You should probably install the same RADIUS certificate on all of your RADIUS servers; that is by far the easiest solution. It will avoid many pitfalls around redundancy, because with the same certificate everywhere the client will see the same certificate whichever server is selected for authentication.
You can pick a simple name, like radius.yourdomain, and the preferred option is to get the certificate from your internal CA so you can control lifetime (multi-year; public ones can only go up to 1 year) and renewal (it happens quite often that root CAs change and you can't get a renewed cert from the same CA, and then you are forced to touch all of your clients to trust a new root CA).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
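An added example, not part of the original thread: a check that every RADIUS server in the group holds the same server certificate, run against PEM exports from each server. The server names and the sample certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in a PEM export.

    Hashing decoded DER rather than the file ignores line wrapping and any
    intermediates appended after the server certificate."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def group_by_certificate(pem_by_server):
    """Map fingerprint -> sorted names of the servers holding that certificate."""
    groups = defaultdict(list)
    for server, pem in pem_by_server.items():
        groups[leaf_fingerprint(pem)].append(server)
    return {fp: sorted(names) for fp, names in groups.items()}

def mismatched_servers(pem_by_server):
    """Servers whose certificate differs from the most common one in the group."""
    groups = group_by_certificate(pem_by_server)
    majority = max(groups.values(), key=len)
    return sorted(s for names in groups.values() if names is not majority for s in names)

def _constructed_pem(der, width=64):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes standing in for exported certificates
# (not real X.509); the server names are hypothetical.
SHARED = b"constructed-der-for-radius.yourdomain" * 4
SAMPLE = {
    "radius-site1": _constructed_pem(SHARED),
    "radius-site2": _constructed_pem(SHARED, 76) + _constructed_pem(b"constructed-intermediate"),
    "radius-site3": _constructed_pem(b"constructed-der-for-another-cert" * 4),
}

if __name__ == "__main__":
    for fp, names in group_by_certificate(SAMPLE).items():
        print(fp[:16], names)
    print("differs from the rest:", mismatched_servers(SAMPLE))
```

A server listed as differing would present a different certificate to clients when the server group selects it.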
Original Message:
Sent: Nov 23, 2021 07:28 PM
From: amr shawky
Subject: MM-MC setup with Dot1x multiple Servers
Thanks cjoseph
The server group has 3 RADIUS servers and is attached to AAA. The certificate is uploaded to the MC and also attached to the same AAA.
From the server side --> if the 3 servers use 3 different certificates, is it applicable to use termination with fail-through? Or must they use the same certificate?
Forget fail-through: It is when you have multiple radius servers that all have different databases. It is not a common deployment.
How to achieve termination and redundancy in dot1x without termination and fail-through?
As far as I know, fail-through must be configured with termination.
------------------------------
amr shawky
Original Message:
Sent: Nov 23, 2021 12:59 PM
From: Colin Joseph
Subject: MM-MC setup with Dot1x multiple Servers
Each RADIUS server requires a certificate. You could enable termination on the controller so that you only need a certificate on the controller, but some things, like machine authentication, do not work; I would avoid that.
If you have 3 RADIUS servers in a group, by default the first one will always be chosen until it is unreachable. If the first is unreachable, the second one will always be chosen until it is unreachable.
If you enable load-balance in the server group, each server will be chosen randomly and by latency. This is by far the most common deployment.
Forget fail-through: It is when you have multiple radius servers that all have different databases. It is not a common deployment.
------------------------------
Original Message:
Sent: Nov 23, 2021 11:39 AM
From: amr shawky
Subject: MM-MC setup with Dot1x multiple Servers
We have an MM-MC setup, AOS 8.7.
The MCs are in the sites that contain APs // each site has its APs and its MC.
All are managed by HQ.
We have 3 RADIUS servers (1 RADIUS server in each site).
We need redundant authentication: when 1 server goes down, go to the second one; if that is down, go to the 3rd one.
We have reachability in all sites (L3).
We added the 3 servers to a server group called (Raduis-SG), and attached it to all our SSIDs and AAA.
So the questions here:
1- Do we need the certificate, or can we proceed without it? (We need to enable termination and fail-through, as it is mandatory, I think.)
2- If each server has its own certificate, can we add more than one certificate or just one in AAA? // How to achieve this requirement if each RADIUS server has its own certificate?
------------------------------
amr shawky
------------------------------