Our company has a distributed network consisting of many sites, most of which use Aruba mobility controllers (master/local configuration). Configuration is performed globally, and sites share SSIDs. Every site has 1-2 RADIUS servers. In the Aruba configuration, all RADIUS servers are put into one server group. There is a natural desire for the controller in every site to try the local RADIUS server (the one in the same site) first, and then switch to remote servers if the local ones are not available. However, since there is one global server group, mobility controllers try to contact RADIUS servers in the same order. We can, of course, create a separate server group for each location - but then we would need separate AAA profiles for each location and a separate VAP profile for every SSID in every location, thus greatly increasing configuration complexity and abandoning most benefits of centralized configuration.
At present, we prevent mobility controllers from contacting RADIUS servers in other sites by filtering out their RADIUS traffic on routers, thus making controllers able to communicate only with local servers. A rather dirty solution.
So the question is - is there any way to do this in a better way? Something like "location-specific server groups", or the ability to selectively override global configuration objects on local controllers? I'm not really an Aruba expert; maybe there is some simple answer.