radius failover erratic behviour

RouterOS General
1

Hello,

I do have following setup:

hap-ac with wireless/PEAP

  1. radius servers:
    2.1. both radius servers are using the same ldap backend server on a different machine.
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7709E56724
/radius
add address=192.168.50.10 comment="primary radius server" secret=XXZZXX service=ppp,wireless,ipsec timeout=3s
add address=192.168.100.40 comment="backup radius server" secret=XXZZXX service=ppp,wireless,ipsec timeout=3s

So far so good, all wireless clients can authenticate.
BUT, IF i shut down primary radius server (192.168.50.10) ALL, wireless clients can no longer authenticate.

HERE IS the interesting part.
IF i login to winbox and move “backup radius server” to 1st position, again clients can authenticate.

# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7709E56724
/radius
add address=192.168.100.40 comment="backup radius server" secret=XXZZXX service=ppp,wireless,ipsec timeout=3s
add address=192.168.50.10 comment="primary radius server" secret=XXZZXX service=ppp,wireless,ipsec timeout=3s

But this approach is against the concept of failover or is just by design like this ?

2

Hello,

I am facing the very similar issue with failover for wireless MAC authentication via RADIUS.

AP has properly working wireless MAC authentication via RADIUS, there is one RADIUS server present in the config

/radius add address=IP_address_of_radius_1 secret=xxxxx service=wireless timeout=1s

Steps to reproduce:

  1. add the secondary radius server
/radius add address=IP_address_of_radius_2 secret=xxxxx service=wireless timeout=1s

  1. shut down the first radius server

  2. kick an registered client of AP (or all clients, does not matter)

  3. client asks AP to re-register

  4. AP tries to properly contact the first radius server (which is down), it gots no response

  5. after the timeout, AP contacts then the second RADIUS server and gots the successful response

  6. the wireless client is registered

  7. after a short time (1-5 seconds), the client gets unregistered

  8. the process repeats infinitely, starting from the point 4

Any solution or ideas?

Thank you,
Jan