Wireless Access

Contributor II

RADIUS before DHCP and failover

Two questions:


1) I have an SSID set to do 802.1x authentication. Does the authentication happen before users are given an IP address by the DHCP server? Neither the DHCP nor the RADIUS servers are at the controller but are external.


2) What's the point of the fail-over option when adding multiple servers for RADIUS authentication? If I have more than one server listed there, does the user have to authenticate with ALL servers on the list before it can gain access to the network or just one of them? Does the "fail-over" option change this in any way?



Aruba Employee

Re: RADIUS before DHCP and failover

Yes, 802.1x authentication takes place prior to DHCP.


Are you referring to the "fail-through" option in the server group settings? Fail-through means that if the authentication attempt fails on the first server, it will try the second, then the third, and so on, until it reaches the end of the list or the user passes authentication. This is helpful in several scenarios. Two that come to mind is in case the first RADIUS server fails (hardware/software failure) and the second is EDURoam.


Zach Jennings
Contributor II

Re: RADIUS before DHCP and failover

Yes, I'm referring to the "fail-through" option in the server-group settings. What you've explained is what I thought it was but then in the User Guide it says:


"This feature is not supported for 802.1x authentication with a server group that consists of external EAPcompliant
RADIUS servers. You can, however, use fail-through authentication when the 802.1x
authentication is terminated on the controller (AAA FastConnect)."



Does this mean that this option is meaningless if external RADIUS servers are being used? Does it mean that the user is not allowed until he is authenticated by all the servers listed?

Aruba Employee
Aruba Employee

Re: RADIUS before DHCP and failover

What that's saying is that the cryptographic part of the session needs to stay on the controller, which is generally faster anyway. We terminate that part of the session, and then try the RADIUS servers in the backend until we succeed or run out of servers. The user needs to match one of the servers, if it fails we try the next one in the list.



Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Contributor II

Re: RADIUS before DHCP and failover

Thanks very much awl and zjennings!

Search Airheads
Showing results for 
Search instead for 
Did you mean: