Vinay Sharma
Level 7

Question 1

In this scenario, the user mentioned that:

If I give a controller two or more RADIUS servers to check authentication against and the account does not exist in the first server, will it check the second server and then loop back to the first server for the next user?

Basically I have two disparate user databases and want to authenticate against both at the same time.

From: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1040067

"If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on"

"The primary RADIUS server (the server with the lowest server index) is assumed to be the most preferable server for the controller. If the primary server becomes unresponsive, the controller switches to the next active backup server (the server with the next lowest server index). The controller continues to use this backup server forever, unless you configure the controller to fall back to the primary RADIUS server when it recovers and becomes responsive or to a more preferable server from the available backup servers."

The second statement is pretty clear and to the point, but I'm hoping the first statement means that if the server is up and simply does not authenticate the user, it will loop around, enabling me to use two disparate databases/servers simultaneously.

Answer

What the WLC provides is a failover system between RADIUS servers. So if the first server does not reply, it tries the second.

If the username does not show up in the first RADIUS server, that RADIUS server will most probably send back a RADIUS reject, which means the WLC should not authenticate the user. The 2nd RADIUS server will not be checked.

Some RADIUS servers would allow customization and would then simply not answer if the user is not found, but even then... This means that if one user is not found on the first RADIUS server, the WLC will mark that server dead and won't try it until the 2nd WLC fails...

The behavior you really want is to synchronize your 2 RADIUS servers so that they share a database. THAT would have the effect you are looking for.

This explanation is true for other Cisco devices like switches or routers. A RADIUS reject is an authentication failure, not a "try the next RADIUS server".

Question 2

That makes sense and is indeed the default behaviour of most RADIUS products. I guess I was hoping the controller could circumnavigate the default behaviour of RADIUS, because I can't merge these two databases.

I wonder then why the controller (for web authentication) lets you change the order for RADIUS, LDAP, and Local...

I could always query one of the databases using RADIUS and the other using LDAP, but if the first (say RADIUS) database does not contain the user and the second (LDAP) will never be checked, then why does the controller give you the option to change the order, I wonder? I mean, what's the point if the second won't be checked?


Answer 2

That order is different; it does act like you hope.

The idea there is: "if RADIUS returns a reject, then maybe we have the user as a local admin in the local database?"

So yes, you can have one database being RADIUS and the other LDAP, and the WLC will search both if the first one doesn't return a success.

This is the same behavior as IOS, where you can define local as the fallback for a RADIUS server for authentication. We just have LDAP on top of it here.

Question 3

In the case of one database in RADIUS and one database in LDAP with different subsets of users:

RADIUS is used first, does not contain the user, and returns a reject or fail or whatever.

LDAP is used second and user passes authentication.

The next user starts with RADIUS again, and the controller goes through the same process for each authentication request it receives.

Answer 3

The answer to the above question is: correct.
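The two behaviours contrasted in Answers 1 and 2 (and confirmed in Answer 3) are easy to conflate, so here is a small simulation of both. It is an added example written for this page, not code from the original discussion or from any Cisco product: the Backend, FailoverList and PrecedenceOrder classes, the "stick with the backup until all servers are exhausted" bookkeeping, and the sample user databases are all constructed assumptions, and real WLC timers, retransmit counts and dead-time handling are not modelled.

```python
"""Simulation of two WLC authentication behaviours discussed above.

1. A list of servers of the SAME type (RADIUS index 1, 2, ...): failover only.
   A server that does not answer is skipped; a server that answers
   Access-Reject ends the authentication with a failure, and the next
   index is never consulted for that request.
2. Web-auth server precedence (RADIUS / LDAP / Local): a reject or
   "user not found" from one backend means the NEXT backend is tried,
   and every new request starts again from the first backend.

Everything below is constructed for illustration (not Cisco code).
"""
from dataclasses import dataclass


class Timeout(Exception):
    """Raised when a simulated server does not answer at all."""


@dataclass
class Backend:
    name: str
    users: dict            # username -> password (constructed sample data)
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            raise Timeout(self.name)
        # A reachable server that cannot find the user still ANSWERS:
        # for RADIUS that answer is Access-Reject, not silence.
        return "accept" if self.users.get(user) == password else "reject"


@dataclass
class FailoverList:
    """Same-type server list: only an unresponsive server is skipped."""
    servers: list
    active: int = 0        # index of the server currently in use

    def authenticate(self, user: str, password: str):
        while self.active < len(self.servers):
            server = self.servers[self.active]
            try:
                verdict = server.authenticate(user, password)
            except Timeout:
                self.active += 1   # fail over to the next index (no fallback configured)
                continue
            # Accept OR reject: the verdict of the server that answered is final.
            return verdict, server.name
        self.active = 0            # every server silent: retry from the primary next time
        return "fail", None


@dataclass
class PrecedenceOrder:
    """Web-auth order (e.g. RADIUS, LDAP, Local): a reject moves to the next backend."""
    backends: list

    def authenticate(self, user: str, password: str):
        tried = []
        for backend in self.backends:   # every request starts from the first backend
            tried.append(backend.name)
            try:
                verdict = backend.authenticate(user, password)
            except Timeout:
                continue                # unreachable: try the next backend
            if verdict == "accept":
                return "accept", tried
            # reject / user not found: fall through to the next backend
        return "reject", tried


def demo_failover():
    """Question 1: two RADIUS servers holding DISJOINT user databases."""
    r1 = Backend("radius-1", {"alice": "pw-a"})
    r2 = Backend("radius-2", {"bob": "pw-b"})
    wlc = FailoverList([r1, r2])
    out = {}
    out["bob_while_r1_up"] = wlc.authenticate("bob", "pw-b")        # radius-1 rejects; r2 never asked
    r1.reachable = False
    out["bob_after_r1_down"] = wlc.authenticate("bob", "pw-b")      # failover: radius-2 accepts
    r1.reachable = True
    out["alice_after_r1_back"] = wlc.authenticate("alice", "pw-a")  # still on radius-2: rejected
    return out


def demo_precedence():
    """Questions 2 and 3: RADIUS first, then LDAP, then Local, per request."""
    radius = Backend("radius", {"alice": "pw-a"})
    ldap = Backend("ldap", {"bob": "pw-b"})
    local = Backend("local", {"admin": "pw-l"})
    order = PrecedenceOrder([radius, ldap, local])
    return {
        "bob": order.authenticate("bob", "pw-b"),
        "alice": order.authenticate("alice", "pw-a"),
        "admin": order.authenticate("admin", "pw-l"),
        "mallory": order.authenticate("mallory", "guess"),
    }


if __name__ == "__main__":
    for label, result in {**demo_failover(), **demo_precedence()}.items():
        print(f"{label:22s} -> {result}")
```

Running it shows why merging or replicating the two RADIUS databases is the only way to get Question 1's behaviour from a same-type server list, while the web-auth precedence order does exactly what Question 3 describes: bob is rejected by RADIUS, accepted by LDAP, and the next request again begins at RADIUS.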

Source

This document has been created from the discussion mentioned below:

WLC Multiple Radius Servers