Wired Intelligent Edge


Wired authenticated via RADIUS - What happens if server is unreachable?

  • 1.  Wired authenticated via RADIUS - What happens if server is unreachable?

    Posted 10 days ago
    Hello,

    Question regarding wired authentication via RADIUS.

    If the RADIUS server is unreachable due to a network outage upstream, does the switch know or become 'aware' once it comes back online?  Is there an internal timer on which it retries?  I ask because in testing I've noticed that re-authentications are happening shortly (maybe 1-2 minutes) after the network connectivity is restored, and I'm not sure if these are the dead/retry timers at play here.

    What will happen if the RADIUS server is unreachable for several hours?  Will it retry once it becomes available?

    The main concern is the event of a power outage: normally the router/gateway is the slowest device to boot back up, and during that time the RADIUS server is unreachable.  Will the switch retry once it becomes available?

    Thank you.

    ------------------------------
    Noble Network
    ------------------------------


  • 2.  RE: Wired authenticated via RADIUS - What happens if server is unreachable?

    Posted 9 days ago
    Check the security user guide for the switch, but you can use critical VLAN as an alternative VLAN authentication for a client when the remote authentication server is not reachable.

    You can also use RADIUS service tracking, which determines the availability of RADIUS servers configured on the switch.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Wired authenticated via RADIUS - What happens if server is unreachable?

    Posted 3 days ago
    For wired port authentication (802.1X) in AOS-CX, re-authentication is disabled by default, so if no new clients are accessing the network, then nothing should happen to existing authenticated clients.

    If you enable re-authentication per interface:

    switch(config-if)# aaa authentication port-access dot1x authenticator reauth

    then the default timer is 3600 seconds/1 hour.

    RADIUS is not a stateful protocol, so unless the reauth timer for a particular port is expiring, the switch will have no idea if the RADIUS server is offline until it tries to authenticate a new user, or re-authenticate an existing user.

    To handle scenarios where the RADIUS server goes offline for long periods of time (eg: a maintenance window), you can configure cached re-authentication, which allows the re-authentication process to succeed even when the RADIUS server is not responding.  The default for this is 30 seconds, but you'd probably want to set it to something much higher.

    Cheers,

    Ben


    ------------------------------
    Ben Dale
    ------------------------------
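
Putting the suggestions from reply 2 (RADIUS service tracking and a critical VLAN) and reply 3 (re-authentication and cached re-authentication) into one place, here is an added AOS-CX configuration example. It is not from any of the posters or from Aruba's documentation; the server addresses, shared secrets, VLAN 999, the role name, port 1/1/1 and the timer values are made-up assumptions, and the command syntax is written from memory of the AOS-CX security guide, so check each line against the guide for your software version before using it. The lines starting with `!` are annotations, not commands.

```text
! --- Global: RADIUS servers with service tracking ---
! Tracking makes the switch probe each server on a schedule with a
! dedicated test account, so it learns that a server is dead (and that
! it is back) without waiting for a real (re)authentication to time out.
! Addresses, secrets and the tracking account are assumed values.
radius-server host 10.0.0.11 key plaintext CHANGE-ME timeout 5 retries 2 tracking enable
radius-server host 10.0.0.12 key plaintext CHANGE-ME timeout 5 retries 2 tracking enable
radius-server tracking user-name radius-tracker password plaintext CHANGE-ME-TOO
! Probe every 60 s instead of the longer default so a recovered server
! is noticed quickly after a power outage. (Assumed value.)
radius-server tracking interval 60

! --- Global: enable the 802.1X authenticator ---
aaa authentication port-access dot1x authenticator enable

! --- Critical role: what a NEW client gets while every server is dead ---
! Keep this VLAN isolated (no route to internal resources); a client in
! it was never authenticated.  VLAN 999 and the role name are assumed.
port-access role CRITICAL-NOAUTH
    vlan access 999

! --- Per-port settings ---
interface 1/1/1
    aaa authentication port-access dot1x authenticator enable
    ! Re-authentication is off by default (reply 3); turn it on and keep
    ! the 3600 s default period explicit so the intent is visible.
    aaa authentication port-access dot1x authenticator reauth
    aaa authentication port-access dot1x authenticator reauth-period 3600
    ! Cached re-auth lets an ALREADY authenticated client pass its next
    ! re-authentication while the server is unreachable.  The 30 s
    ! default only covers a blip; 86400 s (24 h) rides out a long outage.
    aaa authentication port-access dot1x authenticator cached-reauth
    aaa authentication port-access dot1x authenticator cached-reauth-period 86400
    ! New clients arriving during the outage land in the critical role.
    aaa authentication port-access critical-role CRITICAL-NOAUTH
```

Two points a practitioner should weigh before copying this. First, cached re-authentication extends trust that was granted before the outage: an endpoint that is unplugged and replaced on the same port still starts a fresh authentication, but a client that stays connected keeps its access for the whole cached period even if its account was disabled on the RADIUS server in the meantime, so pick a period that matches how long you are willing to run on stale authorisations. Second, the critical role is a fallback for clients that were never authenticated at all, so it should carry only what is needed to limp along (or nothing) rather than the normal access VLAN. To confirm the tracking state after applying the configuration, `show radius-server detail` (again from memory of the CLI) reports per-server reachability, and `show aaa authentication port-access interface all client-status` shows which clients are authenticated and in which role.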