If I give a controller two or more RADIUS servers to check authentication against and the account does not exist in the first server, will it check the second server and then loop back to the first server for the next user?
Basically I have two disparate user databases and want to authenticate against both at the same time.
"If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on"
"The primary RADIUS server (the server with the lowest server index) is assumed to be the most preferable server for the controller. If the primary server becomes unresponsive, the controller switches to the next active backup server (the server with the next lowest server index). The controller continues to use this backup server forever, unless you configure the controller to fall back to the primary RADIUS server when it recovers and becomes responsive or to a more preferable server from the available backup servers."
The second statement is pretty clear and to the point, but I'm hoping the first statement means that if the server is up and simply does not authenticate the user, it will loop around, enabling me to use two disparate databases/servers simultaneously.
What the WLC provides is a failover system between RADIUS servers. So if the first server does not reply, it tries the second.
If the username does not show up in the first RADIUS server, that RADIUS server will most probably send back a RADIUS reject, which means the WLC should not authenticate the user. The 2nd RADIUS server will not be checked.
Some RADIUS servers would allow customization and would then simply not answer if the user is not found, but even then .... This means that if one user is not found on the first RADIUS server, the WLC will mark that server dead and won't try it until the 2nd WLC fails ...
The behavior you really want is to synchronize your 2 RADIUS servers to share databases. THAT would have the effect you are looking for.
This explanation is true for other Cisco devices like switches or routers. A RADIUS reject is an authentication failure, not a "try the next RADIUS server".
That makes sense and is indeed the default behaviour of most RADIUS products. I guess I was hoping the controller could circumnavigate the default behaviour of RADIUS because I can't merge these two databases.
I wonder then why the controller (for web authentication) lets you change the order for RADIUS, LDAP, and Local...
I could always query one of the databases using RADIUS and the other using LDAP, but if the first (say RADIUS) database does not contain the user and the second (LDAP) will never be checked, then why does the controller give you the option to change the order, I wonder? I mean, what's the point if the second won't be checked?
That order is different; it does act like you hope.
The idea there is "if RADIUS returns a reject, then maybe we have the user as a local admin in the local database?".
So yes, you can have one database being RADIUS and the other LDAP, and the WLC will search both if the first one doesn't return a success.
This is the same behavior as IOS, where you can define local as a fallback for the RADIUS server for authentication. We just have LDAP on top of it here.
In the case of one database in RADIUS and one database in LDAP with different subsets of users:
RADIUS is used first and, not containing the user, returns Reject or fail or whatever.
LDAP is used second and the user passes authentication.
The next user starts with RADIUS again and goes through the same process for each authentication request it receives.
The answer to the above-mentioned question is correct.
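As an added illustration (not part of the original thread), here is a small Python model of the two behaviours the replies describe: RADIUS server-list failover, where only an unreachable server moves the controller on and an Access-Reject ends the attempt, versus web-auth method order, where a reject falls through to the next method. The AuthStore class, the user maps and the method names are constructed for the example; the model also ignores the controller's stick-to-the-backup-server behaviour quoted above.

```python
from enum import Enum

class Result(Enum):
    """Outcome of one authentication request (constructed model)."""
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"   # server unreachable / no reply

class AuthStore:
    """A user database behind RADIUS, LDAP or local auth (constructed model)."""
    def __init__(self, name, users):
        self.name = name
        self.users = users    # constructed user -> password map
        self.up = True        # False models a dead/unreachable server

    def auth(self, user, password):
        if not self.up:
            return Result.TIMEOUT
        if self.users.get(user) == password:
            return Result.ACCEPT
        return Result.REJECT  # unknown user or bad password: Access-Reject

def radius_failover(servers, user, password):
    """Server-list behaviour from the thread: servers are tried in index order
    and only a TIMEOUT moves on to the next one. A REJECT ends the attempt,
    so a user known only to the second server is never looked up there.
    Returns (result, name of the server that answered or None)."""
    for srv in servers:
        result = srv.auth(user, password)
        if result is not Result.TIMEOUT:
            return result, srv.name
    return Result.TIMEOUT, None

def webauth_order(methods, user, password):
    """Web-auth method order (RADIUS, LDAP, Local): a method that does not
    return ACCEPT falls through to the next one, so disjoint user sets in
    different stores do work here. Returns (result, accepting method or None)."""
    for name, check in methods:
        if check(user, password) is Result.ACCEPT:
            return Result.ACCEPT, name
    return Result.REJECT, None

if __name__ == "__main__":
    r1 = AuthStore("radius-1", {"alice": "pw1"})
    r2 = AuthStore("radius-2", {"bob": "pw2"})
    print(radius_failover([r1, r2], "bob", "pw2"))   # (Result.REJECT, 'radius-1')
    ldap = AuthStore("ldap", {"bob": "pw2"})
    print(webauth_order([("RADIUS", r1.auth), ("LDAP", ldap.auth)], "bob", "pw2"))
    # (Result.ACCEPT, 'LDAP')
```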