Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

two RAdius servers on a server group

  • 1.  two RAdius servers on a server group

    Posted Feb 13, 2012 07:18 PM

    Okay im using WPA2 enterprise for 802.1x authentication

    I got 2 radius servers so if one goes down well eh can still authenticate with the other one.

     

    I got radiusA and RadiusB

     

    One server group which have

    RadiusA first

    RadiusB second

     

    I though that if RAdiusA was unavaible it will send the request to radius B and well IT DOES but i get this message on radius B

    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

     

    Now if i put in the server group RAdiusB first then it authenticate correctly so it doesnt seems its the configuration in the RAdius servers...

     

    Any idea what could be causing this?



  • 2.  RE: two RAdius servers on a server group

    Posted Feb 13, 2012 08:16 PM

    @NightShade1 wrote:

    Okay im using WPA2 enterprise for 802.1x authentication

    I got 2 radius servers so if one goes down well eh can still authenticate with the other one.

     

    I got radiusA and RadiusB

     

    One server group which have

    RadiusA first

    RadiusB second

     

    I though that if RAdiusA was unavaible it will send the request to radius B and well IT DOES but i get this message on radius B

    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

     

    Now if i put in the server group RAdiusB first then it authenticate correctly so it doesnt seems its the configuration in the RAdius servers...

     

    Any idea what could be causing this?


    Make sure the remote access policies on server B matches what you have on server A.  Just merely switching the servers in a server group does not mean that the controller has resumed using a server that has been labelled "out of service".  Use the "show auth-tracebuf" command to accurately track which server is being used, when.

     

    If you take a server out of service, the controller does not use it anymore.  The exception is if you only have a single server in that server group; the Aruba controller does not take a server out of service if it is the single server in a server group.

     



  • 3.  RE: two RAdius servers on a server group

    Posted Feb 13, 2012 08:51 PM

    Hello Cjoseph

    Ill try using that command you just mention but i see logs on the radius2 when i disconnect radius1 telling me that error.

     

    But tell me something

    if i got 2 servers on the server group

    if the first one goes unavailable the second should be able to authenticate everyone? like a redundancy if the radius1 fail then the other automatically start athenticating users right?

     

     



  • 4.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 03:07 AM

    @NightShade1 wrote:

    Hello Cjoseph

    Ill try using that command you just mention but i see logs on the radius2 when i disconnect radius1 telling me that error.

     

    But tell me something

    if i got 2 servers on the server group

    if the first one goes unavailable the second should be able to authenticate everyone? like a redundancy if the radius1 fail then the other automatically start athenticating users right?

     

     



    Yes, the second one should be able to authenticate everyone.  Try to have ONLY the radius server with the problems in the server group, and make sure that one works by itself.

     



  • 5.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 08:27 AM

    Hello Cjoseph

    It does work

    Like i said up(must be my english which is not good)

    i got in the group radius1 and radius2

     

    radius1 is the first one in the group and radius2 is the second one

     

    ifi unplug radius1 network cable it becomes unavailible and it doesnt work i get this error on that radius 2 event viewer:

    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

     

    Now its not working okay? the radius1 is still unplug but i go to the Aruba controller go to the server group and put radius2 first in the group,  and after that it start authenticating correctly.

     

     



  • 6.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 08:32 AM
    We need the output of show auth-tracebuf when that is happening.


  • 7.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 09:46 AM

    okay cjoseph i ill get it for you as soon as i can.

    Cheers 



  • 8.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 10:23 AM

    Did you make sure that radius2 is configured to support PEAP authentication (certificate/etc)?  If you're getting the EAP message in the event viewer, I would re-verify your certificate ane PEAP configuration the radius server.

     

    -Mike



  • 9.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 10:36 AM

    Ill doublecheck that but remenber that it works if igot radius2 first in the list of the server group.... if its true what you said well i guess it wouldnt work even if i put it in the first place in the server group right? but it does work perfectly if its on the first place.



  • 10.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 02:03 PM

    So to recap what you have.

     

    - 2 radius server: radius1, radius2

    - one server group

     

    Scenarios:

    1. in server group, radius1 listed first then radius2 >> Authentication works.

    2. in server group, radius2 listed first then radius1 >> Authenticatino works.

    3. in server group, radius1 listed first then radius2; disconnect radius1 >> authentication fails/unsuccesful and you get the event log message about EAP issues.

    4. when you move radius2 above radius1, authentication works.

     

    Did you try with just having radius2 in the group?  It's weird it would work for scenario 4 but when it's in passthrough mode, it gives the EAP errors.

     

    -Mike



  • 11.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 03:02 PM

    Yes your recap is correct its whats happening here!

     

    I ll try just having radius2 in the group but i guess it will work fine... just like if i list it as the first server in the server group



  • 12.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 06:54 PM

    @NightShade1 wrote:

    Yes your recap is correct its whats happening here!

     

    I ll try just having radius2 in the group but i guess it will work fine... just like if i list it as the first server in the server group


    No, it is NOT the same thing.  Please try it in a group by itself.

     

    Even better, do a AAA test server, by going to the Diagnostics Tab on the controller and doing a test authentication to the server with the problem.

     



  • 13.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 07:03 PM

    okay cjoseph

    ill try it in the group itselft

    ill try this on thursday, any other test that need to be run?

     

    I can tell you i did try the AAA test server on Radius2 as you can select with which you want to run the test and it was succesfully the test. 



  • 14.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 07:08 PM

    Great

     

    That means you need to examine the Certificate that is in the Remote Access Policy under Constraints> Authentication Method, EAP-PEAP or MSCHAPv2 on Radius2, then.



  • 15.  RE: two RAdius servers on a server group

    Posted Feb 14, 2012 07:09 PM

    Okay cjoseph ill check on that.

     

    ill bring the results on thursday

     

    Cheers and thanks everyone for asnwering!!

     

     



  • 16.  RE: two RAdius servers on a server group

    Posted Feb 16, 2012 02:31 PM

    Hello Everyone

    I just finished testing everything

    The thing was working fine all the time but i noticed the fallowing things

     

    1- it doesnt take 5 secs so the WC knows the Server is down it seems it get notice its down when a client tries to connect and then he ask the other server

    2- Before when the client was trying to prove it was working he was turning off the wireless card so the WC didnt know he was down until the times out came out and for some reason when we were trying to connnect it again it keep asking the Radius1

    3-When we properly disconnected it and the aruba knows the client was down we tried to connect it, it keep asking to radius1 even if it was down then like 2 mins after that it wiill ask radius2.

    4-When the radius1 is down it takes 10 mins for him to take him out of the out of service as the default timer said so.  So he will keep sending the request to radius2 even if radius1 is up again.

     

    In conclusion the commnand that cjoseph told me made me realize what was happening

    When we were testing it, we just disconect the wireless and tried asap instead waiting for a few... when we saw it didnt connect we just though it wasnt working....

     

    Thanks everyone for asnwering!