If I give a controller two or more RADIUS servers to check authentication against, and the account does not exist in the first server, will it check the second server and then loop back to the first server for the next user?
Basically, I have two disparate user databases and want to authenticate against both at the same time.
"If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on"
"The primary RADIUS server (the server with the lowest server index) is assumed to be the most preferable server for the controller. If the primary server becomes unresponsive, the controller switches to the next active backup server (the server with the next lowest server index). The controller continues to use this backup server forever, unless you configure the controller to fall back to the primary RADIUS server when it recovers and becomes responsive or to a more preferable server from the available backup servers."
The second statement is pretty clear and to the point, but I'm hoping the first statement means that if the server is up and simply does not authenticate the user, it will loop around, enabling me to use two disparate databases/servers simultaneously.
What the WLC provides is a failover system between RADIUS servers. So if the first server does not reply, it tries the second.
If the username does not show up in the first RADIUS server, that RADIUS server will most probably send back a RADIUS Reject, which means the WLC should not authenticate the user. The 2nd RADIUS server will not be checked.
Some RADIUS servers would allow customization and would then simply not answer if the user is not found, but even then... This means that if one user is not found on the first RADIUS server, the WLC will mark that server dead and won't try it until the 2nd WLC fails...
The behavior you really want is to synchronize your 2 RADIUS servers to share databases. THAT would have the effect you are looking for.
This explanation is true for other Cisco devices like switches or routers. A RADIUS Reject is an authentication failure, not a "try the next RADIUS server".
That makes sense and is indeed the default behaviour of most RADIUS products. I guess I was hoping the controller could circumnavigate the default behaviour of RADIUS, because I can't merge these two databases.
I wonder then why the controller (for web authentication) lets you change the order for RADIUS, LDAP, and Local...
I could always query one of the databases using RADIUS and the other using LDAP, but if the first (say RADIUS) database does not contain the user and the second (LDAP) will never be checked, then why does the controller give you the option to change the order, I wonder? I mean, what's the point if the second won't be checked?
That order is different; it does act like you hope.
The idea there is: "if RADIUS returns a reject, then maybe we have the user as a local admin in the local database?"
So yes, you can have one database being RADIUS and the other LDAP, and the WLC will search both if the first one doesn't return a success.
This is the same behavior as IOS, where you can define local as a fallback for the RADIUS server for authentication. We just have LDAP on top of it here.
In the case of one database in RADIUS and one database in LDAP, with different subsets of users:
RADIUS is used first; it does not contain the user and returns a Reject (or fails, or whatever).
LDAP is used second, and the user passes authentication.
The next user starts with RADIUS again, and the controller goes through the same process for each authentication request it receives.
The answer to the above-mentioned question is: correct.
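The two behaviours described in this thread, as an added example that is not part of the original discussion: a model in plain Python of the controller's RADIUS server list (failover only, where an Access-Reject is final and only a timeout moves on to the next server index, with the backup remaining in use unless fallback is configured) beside the web-authentication method order (RADIUS, then LDAP, then Local, where a Reject falls through to the next method and every request starts at the first method again). The servers, user names and passwords are constructed for the demonstration, and the controller's recovery probe for the primary is simplified to "start at the lowest index on each request" when fallback is enabled.

```python
"""Added example (not from the thread): the two WLC lookup behaviours above,
modelled with constructed servers and users. RadiusServerList = the RADIUS
server list (failover only). OrderedMethods = the web-auth method order
(RADIUS, LDAP, Local), where a Reject falls through to the next method."""
from enum import Enum


class Result(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    TIMEOUT = "no response"


class Backend:
    """A RADIUS server, LDAP directory or local DB reduced to a user table."""

    def __init__(self, name, users, alive=True):
        self.name = name
        self.users = users          # constructed: username -> password
        self.alive = alive          # False models an unreachable server

    def check(self, user, password):
        if not self.alive:
            return Result.TIMEOUT
        if self.users.get(user) == password:
            return Result.ACCEPT
        return Result.REJECT        # unknown user or bad password: a Reject

    def attempt(self, user, password):
        """Return (accepted, trace); trace lists (server, result) pairs tried."""
        result = self.check(user, password)
        return result is Result.ACCEPT, [(self.name, result)]


class RadiusServerList:
    """Controller RADIUS server list: lowest index preferred, failover only."""

    def __init__(self, servers, fallback_to_primary=False):
        self.servers = servers
        self.fallback_to_primary = fallback_to_primary
        self.active = 0             # index the controller is currently using

    def attempt(self, user, password):
        if self.fallback_to_primary:
            self.active = 0         # simplified model of the recovery probe
        trace = []
        for idx in range(self.active, len(self.servers)):
            result = self.servers[idx].check(user, password)
            trace.append((self.servers[idx].name, result))
            if result is Result.TIMEOUT:
                continue            # unreachable: try the next server index
            self.active = idx       # a Reject is final and the index sticks
            return result is Result.ACCEPT, trace
        return False, trace         # every remaining server timed out


class OrderedMethods:
    """Web-auth method order: a Reject falls through to the next method."""

    def __init__(self, methods):
        self.methods = methods      # e.g. [RadiusServerList, ldap, local]

    def attempt(self, user, password):
        trace = []
        for method in self.methods:  # every request starts at method one
            accepted, sub = method.attempt(user, password)
            trace.extend(sub)
            if accepted:
                return True, trace
        return False, trace


def run_demo():
    """Constructed scenario: two RADIUS servers with disjoint user sets,
    an LDAP directory and the local database. Returns each outcome."""
    corp = Backend("radius-corp", {"alice": "pw-a"})
    guest = Backend("radius-guest", {"bob": "pw-b"})
    ldap = Backend("ldap-partner", {"bob": "pw-b"})
    local = Backend("local", {"admin": "pw-l"})
    out = {}

    rl = RadiusServerList([corp, guest])
    out["list_bob"] = rl.attempt("bob", "pw-b")            # corp rejects: done
    corp.alive = False
    out["list_alice_dead"] = rl.attempt("alice", "pw-a")   # timeout, then guest
    corp.alive = True
    out["list_alice_sticky"] = rl.attempt("alice", "pw-a")  # still on guest
    out["list_alice_fallback"] = RadiusServerList(
        [corp, guest], fallback_to_primary=True).attempt("alice", "pw-a")

    om = OrderedMethods([RadiusServerList([corp]), ldap, local])
    out["order_bob"] = om.attempt("bob", "pw-b")           # RADIUS Reject, LDAP Accept
    out["order_admin"] = om.attempt("admin", "pw-l")       # falls through to local
    out["order_unknown"] = om.attempt("mallory", "x")      # rejected by all three
    return out


if __name__ == "__main__":
    for case, (ok, trace) in run_demo().items():
        steps = ", ".join(f"{name}: {res.value}" for name, res in trace)
        print(f"{case:22} {'ACCEPT' if ok else 'FAIL':6} [{steps}]")
```

Running it shows the asker's problem directly: `list_bob` fails after a single Reject from the first server even though the second server holds the account, and `list_alice_sticky` shows that once the controller has failed over, a recovered primary is not consulted again unless fallback is configured. The `order_*` cases show the method-order behaviour from the last answer: a Reject from RADIUS lets LDAP, and then Local, be tried within the same request.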
This document has been created from the below-mentioned discussion: