Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

MM-MC setup with Dot1x multiple Servers

  • 1.  MM-MC setup with Dot1x multiple Servers

    Posted 10 days ago
    We have an MM-MC setup on AOS 8.7.
    MCs are in sites that contain APs // each site has its APs and its MC.
    All managed by HQ.

    We have 3 RADIUS servers (1 RADIUS server in each site).
    We need to make authentication redundant: when 1 server goes down, go to the second one; if that is down, go to the 3rd one.
    We have reachability between all sites (L3).
    We added the 3 servers to a server group called (Raduis-SG) and attached it to all our SSIDs and AAA.

    So the question here:

    1- Do we need the certificate or can we proceed without it (we need to enable termination and fail-through as it is mandatory, I think)?
    2- If each server has its own certificate, can we add more than one certificate or just one in AAA // How to achieve this requirement if each RADIUS server has its own certificate?


    ------------------------------
    amr shawky
    ------------------------------


  • 2.  RE: MM-MC setup with Dot1x multiple Servers

    Posted 10 days ago
    Each radius server requires a certificate.  You could enable termination on the controller so that you only need a certificate on the controller, but some things, like machine authentication do not work; I would avoid that.

    If you have 3 radius servers in a group by default the first one will be chosen always until it is unreachable.  If the first is unreachable, the second one will be chosen always until it is unreachable.

    If you enable load-balance in the server group, each server will be chosen randomly and by latency.  This by far is the most common deployment.

    Forget fail-through:  It is when you have multiple radius servers that all have different databases.  It is not a common deployment.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: MM-MC setup with Dot1x multiple Servers

    Posted 9 days ago
    Thanks cjoseph

    The server group has 3 RADIUS servers and is attached to AAA; the certificate is uploaded to the MC and also attached to the same AAA.

    From the server side --> If the 3 servers use 3 different certificates, is it applicable to use termination with fail-through? Or must they use the same certificate?


    Forget fail-through:  It is when you have multiple radius servers that all have different databases.  It is not a common deployment.

    How to achieve termination and redundancy in dot1x without termination and fail-through?

    As I know, fail-through must be configured with termination //

    ------------------------------
    amr shawky
    ------------------------------



  • 4.  RE: MM-MC setup with Dot1x multiple Servers

    Posted 9 days ago
    Only your radius servers require certificates, not the mobility controller for radius authentication.

    The certificates on your radius servers  are only important to clients, NOT the mobility controller.  The controller passes the radius requests from the client to the radius server(s).  The clients must either trust the radius server certificate or the certificate authority that issued the radius server certificate.

    Please forget termination and fail-through: those features were developed in the past when people did not have easy access to radius servers and only had LDAP servers.

    Having radius servers in a server group provides redundancy automatically.  Enabling load balancing means that all servers will be used for authentication.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
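    As an added illustration (not posted by anyone in this thread), this is the ArubaOS 8 server-group configuration the replies in posts 2 and 4 describe: three RADIUS servers in one group, which gives sequential failover by default, with load-balance enabled so all reachable servers are used, and no termination or fail-through. Server names, IP addresses, the shared-secret placeholders and the AAA profile name are assumptions, the `!` lines are annotations, and the command syntax is written from memory of the AOS CLI, so check it against the reference for your release.

```text
! Added example: three RADIUS servers, one per site (placeholder IPs and secrets)
aaa authentication-server radius "RADIUS-Site1"
   host 10.1.0.10
   key <shared-secret-site1>
!
aaa authentication-server radius "RADIUS-Site2"
   host 10.2.0.10
   key <shared-secret-site2>
!
aaa authentication-server radius "RADIUS-Site3"
   host 10.3.0.10
   key <shared-secret-site3>
!
! Default behaviour: servers are tried in the listed order, and the next
! one is used only when the current one becomes unreachable (failover)
aaa server-group "Raduis-SG"
   auth-server "RADIUS-Site1"
   auth-server "RADIUS-Site2"
   auth-server "RADIUS-Site3"
   ! Spread requests across all reachable servers, as the replies recommend
   load-balance
!
! Bind the group to the AAA profile used by the 802.1X SSIDs (assumed name).
! Termination and fail-through are left disabled: the controller only
! relays EAP to the RADIUS servers, whose certificates the clients must trust
aaa profile "Dot1x-AAA"
   authentication-dot1x "default"
   dot1x-server-group "Raduis-SG"
```

    Because the clients, not the controller, validate the RADIUS server certificate, each server in the group still needs a certificate the clients trust; issuing the same certificate to all three (post 5) keeps the client experience identical whichever server the group selects.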



  • 5.  RE: MM-MC setup with Dot1x multiple Servers

    Posted 8 days ago
    You should probably install the same RADIUS certificate on all of your RADIUS servers; that is by far the easiest solution. It will avoid many pitfalls around the redundancy, as with the same certificate everywhere the client will see the same certificate whichever server is selected for authentication.

    You can pick a simple name, like radius.yourdomain, and preferred is to get the certificate from your internal CA so you can control lifetime (multi-year, public only can go up to 1 year) and renewal (it happens quite often that root CAs change, and you can't get a renewed cert from the same CA, and then are forced to touch all of your clients to trust a new root CA).

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------