I've installed a second Cisco ACS server for redundancy on our WPA2/AES/802.1X WLAN and I was wondering how this will affect user connections. I have 2 ACSs with 2 different certificates and they are set up as RADIUS 1 and 2 under this specific WLAN. I'm concerned that when a user connects and authenticates to ACS1 and then later on roams or reauthenticates due to some timer, they'll hit ACS2 and the client won't have an existing session built and will fail.
1. Can someone elaborate on when the 2nd RADIUS server gets used? Round robin, or only when ACS1 is unresponsive / a user login fails?
2. Is there a better way to work with this scenario? i.e. 1 cert (e.g. wireless.xxx.yyy) and put the ACSs behind a load balancer?
3. Can I get the load-balance effect with just the WLCs and the ACSs?
I'm just trying to verify a few things before I go live with it.
1. No round robin. The WLC will only flip to the next RADIUS server when the RADIUS server doesn't respond. We have seen issues where the RADIUS server services go down and user auth fails BUT it still responds to the WLC, so the WLC doesn't flip to the next one.
2. You can put a load balancer in front for the cert. If you don't, you could get the "validate this cert" window on some clients like Macs and iDevices. They will need to validate each cert once before connecting when authing to the RADIUS. They won't be asked again, unless they forget the network and reconnect.
As for roaming: once a client authenticates the first time, an MSK is generated. It's used as seeding material for the PMK key. The PMK key is moved from the RADIUS server to the WLC. This is a session thing. When a client roams from AP to AP or across controllers, the PMK key is moved with him. This is assuming the client supports OKC.
Hope this helps ..
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
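To make the roaming part of the answer concrete, here is an added Python example (my own illustration, not code from the thread, Cisco or ACS) of the key hierarchy it describes: the RADIUS server hands the WLC an EAP MSK, the WLC keeps the first 256 bits as the PMK, and with Opportunistic Key Caching the same PMK is reused on every AP the controller manages. On a roam the client presents a PMKID computed as HMAC-SHA1-128(PMK, "PMK Name" || AP BSSID || client MAC) per IEEE 802.11; if the WLC derives the same value from its cached PMK, no EAP exchange (and therefore no contact with ACS1 or ACS2) is needed before the 4-way handshake. The MSK, BSSIDs and client MAC are constructed sample values, and the `OkcController` class is a toy model of the controller's cache, not a Cisco API.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): a 64-byte EAP MSK as a
# RADIUS server would return it, two AP BSSIDs on the same WLC, one client MAC.
SAMPLE_MSK = bytes(range(64))
AP1_BSSID = "00:11:22:33:44:01"
AP2_BSSID = "00:11:22:33:44:02"
CLIENT_MAC = "aa:bb:cc:dd:ee:ff"


def mac_bytes(addr: str) -> bytes:
    """Parse a colon- or dash-separated MAC address into 6 raw bytes."""
    raw = bytes.fromhex(addr.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 6-byte MAC: {addr}")
    return raw


def pmk_from_msk(msk: bytes) -> bytes:
    """IEEE 802.11 / RFC 5247: the PMK is the first 256 bits of the EAP MSK."""
    if len(msk) < 32:
        raise ValueError("MSK shorter than 256 bits")
    return msk[:32]


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """IEEE 802.11 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    AA is the authenticator (AP BSSID) address, SPA the supplicant (client) MAC."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class OkcController:
    """Toy model (assumption, not Cisco's implementation) of a WLC that caches one
    PMK per client and reuses it for every AP it manages (Opportunistic Key Caching)."""

    def __init__(self) -> None:
        self._pmk_by_client: dict = {}

    def full_eap_auth(self, client: str, msk: bytes) -> bytes:
        """First association: RADIUS returns the MSK, the WLC derives and caches the PMK."""
        pmk = pmk_from_msk(msk)
        self._pmk_by_client[mac_bytes(client)] = pmk
        return pmk

    def reassociate(self, client: str, bssid: str, presented_pmkid: bytes):
        """Roam to another AP. If the PMKID the client presents matches the one the
        WLC derives for (cached PMK, this AP, this client), skip EAP and return the
        PMK for the 4-way handshake. Otherwise return None so the caller falls back
        to a full 802.1X exchange, which is the only path that touches RADIUS."""
        spa = mac_bytes(client)
        pmk = self._pmk_by_client.get(spa)
        if pmk is None:
            return None
        expected = pmkid(pmk, mac_bytes(bssid), spa)
        if hmac.compare_digest(expected, presented_pmkid):
            return pmk
        return None


def demo() -> dict:
    """Authenticate on AP1, then roam to AP2 with a correct, a stale, and an unknown-client PMKID."""
    wlc = OkcController()
    pmk = wlc.full_eap_auth(CLIENT_MAC, SAMPLE_MSK)
    # Supplicant side: the client derives the same PMK from the same MSK and
    # computes the PMKID for the AP it is roaming to.
    client_pmk = pmk_from_msk(SAMPLE_MSK)
    good = pmkid(client_pmk, mac_bytes(AP2_BSSID), mac_bytes(CLIENT_MAC))
    # A PMKID computed for AP1 is bound to AP1's BSSID and must not be accepted by AP2.
    stale = pmkid(client_pmk, mac_bytes(AP1_BSSID), mac_bytes(CLIENT_MAC))
    return {
        "pmk_len": len(pmk),
        "roam_ok": wlc.reassociate(CLIENT_MAC, AP2_BSSID, good) == pmk,
        "stale_rejected": wlc.reassociate(CLIENT_MAC, AP2_BSSID, stale) is None,
        "unknown_client": wlc.reassociate("00:00:00:00:00:01", AP2_BSSID, good) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point for the original question: as long as the client supports OKC and stays on controllers that share the PMK, a roam never creates a new RADIUS session, so it does not matter which ACS holds the original one. A full re-authentication (PMK cache miss, session timeout, or a client without OKC) is what can land on ACS2, and since each 802.1X exchange is self-contained on the RADIUS side, that only fails if the client rejects ACS2's different server certificate, which is the certificate-validation prompt the answer mentions.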