What is the allow-fail-through option used for?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


allow-fail-through: When this option is configured, an authentication failure with the first server in the group causes the controller to attempt authentication with the next server in the list. The controller attempts authentication with each server in the ordered list until either an authentication is successful or the list of servers in the group is exhausted.


For example, if the server-group "ArubaLab" has two servers configured, enabling allow-fail-through makes the controller check both the servers for authentication. This is especially helpful if one server is down.


aaa server-group "ArubaLab"

auth-server Server-1

auth-server Server-2


Note: If the databases for both the servers are identical, then there is no point in configuring 'allow-fail-through'.  It can even delay authentication time if "allow-fail-through" is checked and all servers point to the same database.


fail-over: Fail-over is always enabled. Fail-over means is that if the first auth-server is not reachable (time-out), the second server will be checked. That is the difference between fail-over and fail-through

Version history
Revision #:
2 of 2
Last update:
‎05-29-2016 11:09 AM
Updated by:
Labels (1)

I have problem with enable RADIUS fail-through for 802.1X authentication.

By uknown and not my concern we have 2 domains:



We don´t want to use Dot1X termination on the ONLYONE controller (yes we have just one for all).

We don´t have ClearPa$$ server, we use Just one NPS in one domain and other NPS in the other domain (help is welcome to proxy config by the way).

We want to use that example but seems like doesn´t works without "Dot1X termination" and/or something is missing.

Any help is welcome.


Search Airheads
Showing results for 
Search instead for 
Did you mean: