Security

Assuming this is about ClearPass...

If you have multiple AD servers in one Authentication Source, ClearPass will try the first, and if it's not responding within the time configured, it will use the second, and so on. So just one LDAP (AD) server will be used under normal circumstances, the backups are just used if the higher ranked servers are not reachable/responding. A non-responding server will be marked down for 2 minutes, and not tested during that time.

If you have multiple Authentication Sources in your service, ClearPass will try them in order until the username is found in one. If the user is not available in the authentication source, it will continue with the next source and try again. Once the username is found, ClearPass will perform the authentication/authorization, and respond whatever is found there and stop further processing.

2 Minutes wait time is a default value ? whether we can view the time configuration anywhere in clearpass

In Active Directory we have configured time out value as 10 sec - what is the use of it ?

Also, if we add 2 backup AD server under one  AD authentication server , whether it will bring any changes in the authentication flow instead of adding all three ias separate AD severs in authentication source.

Assuming this is about ClearPass...

If you have multiple AD servers in one Authentication Source, ClearPass will try the first, and if it's not responding within the time configured, it will use the second, and so on. So just one LDAP (AD) server will be used under normal circumstances, the backups are just used if the higher ranked servers are not reachable/responding. A non-responding server will be marked down for 2 minutes, and not tested during that time.

If you have multiple Authentication Sources in your service, ClearPass will try them in order until the username is found in one. If the user is not available in the authentication source, it will continue with the next source and try again. Once the username is found, ClearPass will perform the authentication/authorization, and respond whatever is found there and stop further processing.

The 10 second timeout controls that if the AD server takes more time than that to respond, ClearPass will go to the next backup server in the same authentication source. That 2 minutes is the retry timeout, and it's not configurable as far as I know, but once ClearPass has marked a server down (as it did not respond within the 10 seconds, or other configured timeout in the Authentication Source).

If you have AD servers for the same domain, you should probably add them in the same authentication source. Otherwise you would need to check authorization, like group membership, in each of them.

Example with Authentication Source for AD with primary dc1 and backups dc2 and dc3; your role mapping based on groups would then be Authentication[AD] Groups EQUALS Domain Admins => Role;

When 3 different authentication sources dc1, dc2, dc3, the same would be: Authentication[dc1] Groups EQUALS Domain Admins OR  Authentication[dc2] Groups EQUALS Domain Admins OR Authentication[dc3] Groups EQUALS Domain Admins => Role

I would use different Authentication Sources for servers that have different information.

2 Minutes wait time is a default value ? whether we can view the time configuration anywhere in clearpass

In Active Directory we have configured time out value as 10 sec - what is the use of it ?

Also, if we add 2 backup AD server under one  AD authentication server , whether it will bring any changes in the authentication flow instead of adding all three ias separate AD severs in authentication source.

Assuming this is about ClearPass...

If you have multiple AD servers in one Authentication Source, ClearPass will try the first, and if it's not responding within the time configured, it will use the second, and so on. So just one LDAP (AD) server will be used under normal circumstances, the backups are just used if the higher ranked servers are not reachable/responding. A non-responding server will be marked down for 2 minutes, and not tested during that time.

If you have multiple Authentication Sources in your service, ClearPass will try them in order until the username is found in one. If the user is not available in the authentication source, it will continue with the next source and try again. Once the username is found, ClearPass will perform the authentication/authorization, and respond whatever is found there and stop further processing.