUS servers are put into one server group. There is a natural desire for the controller in every site to try using the local RADIUS server (the one in the same site) first, and then switch to remote servers if the local ones are not available. However, since there is one global server group, mobility controllers try to contact RADIUS servers in the same order. We can, of course, create a separate server group for each location - but then we would need separate AAA profiles for each location and a separate VAP profile for every SSID in every location, thus greatly increasing configuration complexity and abandoning most benefits of centralized configuration.

     

    At present, we prevent mobility controllers from contacting RADIUS servers in other sites by filtering out their RADIUS traffic on routers, thus making controllers able to communicate only with local servers. A rather dirty solution.

     

    So the question is - is there any way to do that somehow better? Something like "location-specific server groups", or the ability to selectively override global configuration objects on local controllers? I'm not really an Aruba expert; maybe there is some simple answer.



  • 2.  RE: Location-specific server group

    Posted Feb 21, 2012 09:10 AM

    I think the only way to do this is via the multiple profiles/etc.  I'm not aware of any other way of doing this.  I do not believe there is a location-based method of doing this, but maybe someone from Aruba can chime in if there is.

     

    Your concern for increased config is noted, but once you configure this properly, you should not have to worry about the configuration moving forward.  Your configuration is still centrally managed, so you don't need to make changes to local controllers directly for any of the additional profiles configuration.

     

    -Mike



  • 3.  RE: Location-specific server group

    Posted Feb 21, 2012 10:10 AM

    You will have to create those location-specific server groups and AAA profiles to contain those server groups. AFAIK there is no other way to configure location-specific servers currently.



  • 4.  RE: Location-specific server group

    Posted Feb 21, 2012 02:01 PM

    Not only AAA profiles, but also VAP profiles - one for every SSID in every location!

     

    Overall, I believe our scenario and the problem described should be quite typical, so it would be good to see such a feature added in future Aruba OS versions.



  • 5.  RE: Location-specific server group

    Posted Feb 21, 2012 03:30 PM

    @yva wrote:

    Not only AAA profiles, but also VAP profiles - one for every SSID in every location!

     

    Overall, I believe our scenario and the problem described should be quite typical, so it would be good to see such a feature added in future Aruba OS versions.




    Yva, 

     

    An RFE (Request for Enhancement) has been filed for this particular feature. 

     

    Thanks,

    --

    Hardik 



  • 6.  RE: Location-specific server group

    Posted Feb 22, 2012 05:17 AM

    Great, thank you! Let's hope it will be implemented someday.

     

    Just to show the complexity of the configuration. In our network, mobility controllers are deployed in 9 sites, and there are 24 VAP profiles. If we create a separate server group for every site, that will mean 9 server groups and 9 AAA profiles for them (because every AAA profile uses a single server group). That can be tolerated, but we would also need up to 24 * 9 = 216 VAP profiles! And this is already serious. (The real number of VAP profiles needed would be smaller, because not every profile is deployed in every site.)

     

    Also, if you want, I can describe the desired feature behaviour from my point of view as a customer. Are you interested?
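
Added example, not part of the thread or of any poster's configuration: a small generator for the per-site profile approach the replies recommend, which orders each site's server group local-first and reports how many objects result. Site, server and SSID names are constructed; the ArubaOS command names (`aaa server-group`, `auth-server`, `aaa profile`, `dot1x-server-group`, `wlan virtual-ap`) and the assumption that 802.1X is the authentication in use should be checked against your release.

```python
# Constructed inventory: site -> RADIUS servers already defined on the controller.
SITES = {
    "site1": ["rad-site1-a", "rad-site1-b"],
    "site2": ["rad-site2-a"],
    "site3": ["rad-site3-a", "rad-site3-b"],
}
# Constructed deployment map: SSID profile -> sites where it is broadcast.
VAPS = {"corp": ["site1", "site2", "site3"], "guest": ["site1", "site3"]}


def server_order(site, sites):
    """Local servers first, then every remote server in stable site order."""
    remote = [s for name in sorted(sites) if name != site for s in sites[name]]
    return list(sites[site]) + remote


def render(sites, vaps):
    """Return (config_text, counts) for per-site groups, AAA profiles and VAPs."""
    lines = []
    counts = {"server_groups": 0, "aaa_profiles": 0, "vap_profiles": 0}
    for site in sorted(sites):
        lines.append(f'aaa server-group "{site}-radius"')
        lines += [f" auth-server {srv}" for srv in server_order(site, sites)]
        lines += ["!", f'aaa profile "{site}-aaa"']
        # Assumption: 802.1X SSIDs, so the group is bound as dot1x-server-group.
        lines += [f' dot1x-server-group "{site}-radius"', "!"]
        counts["server_groups"] += 1
        counts["aaa_profiles"] += 1
    for vap in sorted(vaps):
        for site in vaps[vap]:  # only sites where this SSID is deployed
            if site not in sites:
                raise ValueError(f"{vap}: unknown site {site}")
            lines += [
                f'wlan virtual-ap "{site}-{vap}"',
                f' aaa-profile "{site}-aaa"',
                f' ssid-profile "{vap}"',
                "!",
            ]
            counts["vap_profiles"] += 1
    return "\n".join(lines), counts


if __name__ == "__main__":
    text, counts = render(SITES, VAPS)
    print(text)
    print(counts)
```

Generating the objects from one inventory keeps the master configuration as the single source of truth, so the fallback order to remote servers stays consistent across sites without router-side filtering of RADIUS traffic.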