
Re: RADIUS Failover options?

 
NeilR
Esteemed Contributor

RADIUS Failover options?

Looking through the docs I see mention of a server failover option, but not much on how to set it up.

Would really like some way for clients to authenticate in case of RADIUS failure. What's the best way to set this up?

Duplicate the whole IMC server, which is implied & supported by license, and list it as second RADIUS server?

What about the DB? One copy seems like the way it should work. Keep it on the 1st IMC server or move it to a separate server?

Does UAM care or does it just need to see LDAP server(s)?

tia

Neil

6 REPLIES 6
Jorge_Rojas
Occasional Visitor

Re: RADIUS Failover options?

I think that you can configure IMC in a distributed architecture and implement 2 UAM machines as slaves; then on the authentication device (access switch, wireless controller, etc.) you can configure the primary and the secondary RADIUS authentication servers as the 2 IPs of both UAMs.

About the database HA, I think the better solution is to implement a cluster.

NeilR
Esteemed Contributor

Re: RADIUS Failover options?

Thinking about it, since IMC is virtualized, recovery is not too hard if it has an issue. Maybe some data loss, but management functions would come back quickly enough. Main issue for me is client reauthentication if no one has noticed the failure of the IMC RADIUS services via UAM when the reauthentication period expires. So a second UAM is more in line with that. Also handy if I need to take the main system offline for maintenance or update. Not sure if UAM needs to see the DB to function in that mode.

How to set it up is the question

Or maybe I just use ms npa rules to cover as much as I can
Thx
NeilR
Esteemed Contributor

Re: RADIUS Failover options?

Setting up the VLAN tagged attributes was making the MS NPS solution complicated.

Since I already had PCM doing the same job, I made that the backup RADIUS. Already getting my users from AD, and my existing MAC address via the OUI function.

NeilR
Esteemed Contributor

Re: RADIUS Failover options?

I decided to try the stateless backup option using a second IMC installation. I learned that cloning the VM was not an option, so I built up a new install and activated backup licenses on it. Confirmed that my LDAP and UAM users would authenticate, so that problem is solved.

Deployment of secondary RADIUS information to access switches is easy - just deploy them as access devices on the backup server and it adds the configs to the switches. Some other issues from stateless backups - make sure SNMP access is configured for the secondary server or else a bunch of errors are generated. Also my NTA probe has decided to send all its data to the backup. Only the local admin account came across for IMC access.

NeilR
Esteemed Contributor

Re: RADIUS Failover options?

More issues with the standby IMC server. 

NTA: after I brought up the second server, the NTA probe, implemented on VMware using the IMC_vMon_7.1_E0301.ova template, started sending all its data to the backup server instead. And it only displays on the backup server. The main server shows no traffic accumulating. I tried shutting down the backup, and it sent traffic to the main, but no display.

The interface and VLAN traffic from the switch goes to main server.

I have had issues before with the probe displaying second interface traffic.

Server config is not changeable and is set to the localhost address, otherwise I'd set to point to main. Not the end of the world - I can log in and review there. 

Backup for authentication: For PCs running 802.1 wired, works fine, probably even for wireless as well, didn't test. However, for iPhones using Windows creds to log in, the user must accept the self-signed certificate from the IMC RADIUS server.

The certificate is different for the backup system because the host name is different, so the user must "forget" the network and reconnect again with credentials. This is a bit annoying, but in a failover situation, at least acceptable.

Any thoughts on these issues?

mbinder
Visitor

Re: RADIUS Failover options?

This feature is being improved with 7.2.

7.1 implementation is rather difficult/manual steps etc.