NXC2500 switching between primary and secondary radius server doesn't work

Wojtas
Wojtas Posts: 49  Freshman Member
edited August 2022 in WirelessLAN
Hello, 

As described in the topic. I have configured SSID on NXC2500 with External Radius Server type (primary and secondary). The configuration has been provisioned to all my UAP. I can connect to WiFi with AD credentials, but when I turn off the primary radius server, I can't connect to WiFi. What's more, I don't see any attempts of authentication from UAP in the secondary radius server.

When I set up the secondary as primary, the situation is the same: I can connect when the primary server is turned on.

All Replies

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    Hi @Wojtas,
    I used my NXC to do the test and set the RADIUS server as in the screenshot below.

    When the station is not able to connect to the first server, the station can authenticate with the backup server and connect to WiFi.
    To check your issue in more detail, please collect diagnostics in MAINTENANCE> Diagnostics> Diagnostics, and capture the packets of the NXC uplink interface when you are doing the authentication. You may capture the packets in MAINTENANCE> Diagnostics> Packet capture as in the screenshot below.

    After collecting related information, please PM me the files.
    Thanks.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    Hi @Zyxel_Freda

    Maybe I have been a little bit imprecise. I have configured an external RADIUS server for the SSID, like this:




  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    Hi @Wojtas,
    Thanks for providing the setting information. After doing a test, we can reproduce the issue you mentioned and have started to check the details. I'll update you as soon as we make any progress.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    Hi @Zyxel_Freda

    Thank you for the info, I am waiting for the release which fixes it :)
  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    Hi @Wojtas,
    After we checked the issue, it's related to the mechanism of connection between the AP and the RADIUS server, so we'd like to check more details of the AP models and connected client info. May I know your AP model name?
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    Hi, @Zyxel_Freda

    Sure, I have four WAC6303D-S
  • Zyxel_CSO
    Zyxel_CSO Posts: 375  Zyxel Employee
    Hi @Wojtas,
    According to the mechanism of the external RADIUS on the AP, the AP tries to connect to the primary RADIUS server for 12 seconds, and then the AP tries to connect to the secondary RADIUS server after 12 seconds. However, in our captured packets, the connection between the AP and station had already timed out even though the AP did try to connect to the secondary server and marked the primary AP as failed to connect.
    So, when the station connected to the AP the 2nd time, the AP connected to the secondary server directly because the primary server was marked as failed to connect, so the station could authenticate successfully in time. That means the station could connect to the secondary server successfully when it connected to the AP the 2nd time.
    May I know whether you tested with a single connection, or tried to connect several times after the connection timeout?
    If you tried to connect the station to the AP several times but it still failed to authenticate with the secondary server, please collect the two items below for us to check the details.
    1. Please capture the packets on the AP in MAINTENANCE> Diagnostics> Packet Capture> Capture on AP when doing the connection.
    2. Please collect the diagnostics of the AP in MAINTENANCE> Diagnostics> Diagnostic> AP.
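
The timing described in the reply above, as an added simulation that is not part of the original thread and not Zyxel's code. The 12-second primary wait comes from the reply; the 10-second station timeout, the 0.05 s server reply time and the per-AP "primary failed" state are assumptions chosen for illustration, and the second scenario covers the AP-1/AP-2 roaming observation raised later in the thread.

```python
from dataclasses import dataclass

PRIMARY_WAIT_S = 12     # from the thread: AP tries the primary for 12 s first
STATION_TIMEOUT_S = 10  # assumption: station abandons the attempt after 10 s
SERVER_REPLY_S = 0.05   # assumption: reply time of a reachable RADIUS server


@dataclass
class AccessPoint:
    name: str
    primary_marked_failed: bool = False  # assumption: tracked per AP

    def authenticate(self, primary_up, secondary_up, station_timeout):
        """Return (result, seconds the station waited) for one attempt."""
        waited = 0.0
        if not self.primary_marked_failed:
            if primary_up:
                return "accept via primary", SERVER_REPLY_S
            # Primary is silent: the AP waits out the window, marks it failed.
            waited = float(PRIMARY_WAIT_S)
            self.primary_marked_failed = True
            if waited > station_timeout:
                # The AP moves on to the secondary, but the station has left.
                return "station timed out", float(station_timeout)
        if secondary_up:
            return "accept via secondary", waited + SERVER_REPLY_S
        return "station timed out", float(station_timeout)


def simulate(ap_sequence, primary_up=False, secondary_up=True,
             station_timeout=STATION_TIMEOUT_S):
    """Replay association attempts; ap_sequence lists the AP used each time."""
    aps, log = {}, []
    for name in ap_sequence:
        ap = aps.setdefault(name, AccessPoint(name))
        result, waited = ap.authenticate(primary_up, secondary_up,
                                         station_timeout)
        log.append((name, result, waited))
    return log


if __name__ == "__main__":
    for title, seq in [("same AP twice", ["AP-1", "AP-1"]),
                       ("roaming", ["AP-1", "AP-2", "AP-1"])]:
        print(title)
        for name, result, waited in simulate(seq):
            print(f"  {name}: {result} after {waited:.2f} s")
```

Passing a `station_timeout` above 12 makes the first attempt succeed via the secondary in this model, which shows that the failure depends on the station giving up before the AP's 12-second window ends.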
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    I have tried a few times, but I couldn't connect when the first NPS server was turned off. I collected the files, but I can't send them to you by the forum because the file format is not allowed. How can I share it with you?

    I have one more observation... It looks like my laptop is switching between APs. First it tried to connect to AP-1, next not to AP-1 but to AP-2. 

    In my opinion it shouldn't matter, switching between RADIUS servers should be fast and smooth. The end user can't try 10 times to connect if I have two redundant RADIUS servers.
  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    Hi @Wojtas,
    Would you PM me the files that you collected?
    If the station connects to the first AP twice, would it pass the authentication on the 2nd connection?
    If it's not possible to attach the file via message, would you please put it on a cloud server and share a link to download it?
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    I will try to test it on Monday morning again. I have people working on the WLAN.