04-12-2012 05:03 AM - edited 07-03-2021 09:59 PM
I have a number of WLCs using Cisco ACS version 4.2 on Windows and EAP-TLS to authenticate corporate WLAN clients against a back-end domain.
Is there any way that, if the WLC gets an authentication failure from the primary ACS, it will attempt the secondary ACS?
This is not in the case of an ACS failure, but of something such as a certificate expiry on one of the ACSs.
04-12-2012 05:18 AM
No, if the WLC gets a reject from one AAA server, it doesn't check the next server in the list.
If it gets no response, it will check the next one.
Steve
04-15-2012 02:09 AM
Jonathan:
Just like Steve mentioned, if the authenticator (the WLC in our case) receives a reply from the RADIUS server (either success or fail), it does not go to the second server in the list.
In your case, if there is an invalid certificate the authentication will fail, and the primary server that receives the request will reply with Access-Reject. So, because the RADIUS server replies, the WLC just accepts that and declares success or failure to the end station.
Amjad
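As an added illustration (not code from the thread or from Cisco), a small Python model of the authenticator behaviour Steve and Amjad describe: only a server that never answers triggers failover to the next entry in the list, while an Access-Reject, which is what an ACS with an expired EAP-TLS certificate will send, ends the attempt on the spot. The server names, the retransmit count and the response functions are constructed for the example; the real WLC timeout and retransmit values are configurable and are not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# The three things an authenticator can observe for one RADIUS request:
# a definitive Access-Accept, a definitive Access-Reject, or nothing at all.
ACCEPT = "Access-Accept"
REJECT = "Access-Reject"
NO_REPLY = None


@dataclass
class RadiusServer:
    """One entry in the authenticator's server list.

    `respond` is a constructed stand-in for the network: it takes the user
    name and returns ACCEPT, REJECT or NO_REPLY (a timeout).
    `retransmits` is how many times a request is sent before the server is
    treated as unreachable (an assumed value for this example).
    """
    name: str
    respond: Callable[[str], Optional[str]]
    retransmits: int = 2


@dataclass
class AuthResult:
    outcome: str                     # ACCEPT, REJECT or "no-response"
    answered_by: Optional[str]       # which server produced the outcome
    attempts: List[str] = field(default_factory=list)  # every request sent, in order


def authenticate(servers: List[RadiusServer], user: str) -> AuthResult:
    """Model of authenticator failover: move on only when a server never answers."""
    result = AuthResult("no-response", None)
    for srv in servers:
        for _ in range(srv.retransmits):
            result.attempts.append(srv.name)
            reply = srv.respond(user)
            if reply is not NO_REPLY:
                # Any reply, Accept OR Reject, ends the transaction. A Reject is
                # an answer, not a server failure, so no failover happens.
                result.outcome = reply
                result.answered_by = srv.name
                return result
        # Every retransmit to this server timed out: only now try the next one.
    return result


# Constructed server behaviours for the scenarios in the thread.
def expired_cert_server(user: str) -> Optional[str]:
    # EAP-TLS cannot complete against an expired server certificate, so the
    # server is alive and answers, but with a Reject.
    return REJECT


def healthy_server(user: str) -> Optional[str]:
    return ACCEPT


def dead_server(user: str) -> Optional[str]:
    return NO_REPLY


def expired_cert_scenario() -> AuthResult:
    """Primary has an expired certificate, secondary is fine."""
    return authenticate([RadiusServer("primary", expired_cert_server),
                         RadiusServer("secondary", healthy_server)], "jonathan")


def primary_down_scenario() -> AuthResult:
    """Primary is unreachable, secondary is fine."""
    return authenticate([RadiusServer("primary", dead_server),
                         RadiusServer("secondary", healthy_server)], "jonathan")


if __name__ == "__main__":
    for label, fn in (("expired cert on primary", expired_cert_scenario),
                      ("primary down", primary_down_scenario)):
        r = fn()
        print(f"{label}: {r.outcome} from {r.answered_by}, requests sent to {r.attempts}")
```

Running it shows the two cases side by side: with the expired certificate the client is rejected after a single request to the primary and the secondary is never contacted, whereas with the primary silent the request is retransmitted, then answered by the secondary.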
04-16-2012 12:54 AM
Thanks, this is what I thought. I am now looking to see if I can tie the ACS process on the Windows server to the certificate, so Windows will disable the ACS process if the current certificate has expired.
As this is all this ACS is doing at the moment.
Jonathan