Please work with your Aruba partner to discuss your scenario. In general, you should not use fail through, except for the scenario that Colin mentioned, and even in that case you should use radius servers that can either locally authenticate all users or forward the Radius to another server that can do that.
Just 'throwing' authentications to a bunch of Radius servers, and seeing 'what sticks', sounds like a mess and a potential security nightmare.
If it is just for redundancy, try the local authentication server first, and fall back to a centralized one in case the local server is unavailable; for that you don't need fail through. Having a proper authentication infrastructure (and design of it) is really important.
Don't enable termination 'because it doesn't work otherwise'; you are very likely stepping into a long process of issues and troubleshooting.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Nov 18, 2021 08:43 AM
From: mohamed gamal
Subject: Termination on Dot1x ssid
What type of certificate: public, server, or root certificate?
And how can I check whether this certificate can be used or not?
------------------------------
mohamed gamal
Original Message:
Sent: Nov 18, 2021 08:31 AM
From: Colin Joseph
Subject: Termination on Dot1x ssid
Fail-through for radius servers is used when you want to check user credentials on different radius servers, like when two companies are merging and you want them to use a single SSID but authenticate to two different servers in a server group. If you simply want to load balance authentication between two radius servers for the same company, just use the load balance option instead of fail through. Fail through requires putting a radius certificate on the controller and enabling termination.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: Nov 18, 2021 07:08 AM
From: mohamed gamal
Subject: Termination on Dot1x ssid
We have an MM-MC setup:
2 MMs in HQ
4 MCs in other branches
We have 3 SSIDs (PSK, DOT1X, GUEST).
We configured a server group and added 6 radius servers.
1- When a user connects to the dot1x SSID, they can authenticate from the radius server for this branch.
2- When they can't authenticate from the radius server for this branch, they can authenticate from the 2nd radius server (we configured fail through on the radius server).
And now an alert is shown on the MM controller:
(configuration failure fail through cant happen for dot1x without termination)
(internal server type is not supported without enabling dot1x termination )
- When we enable termination on the dot1x SSID, users can't connect to the dot1x SSID.
So we disabled termination and fail through.
And now users can connect again after disabling termination.
------------------------------
mohamed gamal
------------------------------
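The thread distinguishes plain redundancy (move to the next server only when one is unavailable) from fail-through (move to the next server after a reject as well). The following is an added example, not part of any post above and not ArubaOS code: a simplified Python model of an ordered server group that shows which servers get to evaluate a user's credentials in each mode. Server names, users and passwords are constructed, and dot1x termination is not modelled.

```python
from dataclasses import dataclass

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"

@dataclass
class RadiusServer:
    name: str
    users: dict             # constructed sample credentials: username -> password
    reachable: bool = True  # False models a server that does not answer

    def authenticate(self, user, password):
        if not self.reachable:
            return TIMEOUT
        return ACCEPT if self.users.get(user) == password else REJECT

def authenticate_group(servers, user, password, fail_through=False):
    """Walk an ordered server group.

    Returns (verdict, names of the servers that evaluated the credentials).
    """
    verdict, asked = TIMEOUT, []
    for server in servers:
        result = server.authenticate(user, password)
        if result == TIMEOUT:
            continue                 # unavailable: redundancy, try the next server
        asked.append(server.name)
        if result == ACCEPT:
            return ACCEPT, asked
        verdict = REJECT
        if not fail_through:
            break                    # without fail-through a reject is final
    return verdict, asked

def build_group(branch_up=True):
    """Constructed three-server group (hypothetical names and users)."""
    return [
        RadiusServer("branch-radius", {"alice": "pw-a"}, reachable=branch_up),
        RadiusServer("hq-radius", {"alice": "pw-a", "bob": "pw-b"}),
        RadiusServer("other-radius", {"carol": "pw-c"}),
    ]

if __name__ == "__main__":
    for ft in (False, True):
        print("fail_through =", ft)
        print("  wrong password:", authenticate_group(build_group(), "alice", "bad", ft))
        print("  branch down   :", authenticate_group(build_group(False), "alice", "pw-a", ft))
```

In this model a wrong password is evaluated by one server without fail-through and by every server in the group with it, while the branch-down case succeeds against the second server in both modes.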