Enabling Authentication Server Load Balancing Functionality

Aruba Employee
Aruba Employee

Introduction :


Load balancing of authentication servers ensures that the authentication load is split across multiple authentication servers, thus avoiding any one particular authentication server from being overloaded. Authentication Server Load Balancing functionality enables the Aruba Mobility Controller to perform load balancing of authentication requests destined to external authentication servers (Radius/LDAP etc). This prevents any one authentication server from having to handle the full load during heavy authentication periods, such as at the start of the business day.


Feature Notes :


Earlier, the controller used the first authentication server in the server group list. The remaining servers in that server group will be used in sequential order only when an authentication server is down. Thus, the controllers performed fail-over and not load balancing of authentication servers.

The load balancing algorithm computes the expected time taken to authenticate a new client for each authentication server and chooses that authentication server for which the expected authentication time is least. The load balancing algorithm maintains re-authentication stickiness i.e. at the time of re-authentication the request will be forwarded to the same server where it was authenticated earlier.



Environment : Aruba controller with Multiple Authentication servers


Configuration Steps :


Starting from AOS 6.4 image version, a new load–balancing enable parameter has been introduced in aaa server-group test command to enable authentication server load balancing functionality.

To Enable the Feature:

aaa server-group <sg_name>
load-balance   <-- This is the new Feature got added starting from 6.4 image version
auth-server s1
auth-server s2

To Disable the Feature:

You can use the following command to disable load balancing:
aaa server-group<sg_name>
no load-balance

If you configure internal server in the server group, load balancing is not applicable to the internal server. Internal server will be used as fall back when all the other servers in the server group are down.



Verification :


show aaa load-balance statistics server-group <sg_name>

(host) #show aaa load-balance statistics server-group dot1x-test-apsim
Statistics for Radius Servers in Server Group
Server Acct Rq Raw Rq PAP Rq CHAP Rq MSCHAP Rq MSCHAPv2 Rq Mismatch Rsp Bad Aut
h Acc Rej Acct Rsp Chal Ukn Rsp Tmout Tot Rq Tot Rsp Rd Err Outstanding Auths
------ ------- ------ ------ ------- --------- ----------- ------------ -------
- --- --- -------- ---- ------- ----- ------ ------- ------ -----------------
abc _RADIUS 0 0 0 0 0 26 0 0
26 0 0 0 0 0 26 26 0 0
AUTOMATIONRAD 0 0 0 0 0 207 0 0
207 0 0 0 0 0 207 207 0 0
Troubleshooting :
Parameter Description:
Server: Name of the RADIUS server.

Acct Rq Accounting requests: This reports of the number of accounting messages (for example, start/stop/interim update) sent by the controller to a RADIUS server. This counter increments whenever the controller sends one of these messages.
Raw Rq Raw requests: Number of raw authentication requests the controller sent to a RADIUS server.
PAP Rq Pap Requests:  Number of PAP authentication requests the controller sent to a RADIUS server.
CHAP Rq CHAP requests: Number of CHAP authentication requests the controller sent to a RADIUS server.
MSCHAP Rq MSCHAP requests: Number of MS-CHAP authentication requests the controller sent to a RADIUS server.
MSCHAPv2 Rq MSCHAPv2 requests: Number of MS-CHAPv2 requests the controller sent to a RADIUS server.
Mismatch Rsp Mismatch responses: Number of responses from a RADIUS server for which the controller does not have the proper request context.
Bad Auth Bad authenticator: Number of responses from the RADIUS server with an invalid secret or bad reply digest.

Acc Access accept. Number of responses from the RADIUS server with invalid secret or bad reply digest.
Rej Access reject. Number of responses from the RADIUS server that indicate that client authentication failed.
Acct Rsp Accounting response. Number of responses sent from the RADIUS server in response to accounting requests sent from the controller.
Chal Access challenge. Number of responses from the RADIUS server containing a challenge for the client (to complete authentication).
Ukn Rsp Unknown Response code. Number of responses from the RADIUS server that were not understood by the controller due to the purpose or type of the response

Tmout Timeouts. Number of messages sent by the controller for which the controller did not receive a response before the message timed out.
NOTE: Timeouts include RADIUS accounting requests. Every request controller sends to the RADIUS server is monitored for a timeout, so each retry increments this counter.
AvgRspTme Average response time. Time taken, on an average, for the RADIUS server to respond to a message from the controller.
Tot Rq Total errors. This counter reflects the total number of requests sent to the RADIUS server (auth and accounting requests).
Tot Rsp This counter reflects the total number of responses received by the RADIUS server (auth and accounting responses).
Rd Err Read errors. This counter reflects the total number of errors encountered while reading off socket corresponding to that RADIUS server.
Uptime Amount of for which the RADIUS server has been active/up. The RADIUS server is considered to have an UP status if the server is active and serving requests.
The RADIUS server is considered to be DOWN if the server is not responding. For example, if the RADIUS server does not respond for (<no of retries> *< timeout>) seconds, the controller takes the RADIUS server down. It brings the radius server back into service after the dead timeout. SEQ Information corresponding to the sequence number of requests. SEQ total corresponds to the total number of sequence numbers that can be used to communicate with the RADIUS server. SEQ free corresponds to the free/available/not
in use sequence numbers for a particular RADIUS server.
Outstanding Auths This value keeps track of the number of clients that are currently getting authenticated against this authentication server, i.e. clients for which the controller has
sent Access-Request but has not yet received Access-Accept or Access-Reject and also the Access-Request has not timed out completely.



Version history
Revision #:
1 of 1
Last update:
‎07-04-2014 02:10 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: