06-24-2013 12:49 PM - edited 07-04-2021 12:16 AM
Hi,
I currently have a 2504 WLC at one office which forwards authentication requests to a Windows NPS server (using RADIUS). At another office there is also a 2504 which also forwards authentication to its own NPS server. This works great. The offices are on separate domains and I have users that travel between the offices. If I point my WLC at Office 1 to the NPS server at Office 2 it will allow users from Office 2 to connect while at Office 1 during tests (and vice versa). The question is: is there any way that the WLC can look at one NPS server OR another to authenticate requests? Perhaps this should be done on the NPS server to cover both domains; however, as I'm using computer certificate authentication (and would like to stick to this) for each domain on the respective NPS servers, it's proving a little tricky, hence the question of the possibility of the WLC being used. On the WLC I can add both NPS servers but it seems to be for redundancy rather than using multiple NPS servers at once.
Thanks
06-25-2013 09:11 PM
Yes, you can achieve this by load balancing on the WLC. Following is the link to configure load balancing for the RADIUS server on the WLC.
07-02-2013 11:19 PM
Hello Ravi, that link is for the new WLC with IOS-XE, not for 2504 WLC.
To respond to the original question, you can't use multiple RADIUS servers at once with WLC 2504. As a workaround you could use one ACS as your only RADIUS server. Then you configure this ACS with proxy RADIUS, so ACS could ask NPS1 and NPS2.
However I would recommend to change your NPS1 and NPS2 with two ACS in a distributed deployment. That way you have the same configuration for the two ACS.