What is dynamic radius proxy and related settings in authentication server configuration of IAP?

By ssasi Unpublished


Environment  :  This article applies to Aruba Instant Access Points.


In a distributed architecture, each AP functions as a RADIUS authenticator for its clients, which means that you must configure each AP as a RADIUS client on the authentication server. However, adding all APs as NAS clients to a RADIUS server might not always be feasible.

The dynamic RADIUS proxy (DRP) feature of Aruba Instant provides an alternative to adding all APs as NAS clients. When DRP is enabled, the master AP becomes a single anchor for RADIUS requests for all users on an Aruba Instant cluster, regardless of the AP to which a user connects. The master AP acts as the RADIUS proxy for all RADIUS transactions in an Aruba Instant cluster. When DRP is enabled, all RADIUS packets that originate form an Aruba Instant cluster are sourced with the virtual controller (VC) IP address that is assigned to the cluster. The advantage with this model, is you only need to add the VC IP address to the RADIUS client list on the authentication server.






Using the VC IP address for RADIUS transactions works well in most environments, but in certain situations the RADIUS server might be on a network or VLAN that cannot be reached from the AP VLAN.

For such situations, Instant lets you define a DRP VLAN, IP address, and subnet on a per-RADIUS server basis. This capability allows network administrators to define the VLAN and source IP address for transactions for a specific RADIUS server. If DRP is enabled and if the RADIUS server on an Aruba Instant network does not include the DRP VLAN and IP configuration for a RADIUS sever, the transactions with that RADIUS server are sourced with the default VC IP address and VLAN.


rtaImage 2.jpg