1) I have an SSID set to do 802.1x authentication. Does the authentication happen before users are given an IP address by the DHCP server? Neither the DHCP nor the RADIUS servers are at the controller but are external.
2) What's the point of the fail-over option when adding multiple servers for RADIUS authentication? If I have more than one server listed there, does the user have to authenticate with ALL servers on the list before it can gain access to the network or just one of them? Does the "fail-over" option change this in any way?
Yes, 802.1x authentication takes place prior to DHCP.
Are you referring to the "fail-through" option in the server group settings? Fail-through means that if the authentication attempt fails on the first server, it will try the second, then the third, and so on, until it reaches the end of the list or the user passes authentication. This is helpful in several scenarios. Two that come to mind are in case the first RADIUS server fails (hardware/software failure) and the second is EDURoam.
Yes, I'm referring to the "fail-through" option in the server-group settings. What you've explained is what I thought it was but then in the User Guide it says:
"This feature is not supported for 802.1x authentication with a server group that consists of external EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x authentication is terminated on the controller (AAA FastConnect)."
Does this mean that this option is meaningless if external RADIUS servers are being used? Does it mean that the user is not allowed until he is authenticated by all the servers listed?
What that's saying is that the cryptographic part of the session needs to stay on the controller, which is generally faster anyway. We terminate that part of the session, and then try the RADIUS servers in the backend until we succeed or run out of servers. The user needs to match one of the servers; if it fails, we try the next one in the list.
Thanks very much awl and zjennings!
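The server-group behaviour discussed in this thread, as an added Python model that is not part of the original posts and is not Aruba code. The server names, users and the `authenticate` helper are constructed for illustration; treating an unreachable server as skipped regardless of the fail-through setting is an assumption of the model, and credentials are reduced to a plain password lookup.

```python
# Added illustration: a simplified model of a RADIUS server group.
# All names and sample data are constructed; this is not controller code.
from dataclasses import dataclass, field

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


@dataclass
class RadiusServer:
    name: str
    users: dict = field(default_factory=dict)  # username -> password
    reachable: bool = True

    def check(self, user, password):
        if not self.reachable:
            return TIMEOUT  # server is down: no reply at all
        return ACCEPT if self.users.get(user) == password else REJECT


def authenticate(group, user, password, fail_through=False,
                 terminated_on_controller=True):
    """Return (result, names of servers contacted) for one login attempt."""
    # Per the User Guide quote in the thread: fail-through is not supported
    # when external EAP-compliant RADIUS servers terminate the 802.1x exchange.
    use_fail_through = fail_through and terminated_on_controller
    tried = []
    for server in group:
        tried.append(server.name)
        outcome = server.check(user, password)
        if outcome == ACCEPT:
            return ACCEPT, tried   # one matching server is enough
        if outcome == REJECT and not use_fail_through:
            return REJECT, tried   # first explicit reject is final
        # TIMEOUT (assumed failover) or REJECT with fail-through: try the next
    return REJECT, tried           # list exhausted without an accept


# Constructed sample group: a local server first, a roaming server second.
GROUP = [
    RadiusServer("local-radius", {"alice": "pw-a"}),
    RadiusServer("roaming-radius", {"bob": "pw-b"}),
]
```

In this model a user known only to the second server is accepted only when fail-through is on and 802.1x is terminated on the controller; no user ever has to pass every server in the list.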
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.