WLC with multiple RADIUS servers

Hey All,

I've installed a second Cisco ACS server for redundancy on our WPA2/AES/802.1X WLAN and I was wondering how this will affect user connections. I have 2 ACSs with 2 different certificates and they are set up as RADIUS 1 and 2 under this specific WLAN. I'm concerned that when a user connects and authenticates to ACS1 and then later on roams or reauthenticates due to some timer, they'll hit ACS2 and the client won't have an existing session built and will fail.

1. Can someone elaborate on when the 2nd RADIUS server gets used: round robin, or only when ACS 1 is unresponsive/failed user login?

2. Is there a better way to work with this scenario? i.e. one cert (e.g.) and put the ACSs behind a load balancer?

3. Can I get the load-balancing effect with just the WLCs and the ACSs?

I'm just trying to verify a few things before I go live with it.



1. No round robin. The WLC will only flip to the next RADIUS server when the RADIUS server doesn't respond. We have seen issues where the RADIUS server services go down and user auth fails, BUT it still responds to the WLC, so the WLC doesn't flip to the next one.

2. You can put a load balancer in front for the cert. If you don't, you could get the "validate this cert" window on some clients like Macs and iDevices. They will need to validate each cert once before connecting when authing to the RADIUS. They won't be asked again, unless they forget the network and reconnect.

As for roaming: once a client authenticates the first time, an MSK is generated. It's used as seeding material for the PMK key. The PMK key is moved from the RADIUS server to the WLC. This is a session thing. When a client roams from AP to AP or across controllers, the PMK key is moved with him. This is assuming the client supports OKC.

Hope this helps.
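To make the roaming point above concrete, here is an added example (not code from either poster or from Cisco) that goes one step beyond the reply: it derives the PMK from the EAP MSK as 802.11i specifies, computes the per-AP PMKID that OKC uses, and runs a constructed join-then-roam scenario through a toy controller cache, so you can see that the RADIUS server is only consulted once and a non-OKC client goes through full 802.1X on every AP. The `Wlc` class, the MAC addresses and the MSK are constructed for the illustration.

```python
import hashlib
import hmac

PMK_NAME = b"PMK Name"

def mac(addr: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(addr.replace(":", ""))

def pmk_from_msk(msk: bytes) -> bytes:
    """802.11i: PMK = L(MSK, 0, 256), i.e. the first 32 bytes of the EAP MSK."""
    if len(msk) < 32:
        raise ValueError("EAP MSK must be at least 32 bytes")
    return msk[:32]

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for the 802.1X/SHA-1 AKM.
    AA is the AP BSSID, SPA the client MAC; OKC recomputes this per AP from one PMK."""
    return hmac.new(pmk, PMK_NAME + aa + spa, hashlib.sha1).digest()[:16]

class Wlc:
    """Toy controller (constructed): a PMK cache per client MAC, filled once by RADIUS/EAP."""
    def __init__(self):
        self.cache = {}
        self.radius_rounds = 0

    def associate(self, client, bssid, offered, msk):
        pmk = self.cache.get(client)
        if pmk is not None and offered is not None and hmac.compare_digest(
            pmkid(pmk, mac(bssid), mac(client)), offered
        ):
            return "okc-fast-roam"        # 4-way handshake only, no RADIUS round trip
        self.radius_rounds += 1           # full EAP through the RADIUS server
        self.cache[client] = pmk_from_msk(msk)
        return "full-802.1x"

def simulate(okc_client: bool):
    """Constructed scenario: one client joins on AP1 and then roams to AP2 and AP3."""
    wlc, client = Wlc(), "00:11:22:33:44:55"
    msk = hashlib.sha512(b"constructed MSK from the first EAP exchange").digest()  # 64 bytes
    pmk = pmk_from_msk(msk)               # the client holds the same PMK after EAP
    results = []
    for bssid in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"):
        offered = pmkid(pmk, mac(bssid), mac(client)) if okc_client and results else None
        results.append(wlc.associate(client, bssid, offered, msk))
    return results, wlc.radius_rounds
```

Run `simulate(True)` and `simulate(False)` side by side: the OKC client touches RADIUS once and fast-roams twice, while the non-OKC client triggers three full EAP exchanges, which is exactly where a second ACS with a different certificate becomes visible to the user.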

