Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AOS Switch RADIUS Failover behaviour

  • 1.  AOS Switch RADIUS Failover behaviour

    Posted Jan 16, 2019 03:19 AM

    Hi Airheads


    We have a weird issue. We mostly have two ClearPasses as RADIUS servers. We thought the switch fails over if one is not reachable. But, for example, we configured an unreachable IP address as the RADIUS server (primary & secondary) and the switch still marked both hosts as reachable. So how could that happen? How is the AOS Switch checking reachability? I already did a packet capture to see if there are any ICMP or generic RADIUS requests.


    According to the Access Security Guide, when you have at least two RADIUS servers configured the switch goes to the secondary server if the primary is dead. What about the secondary?

    [Image attachment: radius-1.jpg]


    We also know there's a feature for tracking the servers with a RADIUS request that is sent from the switch at a specific interval. This feature works great, and the minimum interval is 60 s. Is this the way to go? Best practice? Because the default failover feature is unusable so far.


    Unfortunately, I haven't got an answer from TechHub or our local HPE team so far.


    Thanks and Greets

    Marc



  • 2.  RE: AOS Switch RADIUS Failover behaviour

    Posted Jul 30, 2019 10:55 AM

    I prefer the RADIUS server tracking, because it actually tests to see if the RADIUS server responds (RADIUS reject). The default failover mechanism is not very accurate, and I have seen it forward traffic even when the RADIUS service isn't started yet.


    Do you use the ClearPass VIP address as the RADIUS server IP on your NAD devices?
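Both posts above rest on the same point: a server is only provably "reachable" for authentication purposes when it answers a real RADIUS request, and an Access-Reject is just as good a liveness signal as an Access-Accept, while host-level reachability (ICMP, ARP, even an open socket) says nothing about whether the RADIUS service is running. The following is an added example, not code from HPE Aruba, ClearPass or either poster, that models the tracking probe the thread describes so you can run the same check from a monitoring host against each ClearPass node independently of the switch. The probe user name, shared secret, NAS IP and the server addresses are made-up assumptions; the packet format is plain RFC 2865.

```python
"""Model of RADIUS server tracking: send a real Access-Request, treat any
authentic reply (Accept, Reject or Challenge) as 'alive', a timeout as 'dead'.
Added example, not vendor code. Probe credentials and addresses are assumptions."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: MD5(secret + prev) XOR 16-byte blocks."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request with User-Name, hidden User-Password and NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, _encrypt_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def response_is_authentic(response, request_authenticator, secret):
    """Verify the Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply that fails this is not from a holder of the shared secret and must not count."""
    if len(response) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def classify_response(response, request, secret):
    """'alive' for any authentic reply to our own request (Reject included), else 'dead'."""
    if response is None or len(response) < 20:
        return "dead"
    if response[1] != request[1]:                      # identifier must match our probe
        return "dead"
    if not response_is_authentic(response, request[4:20], secret):
        return "dead"
    return "alive" if response[0] in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE) else "dead"


def probe_server(host, secret, username=b"radius-probe", password=b"probe",
                 nas_ip="192.0.2.10", port=1812, timeout=3.0):
    """Send one probe over UDP and classify the outcome the way the tracking feature would.
    host/secret/username/nas_ip are assumed values; use a dedicated low-privilege probe account."""
    request = build_access_request(os.urandom(1)[0], secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:                         # no reply at all: the service is dead
            data = None
    return classify_response(data, request, secret)


def fake_reply(code, request, secret):
    """Build the attribute-less reply a real server would send to `request`
    (used to exercise the checker offline with a constructed packet)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


if __name__ == "__main__":
    # Constructed sample: 203.0.113.0/24 is documentation space and will time out.
    for server in ("203.0.113.11", "203.0.113.12"):
        print(server, probe_server(server, b"assumed-shared-secret", timeout=1.0))
```

Run `probe_server()` once per ClearPass node (not only against a VIP) at whatever interval you consider acceptable; the classifier deliberately counts an Access-Reject as "alive", which is why the probe account can and should be one the server will refuse, and it discards any reply whose Response Authenticator does not verify under the shared secret, so a spoofed or wrong-secret answer cannot mark a dead server as up.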