Wireless Access

MVP
Posts: 1,412
Registered: ‎11-30-2011

does server fail through require termination?

I'm working on a scenario where I need RADIUS server fail-through. I configured two different RADIUS servers in a server group and turned on fail-through. For some reason the GUI acted up, so I tried to configure it via the CLI and got this message:

 

(Aruba650-TestLab) (Server Group "nps-test_srvgrp-fto67") #allow-fail-through
Info : Failthrough cant happen for dot1x without termination

This confused me, as in this thread it is mentioned that termination isn't required. So what is the deal: do I need to terminate on the controller or not?

Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: does server fail through require termination?


The answer is yes.

 

Fail-through would only be useful if the RADIUS servers authenticate users in different databases. If both RADIUS servers point to the same domain, however, it would force the second server to process the same failed authentication, increasing authentication time.

 

 

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-614



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
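To make the fail-through versus plain failover distinction above concrete, here is an added toy model (not code from the thread, from Aruba, or from ArubaOS). It models only the decision logic described: a server that does not reply is always skipped, while an Access-Reject ends the attempt unless fail-through is on. Server names, user databases and passwords are constructed; how a real controller times out and retries is not modelled.

```python
"""Toy model of a RADIUS server group with and without fail-through.

Added example, not from the thread or from Aruba. Only the decision logic
is modelled: a timeout always moves to the next server (failover), while an
Access-Reject ends the attempt unless fail-through is enabled. The server
names and user databases below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    users: Dict[str, str]       # constructed user database: username -> password
    reachable: bool = True      # False simulates a server that never replies

    def authenticate(self, user: str, password: str) -> Optional[bool]:
        """None = no reply (timeout), True = Access-Accept, False = Access-Reject."""
        if not self.reachable:
            return None
        return self.users.get(user) == password


@dataclass
class ServerGroup:
    servers: List[RadiusServer]
    fail_through: bool = False

    def authenticate(self, user: str, password: str) -> Tuple[Optional[bool], List[str]]:
        """Return (outcome, names of the servers that were asked, in order)."""
        asked: List[str] = []
        answered = False
        for srv in self.servers:
            asked.append(srv.name)
            result = srv.authenticate(user, password)
            if result is None:
                continue                  # timeout: fail over to the next server
            answered = True
            if result:
                return True, asked        # first Access-Accept wins
            if not self.fail_through:
                return False, asked       # a reject is final without fail-through
            # fail-through: a reject means "ask the next server too"
        return (False if answered else None), asked


def different_databases(fail_through: bool) -> ServerGroup:
    """Two servers backed by different user databases (the case fail-through is for)."""
    old_domain = RadiusServer("nps-old", {"alice": "old-pw"})
    new_domain = RadiusServer("nps-new", {"bob": "new-pw"})
    return ServerGroup([old_domain, new_domain], fail_through)


def same_database(fail_through: bool) -> ServerGroup:
    """Two servers that both answer from one shared database."""
    shared = {"alice": "old-pw"}
    return ServerGroup([RadiusServer("nps-a", shared), RadiusServer("nps-b", shared)], fail_through)


if __name__ == "__main__":
    print("bob, different DBs, fail-through on :", different_databases(True).authenticate("bob", "new-pw"))
    print("bob, different DBs, fail-through off:", different_databases(False).authenticate("bob", "new-pw"))
    print("alice, wrong pw, same DB, fail-through on:", same_database(True).authenticate("alice", "bad"))
```

The third case is the cost Colin describes: with a shared database, fail-through makes the second server re-process an authentication the first one already rejected, so it buys nothing and adds latency.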

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: does server fail through require termination?

Thank you cjoseph. If possible, could that be added to the knowledge base article? After I checked again, the user guide certainly mentions it.

 

In this scenario I'm working with two different RADIUS sources (databases), so fail-through seems the way to go. But if termination is required, then I will have to look into configuring that first.

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: does server fail through require termination?

I'm not 100% sure about my termination configuration. How would I set it up with two normal RADIUS servers in the server group? Even though it is terminated on the controller, will the content of the request be forwarded to the RADIUS server in the server group? How does the controller handle the certificate sent by the RADIUS server? Does it trust any certificate?

Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: does server fail through require termination?


Just the authentication is forwarded to the RADIUS server. The controller handles the EAP portion of the request. All your clients in both domains need to trust the CA of the Controller's server certificate, or the Controller Server Certificate specifically.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: does server fail through require termination?

That is clear, cjoseph.

 

All this unfortunately doesn't bring me closer to my goal. I have a scenario where there is an old CA and a new CA, and I want to provide access for both on a single SSID for a while without having to make changes on the clients.

 

For the server side, is there any other way than to also load the old CA root cert on the new devices and keep using the server cert from the old CA until all old clients are gone, and then switch?

 

And for the client side, is it possible to trust two CAs in the dot1x termination profile? I tried to put two root certs in a single file and load it, but it seems the controller only sees the first; the principle of a bundle is missing for me.
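To show what a "bundle" file actually is at the format level, here is an added example (not code from the thread or from Aruba). A PEM bundle is nothing more than several BEGIN/END CERTIFICATE blocks concatenated in one file; a loader that stops after the first block ends up trusting one CA. The certificate bodies below are constructed placeholders (base64 of a short string), not real X.509 data, so the example demonstrates only the file structure, not certificate validation or what ArubaOS itself does with such a file.

```python
"""Split a concatenated PEM "bundle" into its individual certificate blocks.

Added example, not from the thread or from Aruba. The certificate bodies are
constructed placeholders rather than real DER-encoded X.509 certificates.
"""
import base64
import re
from typing import List

# One PEM certificate block: the armour lines around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def make_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armour, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def split_bundle(bundle: str) -> List[bytes]:
    """Return the decoded payload of every certificate block, in file order."""
    payloads: List[bytes] = []
    for match in PEM_BLOCK.finditer(bundle):
        b64 = "".join(match.group(1).split())       # drop line breaks inside the body
        payloads.append(base64.b64decode(b64, validate=True))
    return payloads


def first_block_only(bundle: str) -> List[bytes]:
    """What a loader that reads just the first block is left trusting."""
    return split_bundle(bundle)[:1]


# Constructed bundle: the old root CA followed by the new root CA.
OLD_ROOT_DER = b"constructed placeholder for the OLD root CA"
NEW_ROOT_DER = b"constructed placeholder for the NEW root CA"
BUNDLE = make_pem(OLD_ROOT_DER) + make_pem(NEW_ROOT_DER)

if __name__ == "__main__":
    print(BUNDLE)
    print("blocks in bundle:", len(split_bundle(BUNDLE)))
    print("blocks seen by a first-only loader:", len(first_block_only(BUNDLE)))
```

The same split is what tools such as OpenSSL perform when they read a CA file: every block is a separate trust anchor. Whether a given device accepts more than one block in a single upload is a property of that device's loader, which is exactly the question being asked here.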

Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: does server fail through require termination?

On the client side, if you have "Validate Server Certificate" checked, you would only have to have the Root Cert for the Server Certificate on the Controller in that list. You could also easily distribute the CA cert to that trust list via group policy: http://technet.microsoft.com/en-us/library/cc738131(v=WS.10).aspx

 

 

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: does server fail through require termination?

Sorry, I meant server/client side on the controller.

 

With termination, the Aruba controller acts as the RADIUS server for the wireless client, but as a RADIUS client towards the actual RADIUS server, right?

 

So what server certificate does it accept from the actual RADIUS server? Any, or do I need to import the root CA of that server certificate?

 

And where the Aruba controller acts as RADIUS server, it accepts client certificates from the configured CA in the dot1x profile (with termination), right? Is it possible to allow multiple CAs somehow?

Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: does server fail through require termination?


boneyard wrote:

Sorry, I meant server/client side on the controller.

With termination, the Aruba controller acts as the RADIUS server for the wireless client, but as a RADIUS client towards the actual RADIUS server, right?

With termination on, the Aruba Controller does the EAP termination and passes the RADIUS authentication on to the RADIUS server. The only difference from a regular setup is that the controller presents the RADIUS server certificate to the client (oversimplifying, of course).

So what server certificate does it accept from the actual RADIUS server? Any, or do I need to import the root CA of that server certificate?

The RADIUS server does not participate in the certificate process when termination is on. The controller presents its uploaded or factory RADIUS server certificate to the client.

And where the Aruba controller acts as RADIUS server, it accepts client certificates from the configured CA in the dot1x profile (with termination), right? Is it possible to allow multiple CAs somehow?

It is not possible to allow multiple CAs.


You would do termination to move the computationally resource-intensive process of EAP termination from the RADIUS server to the controller. You would also do this to provide fail-through for multiple RADIUS servers. The drawback of termination is that devices do not pass machine authentication when termination is enabled. Please see the thread here: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1262

 

Please also see questions answered about fail-through and termination here: http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Radius-Fail-through-and-802-1x-Machine-Authentication/m-p/12186#M478

 

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: does server fail through require termination?

Thanks again cjoseph, I believe I now know almost all there is to know about termination :)

 

I was able to handle my scenario within NPS without needing termination.
