Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

RADIUS before DHCP and failover

  • 1.  RADIUS before DHCP and failover

    Posted Jan 05, 2012 12:45 PM

    Two questions:


    1) I have an SSID set to do 802.1x authentication. Does the authentication happen before users are given an IP address by the DHCP server? Neither the DHCP nor the RADIUS servers are at the controller but are external.


    2) What's the point of the fail-over option when adding multiple servers for RADIUS authentication? If I have more than one server listed there, does the user have to authenticate with ALL servers on the list before it can gain access to the network or just one of them? Does the "fail-over" option change this in any way?


    Thanks!



  • 2.  RE: RADIUS before DHCP and failover
    Best Answer

    Posted Jan 05, 2012 12:51 PM

    Yes, 802.1x authentication takes place prior to DHCP.


    Are you referring to the "fail-through" option in the server group settings? Fail-through means that if the authentication attempt fails on the first server, it will try the second, then the third, and so on, until it reaches the end of the list or the user passes authentication. This is helpful in several scenarios. Two that come to mind are in case the first RADIUS server fails (hardware/software failure) and the second is EDURoam.



  • 3.  RE: RADIUS before DHCP and failover
    Best Answer

    Posted Jan 05, 2012 01:01 PM

    Yes, I'm referring to the "fail-through" option in the server-group settings. What you've explained is what I thought it was but then in the User Guide it says:


    "This feature is not supported for 802.1x authentication with a server group that consists of external EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x authentication is terminated on the controller (AAA FastConnect)."


    Does this mean that this option is meaningless if external RADIUS servers are being used? Does it mean that the user is not allowed until he is authenticated by all the servers listed?



  • 4.  RE: RADIUS before DHCP and failover
    Best Answer

    Posted Jan 05, 2012 02:09 PM

    What that's saying is that the cryptographic part of the session needs to stay on the controller, which is generally faster anyway. We terminate that part of the session, and then try the RADIUS servers in the backend until we succeed or run out of servers. The user needs to match one of the servers; if it fails, we try the next one in the list.


    -awl
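The server-group walk that zjennings and awl describe, as an added model (not Aruba's code or configuration): servers are tried in list order, one that gives no answer is skipped as a failover, and an explicit reject either ends the attempt or, with fail-through enabled, moves on to the next server until the list is exhausted. The server functions, user names and realms are constructed for the illustration; the treatment of an unreachable server is an assumption of the model.

```python
# Added illustration, not Aruba's code: how a controller might walk a RADIUS
# server group with and without fail-through, as described in the thread.
# Each server is a function returning ACCEPT, REJECT or None (no response,
# i.e. the server is down). Assumption of this model: an unreachable server is
# skipped regardless of fail-through; an explicit reject only falls through to
# the next server when fail-through is enabled.

ACCEPT, REJECT = "accept", "reject"


def local_radius(user):
    # constructed sample: only knows the local account
    return ACCEPT if user == "alice@example.edu" else REJECT


def broken_radius(user):
    # constructed sample: server is down and never answers
    return None


def eduroam_proxy(user):
    # constructed sample: accepts a roaming realm, rejects everything else
    return ACCEPT if user.endswith(".ac.uk") else REJECT


def authenticate(user, server_group, fail_through):
    """Return (result, tried): the final decision and the servers consulted."""
    tried = []
    for server in server_group:
        tried.append(server.__name__)
        outcome = server(user)
        if outcome is None:
            continue                  # no answer: fail over to the next server
        if outcome == ACCEPT:
            return ACCEPT, tried      # one match is enough
        if not fail_through:
            return REJECT, tried      # first reject is final
        # fail-through enabled: a reject keeps walking the list
    return REJECT, tried              # end of list reached without an accept


GROUP = [broken_radius, local_radius, eduroam_proxy]

if __name__ == "__main__":
    for user in ("alice@example.edu", "bob@roaming.ac.uk"):
        for ft in (False, True):
            label = "fail-through" if ft else "no fail-through"
            print(user, label, authenticate(user, GROUP, ft))
```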



  • 5.  RE: RADIUS before DHCP and failover

    Posted Jan 05, 2012 02:27 PM

    Thanks very much awl and zjennings!