[WLC] What is the expected behavior for Authentication and Accounting requests when multiple RADIUS servers are in a server group?

Article ID: KB25656 KB Last Updated: 05 Sep 2012 Version: 1.0
Summary:
This article describes the expected behavior when multiple RADIUS servers are configured in a server group that is used for both Authentication and Accounting.
Symptoms:
  • Within the Mobility System Software (MSS), Authentication and Accounting messages are configured to be sent to a server group instead of an individual server.

  • A server group is made up of one to four individual servers and may be further configured to use round-robin load balancing (for example, with two servers, Srv1 and Srv2: Req1 is sent to Srv1, Req2 is sent to Srv2, Req3 is sent to Srv1, and so on).

  • In a configuration in which a server group is made up of two or more servers with server load balancing (round-robin) enabled, and the same server group is used for both Authentication and Accounting of an SSID, a client's authentication packets may be sent to one server while the client's accounting packets are sent to another server.
Cause:
  • A client's authentication and accounting packets going to separate servers is expected behavior and is by design in MSS.

  • The Authentication and Accounting requests are handled independently of each other, which allows any of the servers in a server group to be selected, depending on the number of concurrent client requests in the system.
Solution:
  • If authentication and accounting messages must go to the same server for every client, the server group has to be configured with only one server.

  • Alternatively, multiple servers can be added to the server group and load balancing can be disabled, so that there is an attempt at more defined behavior (Authentication and Accounting requests are attempted to the first server, and to the next server in the group only if the first server is sensed as down).

  • However, it is still possible for certain clients' authentication and accounting requests to go to separate servers, due to the timing of marking a server down.
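
A simplified model of the server selection described above, as an added example (not Juniper's or MSS's code). It assumes a single round-robin pointer shared by every request sent to the group and models "marked down" as a request index (down_after, a hypothetical parameter); the client names and request sequence are constructed.

```python
from itertools import cycle

def dispatch(requests, servers, load_balance=True, down_after=None):
    """Assign each (client, kind) request to a server in the group.

    load_balance=True : round-robin (Req1 -> Srv1, Req2 -> Srv2, Req3 -> Srv1 ...).
    load_balance=False: always the first server, moving to the next one only
                        once the first is marked down. down_after is the index
                        of the first request that sees it as down (assumption).
    """
    rr = cycle(servers)
    placed = {}
    for i, (client, kind) in enumerate(requests):
        if load_balance:
            server = next(rr)
        else:
            first_down = down_after is not None and i >= down_after
            use_next = first_down and len(servers) > 1
            server = servers[1] if use_next else servers[0]
        placed.setdefault(client, {})[kind] = server
    return placed

def split_clients(placed):
    """Clients whose authentication and accounting used different servers."""
    return sorted(c for c, k in placed.items()
                  if "auth" in k and "acct" in k and k["auth"] != k["acct"])

# Constructed sample: three clients authenticate, then accounting starts.
REQUESTS = [("A", "auth"), ("B", "auth"), ("C", "auth"),
            ("A", "acct"), ("B", "acct"), ("C", "acct")]
GROUP = ["Srv1", "Srv2"]

if __name__ == "__main__":
    cases = [
        ("round-robin, two servers", GROUP, {}),
        ("round-robin, one server", ["Srv1"], {}),
        ("no load balancing, all up", GROUP, {"load_balance": False}),
        ("no load balancing, Srv1 marked down mid-run", GROUP,
         {"load_balance": False, "down_after": 4}),
    ]
    for label, group, kwargs in cases:
        result = split_clients(dispatch(REQUESTS, group, **kwargs))
        print(f"{label}: split clients = {result}")
```

When auditing sessions in this kind of deployment, accounting records for a client may need to be collected from every server in the group, not only the one that handled its authentication.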