Wireless Access

Hi Guys,

 

I have an interesting little problem, I have a radius failover group against a wireless profile, and everything is working well...until...

Here comes the back story...

 

Our servers are scheduled to run any outstanding updates and reboot every Saturday night.

However when the radius servers reboot, they get flagged as offline by the Aruba Controller;  so when all our users return on a Monday morning all hell breaks loose because nobody is getting authenticated against the wireless SSID.

 

So I thought I’d play it smart and stagger the radius server reboots giving the controller time to recognise that the first server that went offline is now back, and then reboot the second.

 

However it seems once the controller has deemed the radius server(s) offline it doesn’t bother to recheck for its return and so when the second one goes down for a reboot - we effectively have no radius authentication until we reboot both Aruba Controllers.

 

 

I’m hoping that there is a setting that can be applied to tell the controller to keep retrying the radius server it has flagged as offline, to return it back to the online status once the reboot has completed.

Any help would be great fully received.

 

Many thanks,

 

Do you have fail through enabled ?

You should have more than one server in your list, check box for fail through checked?

Version of code? 

Are you terminating on the controller or the RADIUS server?

Sorry for the late response guys.

 

Ok so I have two radius servers in the profile and Fail Through is ticked.

 

I have proven that Fail Through is working; If I kill one of the radius servers, the controller starts to use the other - perfect; However; the controller never re-establishes that the server that went offline has come back online. It mains flagged as offline.

 

The problem I have is, when both of the servers reboot on the weekend the controller marks them both as offline and doesn't change them back to online until I reboot the controller.

 

It would appear that the controller is not trying to re-establish a link with the radius servers once it has flagged them as offline.

With Fail through not checked:
They request is send to service 1 in the list if server one does not respond then it will send the request to server 2.

With fail through checked:
request is sent to server 1 if server one sends a reject then the request will get sent to server 2. If server one sends an accept then you have access if server 1 doesn’t respond then the request is send to server 2.

As cappalli asked before where is termination happening? Controller or the Radius server?

When you see that server 1 is not responding are you able to send a diagnostic test to confirm that the server is responding?
What code version?

Hi,

 

Again many appologies for the late reply.

 

Im not sure I understand the question regarding "termination" nor "code version" if you could layman's term it for me that would be great. :smileysad:

 

The radius server's are not responding to the controllers at all once the servers have rebooted. The request times out from the controler diagnostics page. No logs or hits at the Radius end from the controllers at all.

 

At the same time as timing out for the controllers, the same radius servers are responding to other requests from other devices such as dynamic vlan tagging for wired devices.

 

Once the controllers are rebooted - everything starts to work again.

---

@7cups wrote:

Hi,

 

Again many appologies for the late reply.

 

Im not sure I understand the question regarding "termination" nor "code version" if you could layman's term it for me that would be great. :smileysad:

 

The radius server's are not responding to the controllers at all once the servers have rebooted. The request times out from the controler diagnostics page. No logs or hits at the Radius end from the controllers at all.

 

At the same time as timing out for the controllers, the same radius servers are responding to other requests from other devices such as dynamic vlan tagging for wired devices.

 

Once the controllers are rebooted - everything starts to work again.

---

7Cups:

 

- Uncheck Failthrough, because it does not apply to your current situation.  The purpose of failthrough is when you have servers from different domains and you want to check them both when an authentication comes in.  Unchecking failthrough improves your performance by not forcing the controller to check both servers all the time.

- If you have two servers in a server group, the first server will be used until it is unavailable, and then the second one will be used

- If you have two servers in a server group, both cannot be marked down at one time.  If the first one is marked down, it will continue to use the second one indefinitely, so that you are not put into a bind.

- It should periodically check to see if the first one is back and use that one eventually.

 

Hi CJ,

 

I'll uncheck failthrough now and see how we go.

Looks like ive been miss informed by our suport agency.

 

Many thanks,

 

---

@7cups wrote:

Hi CJ,

 

I'll uncheck failthrough now and see how we go.

Looks like ive been miss informed by our suport agency.

 

Many thanks,

 

---

7Cups,

 

I only mentioned a single non-invasive idea on how to possibly deal with a single issue.  From your posts, you probably have other issues that need to be defined and fixed.  Please email TAC at support@arubanetworks.com and determine your status.

 

Thanks CJ,

 

I've droped them an email as per your suggestion.

 

Regards,

Does IAPs support failthrough?

please don't ask new questions on old threads and please use the correct location, which in this case would be the IAP section.

 

as for your question, no IAPs don't support fail through. they can support two radius servers, but that is for load balancing or redudancy.