Wired authenticated via RADIUS - What happens if server is unreachable?

  • 1.  Wired authenticated via RADIUS - What happens if server is unreachable?

    Posted Sep 14, 2021 04:54 PM
    Hello,

    Question regarding wired authentication via RADIUS.

    If the RADIUS server is unreachable due to a network outage upstream does the switch know or become 'aware' once it comes back online?  Is there an internal timer in which it retries?  I ask because in testing I've noticed that re-authentications are happening shortly (maybe 1-2 minutes) after the network connectivity is restored, and I'm not sure if these are the dead/retry timers at play here.

    What will happen if the RADIUS server is unreachable for several hours?  Will it retry once it becomes available?

    The main concern is in the event of a power outage, normally the router/gateway is the slowest device to boot back up, during which the RADIUS server is unreachable.  Will the switch retry once it becomes available?

    Thank you.

    ------------------------------
    Noble Network
    ------------------------------


  • 2.  RE: Wired authenticated via RADIUS - What happens if server is unreachable?

    EMPLOYEE
    Posted Sep 14, 2021 08:37 PM
    Check the security user guide for the switch, but you can use critical VLAN as an alternative VLAN authentication for a client when the remote authentication server is not reachable.

    You can also use RADIUS service tracking, which determines the availability of RADIUS servers configured on the switch.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Wired authenticated via RADIUS - What happens if server is unreachable?

    Posted Sep 21, 2021 12:14 PM
    For wired port authentication (802.1x) in AOS-CX, re-authentication is disabled by default, so if no new clients are accessing the network, then nothing should happen to existing authenticated clients.

    If you enable re-authentication per interface:

    switch(config-if)# aaa authentication port-access dot1x authenticator reauth

    then the default timer is 3600 seconds/1 hour.

    RADIUS is not a stateful protocol, so unless the reauth timer for a particular port is expiring, the switch will have no idea if the RADIUS server is offline until it tries to authenticate a new user, or re-authenticate an existing user.

    To handle scenarios where the RADIUS server goes offline for long periods of time (e.g. a maintenance window), you can configure cached re-authentication, which allows the re-authentication process to succeed even when the RADIUS server is not responding.  The default for this is 30 seconds, but you'd probably want to set it to something much higher.

    Cheers,

    Ben


    ------------------------------
    Ben Dale
    ------------------------------
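The timer interplay Ben describes (re-authentication off by default, a 3600 s reauth period, a 30 s cached re-authentication window, and a critical VLAN as the fallback) is easy to reason about with a small timeline model. The following is an added example written for this thread, not AOS-CX code or documentation; the cached-window semantics (the window starts at the first failed reauth, the switch retries every 60 s, and an expired window drops the client to the critical VLAN or deauthorizes it), the user VLAN 10 and the critical VLAN 99 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

USER_VLAN = 10  # constructed value: VLAN assigned to the authorized client

@dataclass
class PortAccessConfig:
    reauth: bool = False              # AOS-CX default per the thread: disabled
    reauth_period: int = 3600         # default per the thread: 1 hour
    cached_reauth_period: int = 30    # default per the thread: 30 seconds
    critical_vlan: Optional[int] = None  # assumption: fallback VLAN when no server answers

def radius_reachable(t: int, outages: List[Tuple[int, int]]) -> bool:
    """True unless t falls inside one of the [start, end) outage windows."""
    return not any(start <= t < end for start, end in outages)

def simulate(cfg: PortAccessConfig, outages, horizon: int, retry: int = 60):
    """Model one client authorized at t=0 and return the ordered list of
    (time, event, vlan) transitions up to `horizon` seconds.
    Model assumptions (not taken from the AOS-CX docs): a failed reauth opens
    the cached-reauth window, the switch retries every `retry` seconds inside
    it, and when the window closes without a server reply the client is moved
    to the critical VLAN (or deauthorized if none is configured)."""
    events = [(0, "authorized", USER_VLAN)]
    if not cfg.reauth:
        return events  # RADIUS is never consulted again for this client
    t = cfg.reauth_period
    while t <= horizon:
        if radius_reachable(t, outages):
            events.append((t, "reauth ok", USER_VLAN))
            t += cfg.reauth_period
            continue
        # The switch only discovers the outage now, at the reauth attempt.
        window_end = t + cfg.cached_reauth_period
        events.append((t, "reauth failed, cached", USER_VLAN))
        t += retry
        while t <= window_end and not radius_reachable(t, outages):
            t += retry
        if t <= window_end:  # server answered before the cached window closed
            events.append((t, "reauth ok", USER_VLAN))
            t += cfg.reauth_period
        else:
            vlan = cfg.critical_vlan
            label = "critical vlan" if vlan is not None else "deauthorized"
            events.append((window_end, label, vlan))
            return events
    return events

if __name__ == "__main__":
    outage = [(3000, 6000)]  # constructed: RADIUS unreachable for 50 minutes
    for cfg in (PortAccessConfig(), PortAccessConfig(reauth=True, critical_vlan=99),
                PortAccessConfig(reauth=True, cached_reauth_period=7200)):
        print(cfg, simulate(cfg, outage, 12000), sep="\n  ")
```

With reauth disabled the client never touches RADIUS again; with the default 30 s cached window the first reauth inside the outage ends in the critical VLAN, while a window longer than the outage keeps the client authorized until the server returns.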