Controllerless Networks

 View Only
last person joined: yesterday 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

Termination on Dot1x ssid

This thread has been viewed 10 times
  • 1.  Termination on Dot1x ssid

    Posted Nov 18, 2021 07:09 AM

    We have MM-MC setup

    2 MM into HQ

    4 MC on another Branches

    We have 3 SSID ( PSK, DOT1X, GUEST)

    We configured server group and add 6 radius server.

    1-when user connect to SSID  dot1x  can authenticate from radius server for this branch.

    2-when can't authenticate from radius server to this branch and can authenticate from 2nd radius server ( we configured  fail through  on radius server)

    and now we show alert on MM-Controller

    (configuration failure fail through cant happen for dot1x without termination)

    (internal server type is not supported without enabling dot1x termination )

    -when enable   termination on SSID  dot1x  all user can't connect to SSID  dot 1x

    So we disable termination and fail through.

    And now user can connect again after disabling termination



    ------------------------------
    mohamed gamal
    ------------------------------



  • 2.  RE: Termination on Dot1x ssid

    Posted Nov 18, 2021 08:32 AM
    fail-through for radius servers is used for when you want to check user credentials on different radius servers like when two companies are merging and you want them to use a single SSID but authenticate to two different servers in a server group.  If you simply want to load balance authentication between two radius servers for the same company, just use the load balance option, instead of fail through.  Fail through requires putting a radius certificate on the controller and enabling termination.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Termination on Dot1x ssid

    Posted Nov 18, 2021 08:44 AM
    what type of certifacte 
    public or server or root certifacte
    and how can check if this certifacte can be use or no

    ------------------------------
    mohamed gamal
    ------------------------------



  • 4.  RE: Termination on Dot1x ssid

    Posted Nov 18, 2021 09:00 AM
    Please work with your Aruba partner to discuss your scenario. In general, you should not use fail through, except for the scenario that Colin mentioned and even in that case you should use radius servers that can either locally authenticate all users or forward the Radius to another server that can do that.

    Just 'trowing' authentications to a bunch of Radius servers, and see 'what sticks' sounds like a mess and potential security nightmare.

    If it is just for redundancy, try the local authentication server first, and fallback to a centralized in case the local server is unavailable, for that you don't need fail through. Having a proper authentication infrastructure (and design of it) is really important.

    Don't enable termination 'because it doesn't work otherwise', you are very likely stepping in a long process of issues and troubleshooting.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------