
RADIUS Server Fallback Feature on Wireless LAN Controllers (WLC) Configuration Example

Introduction

This document demonstrates how to configure the RADIUS server fallback feature with Wireless LAN Controllers (WLCs).

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Basic knowledge of the configuration of Lightweight Access Points (LAPs) and Cisco WLCs

  • Basic knowledge of Lightweight Access Point Protocol (LWAPP)

  • Basic knowledge of Wireless Security Solutions

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 4400 WLC that runs firmware release 5.0

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

RADIUS Server Fallback Feature

WLC software releases before 5.0 do not support a RADIUS server fallback mechanism: when the primary RADIUS server becomes unavailable, the WLC fails over to the next active backup RADIUS server and continues to use that secondary server indefinitely, even after the primary server becomes available again. Usually the primary server is the higher-performance and preferred server.

WLC release 5.0 adds the RADIUS server fallback feature. With it, the WLC can be configured to check whether the primary server is available again and to switch back to it once it is. To do this, the WLC supports two new modes, passive and active, for checking the status of a RADIUS server. The WLC returns to the most preferred server after the configured timeout value.

Fallback Modes

Active Mode

In active mode, when a server does not respond to a WLC authentication request, the WLC marks the server as dead, moves it to the non-active server pool, and starts sending probe messages periodically until that server responds. When the server responds, the WLC moves it back to the active pool and stops sending probe messages. In this mode, when an authentication request arrives, the WLC always picks the lowest-index (highest-priority) server from the active pool of RADIUS servers.

The WLC sends a probe packet after timeout (default 300 sec) to determine server status in case the server was unresponsive earlier.

Passive Mode

In passive mode, if a server does not respond to a WLC authentication request, the WLC moves the server to the inactive queue and sets a timer. When the timer expires, the WLC moves the server back to the active queue regardless of the server's actual status. When an authentication request arrives, the WLC picks the lowest-index (highest-priority) server from the active queue, which might now include a server that is still down. If that server does not respond, the WLC marks it inactive again, restarts the timer, and moves on to the next-highest-priority server. This process continues until the WLC finds a responding RADIUS server or the active server pool is exhausted.

The WLC assumes the server is active after timeout (default 300 sec) in case the server was unresponsive earlier. If it is still unresponsive, the WLC waits for another timeout and tries again when an authentication request comes in.

Off Mode

In off mode, the WLC supports failover only; in other words, fallback is disabled. When the primary RADIUS server goes down, the WLC fails over to the next active backup RADIUS server and continues to use that secondary server indefinitely, even after the primary server becomes available again.
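The three modes differ in when a dead server is allowed back into the active pool and in who pays for the check. The following model is an added example, not Cisco code; it implements the selection rules described in the three sections above for a two-server list (index 1 is the primary) and records which servers each authentication request had to try. The `is_up` callback, the request times and the outage window are constructed inputs; in active mode the periodic probe is modelled as a check made once the interval has elapsed rather than as a separate timer.

```python
"""Toy model of the WLC RADIUS fallback modes (off / passive / active).

Constructed for illustration only; it is not Cisco code and models the
behaviour described on this page, not the controller's internals. Index 1
is the highest-priority server, as in the WLC's server list.
"""


class FallbackModel:
    """Tracks which RADIUS servers are considered active and selects one
    per authentication request, in 'off', 'passive' or 'active' mode."""

    def __init__(self, server_indexes, mode="off", interval=300):
        if mode not in ("off", "passive", "active"):
            raise ValueError(f"unknown fallback mode: {mode}")
        self.mode = mode
        self.interval = interval               # probe interval / inactive time (s)
        self.active = sorted(server_indexes)   # active pool, lowest index first
        self.inactive = {}                     # idx -> time the server was marked dead

    def _revive(self, now, is_up):
        """Apply the per-mode rule to servers whose timer has expired."""
        for idx, dead_at in list(self.inactive.items()):
            if now - dead_at < self.interval:
                continue
            if self.mode == "active":
                # Probe the dead server (modelled as is_up at probe time);
                # it returns to the pool only if it answers the probe.
                if is_up(idx, now):
                    del self.inactive[idx]
                    self.active.append(idx)
                else:
                    self.inactive[idx] = now   # probe again after another interval
            elif self.mode == "passive":
                # Assume the server is back, regardless of its real status.
                del self.inactive[idx]
                self.active.append(idx)
            # mode "off": a dead server never returns to the pool
        self.active.sort()

    def authenticate(self, now, is_up):
        """Handle one authentication request at time `now`.

        `is_up(idx, now)` says whether server idx answers. Returns
        (server_used, servers_tried); server_used is None when the active
        pool is exhausted. Every entry in servers_tried beyond the first
        cost the client one RADIUS timeout.
        """
        self._revive(now, is_up)
        tried = []
        for idx in list(self.active):          # highest priority first
            tried.append(idx)
            if is_up(idx, now):
                return idx, tried
            # No response: mark dead and fail over to the next server
            self.active.remove(idx)
            self.inactive[idx] = now
        return None, tried


def run_scenario(mode, interval=300, primary_down=(0, 400),
                 request_times=(0, 100, 350, 700)):
    """Two servers (1 = primary, 2 = backup); the primary is unreachable
    during [start, end). Returns (server_used, servers_tried) per request."""
    start, end = primary_down

    def is_up(idx, now):                       # constructed availability
        return not (idx == 1 and start <= now < end)

    model = FallbackModel([1, 2], mode, interval)
    return [model.authenticate(t, is_up) for t in request_times]


if __name__ == "__main__":
    for mode in ("off", "passive", "active"):
        print(f"{mode:8s}", run_scenario(mode))
```

With the default scenario (primary down for the first 400 seconds, 300-second interval), off mode never leaves the backup; passive mode retries the primary at t=350 on the client's request and so adds a timeout to that authentication before reaching the backup; active mode probes the primary at t=350 out of band, keeps serving the client from the backup, and only routes the t=700 request back to the primary once a probe has succeeded.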

Configure the RADIUS Server Fallback Feature Using the Command Line Interface (CLI)

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Use the following commands from the WLC CLI to enable the RADIUS server fallback feature on the WLC.

The first step is to select the RADIUS server fallback mode. As described earlier, the WLC supports active and passive fallback modes; off disables fallback.

In order to select the mode of fallback, use this command:

WLC1 > config radius fallback-test mode {active/passive/off}

  • active—Sends probes to dead servers to test status.

  • passive—Sets server status based on last transaction.

  • off—Disables server fallback test (default).

The next step is to set the interval, which is the probe interval in active mode or the inactive time in passive mode.

In order to set the interval, use this command:

WLC1 > config radius fallback-test interval {180 - 3600}

<180 to 3600>—Enter probe interval or inactive time in seconds (default 300).

The interval specifies the probe interval in the case of active mode fallback or inactive time in the case of passive mode fallback.

For active mode of operation, you need to configure a username which will be used in the probe request sent to the RADIUS server.

In order to configure the username, use this command:

WLC1 > config radius fallback-test username {username}

<username>—Enter name up to 16 alphanumeric characters (default "cisco-probe").

Note: You can enter your own username or keep the default, which is "cisco-probe". Because this username is used only in probe messages, you do not need to configure a password for it.

Configure the RADIUS Server Fallback Feature Using the Graphical User Interface (GUI)

Complete these steps in order to configure the WLC using the GUI:

  1. The first step is to configure the mode of RADIUS server fallback. In order to do this, select Security > RADIUS > Fallback from the WLC GUI.

    The RADIUS > Fallback Parameters page appears.

  2. From the Fallback Mode pull-down menu, choose the fallback mode. The available options are active, passive and off.

    Here is an example screenshot for configuring active fallback mode:

    [Screenshot radius-fbkftr-wlc-config1.gif: RADIUS > Fallback Parameters page with Fallback Mode set to active]

  3. For active mode of operation, enter the username in the username field.

  4. Enter the probe interval value in the Interval in sec. field.

  5. Click Apply.

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

You can use this show command to verify your fallback configuration:

  • show radius summary

    Here is an example:

    WLC1 >show radius summary 
    
    Vendor Id Backward Compatibility................. Disabled
    Call Station Id Type............................. IP Address
    Aggressive Failover.............................. Enabled
    Keywrap.......................................... Disabled
    
    Fallback Test:
    Test Mode.................................... Active
    Probe User Name.............................. testaccount
    Interval (in seconds)........................ 180
    
    Authentication Servers
    
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    ---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
    1    NM    10.1.1.12         1812    Enabled   2     Disabled  Disabled - none/unknown/group-0/0 none/none
    
    Accounting Servers
    
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/E
    ---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
    1    N     10.1.1.12         1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
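When the controller estate is larger than one box, it is easier to collect this output and check it programmatically than to read it by eye. The script below is an added example, not a Cisco tool: it parses the `show radius summary` output shown above (embedded as `SAMPLE`) and reports the conditions under which fallback cannot do its job, such as the test mode being Off, an interval outside the 180 to 3600 second range accepted by the CLI, active mode without a probe user name, or a single authentication server, which is the case in this page's sample. The dotted `Name.... Value` layout and the server table columns are assumed to match the release shown here; other releases may need the regular expressions adjusted.

```python
"""Check a WLC 'show radius summary' dump for a usable fallback configuration.

Added example, not Cisco tooling. SAMPLE is the output shown on this page;
the parser relies only on the dotted 'Name.... Value' layout and the
server table columns visible there (assumption: other releases may differ).
"""
import re

SAMPLE = """\
Vendor Id Backward Compatibility................. Disabled
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled

Fallback Test:
Test Mode.................................... Active
 Probe User Name.............................. testaccount
 Interval (in seconds)........................ 180

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    NM    10.1.1.12         1812    Enabled   2     Disabled  Disabled - none/unknown/group-0/0 none/none

Accounting Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    N     10.1.1.12         1813    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none
"""

# "Some Name.......... Value" lines; two or more dots separate name and value
FIELD_RE = re.compile(r"^\s*(.+?)\.{2,}\s*(.*?)\s*$")
# Server table rows: Idx, Type, IPv4 address, Port, State
SERVER_RE = re.compile(r"^\s*(\d+)\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\w+)")


def parse_radius_summary(text):
    """Return (fields, auth_servers): the dotted name/value pairs and the
    rows of the Authentication Servers table."""
    fields, auth_servers, section = {}, [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Authentication Servers"):
            section = "auth"
            continue
        if stripped.startswith("Accounting Servers"):
            section = "acct"
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
            continue
        m = SERVER_RE.match(line)
        if m and section == "auth":
            auth_servers.append({"idx": int(m.group(1)), "address": m.group(2),
                                 "port": int(m.group(3)), "state": m.group(4)})
    return fields, auth_servers


def check_fallback(text, min_interval=180, max_interval=3600):
    """Evaluate the fallback settings and return a summary with findings."""
    fields, auth_servers = parse_radius_summary(text)
    findings = []
    mode = fields.get("Test Mode", "Off").lower()
    interval = int(fields.get("Interval (in seconds)", "0") or 0)
    if mode == "off":
        findings.append("fallback test mode is Off: the WLC fails over but never "
                        "returns to the primary server")
    elif not (min_interval <= interval <= max_interval):
        findings.append(f"interval {interval}s is outside the "
                        f"{min_interval}-{max_interval}s range")
    if mode == "active" and not fields.get("Probe User Name"):
        findings.append("active mode configured without a probe user name")
    if len(auth_servers) < 2:
        findings.append(f"only {len(auth_servers)} authentication server(s) "
                        "configured; fallback needs at least two")
    return {"mode": mode, "interval": interval,
            "servers": auth_servers, "findings": findings}


if __name__ == "__main__":
    result = check_fallback(SAMPLE)
    print(result["mode"], result["interval"], [s["address"] for s in result["servers"]])
    for f in result["findings"]:
        print("finding:", f)
```

On the page's own sample the only finding is the single authentication server: the fallback test is configured correctly, but with one server there is nothing to fall back to or from.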

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

  • debug dot1x events enable—Configures debugs of 802.1X events.

  • debug aaa events enable—Configures debugs of all AAA events.

Related Information

Updated: Apr 30, 2008
Document ID: 106258