Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
924
Views
0
Helpful
1
Replies

wlc with multiple radius servers

craig.eyre
Level 1
Level 1

‎09-10-2013 09:18 AM - edited ‎07-04-2021 12:48 AM

Hey All,

I've installed a second Cisco ACS server for redundancy on our WPA2/AES/802.1X wlan and I was wondering how this will affect user connections. I have 2 ACS's with 2 different certificates and they are setup as radius 1 and 2 under this specific wlan. I'm concerned that when a user connects and authenticates to ACS1 and then later on roams or reauthenticated due to some timer that they'll hit ACS2 and the client won't have an existing session built and fail.

1. Can someone elaborate on when the 2nd radius server gets used. round robin or only when ACS 1 is unresponsive/failed user login.

2. Is there a better way to work with this senario? i.e. 1 cert (e.g) wireless.xxx.yyy and put the acs's behind a load balancer?

3. Can I get the load balance affect with just the wlc's and the ACS's?

I'm just trying to verifiy a few things before I go live with it.

Thanks

Craig

Labels:
0 Helpful
1 Reply 1

George Stefanick
VIP Alumni
VIP Alumni

‎09-10-2013 09:47 AM

Criag,

1. No round robin. The WLC will only flip to the next radius server when the radius server doesn't respond. We have seen issues where the radius server services go down and user auth fails BUT it still responds to the WLC so the WLC doesn't flip to the next one.

2. You can put a load balancer in front for the cert. If you don't, you could get the vaidlate this cert window on some clients like macs and i devices. They will need to validate each cert once before connecting when authing to the radius. They wont be asked again, unless they forget the network and reconnect.

As for roaming. Once a client authenticates the first time a MSK is generated. Its used for seeding material for the PMK key. The PMK key is moved from the radius server to the WLC. This is a session thing. When a client roams from ap to ap or across controller the PMK key is moved with him. This is assuming the client supports OKC.

Hope this helps ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card