01-05-2012 09:44 AM - edited 01-05-2012 09:45 AM
1) I have an SSID set to do 802.1x authentication. Does the authentication happen before users are given an IP address by the DHCP server? Neither the DHCP nor the RADIUS servers are at the controller but are external.
2) What's the point of the fail-over option when adding multiple servers for RADIUS authentication? If I have more than one server listed there, does the user have to authenticate with ALL servers on the list before it can gain access to the network or just one of them? Does the "fail-over" option change this in any way?
01-05-2012 09:51 AM
Yes, 802.1x authentication takes place prior to DHCP.
Are you referring to the "fail-through" option in the server group settings? Fail-through means that if the authentication attempt fails on the first server, it will try the second, then the third, and so on, until it reaches the end of the list or the user passes authentication. This is helpful in several scenarios. Two that come to mind are in case the first RADIUS server fails (hardware/software failure) and the second is EDURoam.
01-05-2012 10:01 AM
Yes, I'm referring to the "fail-through" option in the server-group settings. What you've explained is what I thought it was but then in the User Guide it says:
"This feature is not supported for 802.1x authentication with a server group that consists of external EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x authentication is terminated on the controller (AAA FastConnect)."
Does this mean that this option is meaningless if external RADIUS servers are being used? Does it mean that the user is not allowed until he is authenticated by all the servers listed?
01-05-2012 11:08 AM
What that's saying is that the cryptographic part of the session needs to stay on the controller, which is generally faster anyway. We terminate that part of the session, and then try the RADIUS servers in the backend until we succeed or run out of servers. The user needs to match one of the servers; if it fails, we try the next one in the list.
Director, Strategic Account Solutions
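
The server-group walk described in this thread, as an added example that is not part of the original posts and not vendor code: a small Python model in which one accept from any server in the ordered list grants access. The server names, accounts and the `authenticate` helper are constructed for illustration, and the behaviour with fail-through disabled (a reject is final, only an unresponsive server causes the next one to be tried) is an assumption not stated in the thread.

```python
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"  # server down or unreachable


def authenticate(user, password, servers, fail_through):
    """Walk an ordered server group; return (granted, deciding_server, trail)."""
    trail = []
    for name, lookup in servers:
        reply = lookup(user, password)
        trail.append((name, reply))
        if reply is Reply.ACCEPT:
            # One matching server is enough; later servers are never asked.
            return True, name, trail
        if reply is Reply.REJECT and not fail_through:
            # Assumed behaviour with fail-through off: a reject is final.
            return False, name, trail
        # TIMEOUT, or REJECT with fail-through on: try the next server.
    return False, None, trail


def radius_backend(accounts, up=True):
    """Constructed stand-in for one external RADIUS server."""
    def lookup(user, password):
        if not up:
            return Reply.TIMEOUT
        return Reply.ACCEPT if accounts.get(user) == password else Reply.REJECT
    return lookup


# Constructed sample group: a local directory first, a roaming service second.
GROUP = [
    ("campus", radius_backend({"alice": "pw-a"})),
    ("roaming", radius_backend({"visitor@example.org": "pw-v"})),
]

if __name__ == "__main__":
    for ft in (False, True):
        granted, server, trail = authenticate("visitor@example.org", "pw-v", GROUP, ft)
        print(f"fail_through={ft}: granted={granted} by={server} "
              f"trail={[(n, r.value) for n, r in trail]}")
```

The trail shows why every server in a fail-through group is part of the access decision: the effective account set is the union of all backends, so each one needs the same level of trust and logging.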