AAA- Multisite


We initially had an installer help us configure our HiveManager, and we had a few offices that connected right off the bat.  Going in to find out what they did has been eye-opening.


Our primary SSID is Company_Corp, and it would appear that almost all the APs have been configured as RADIUS servers. They have similar configurations, but it seems like overkill. We've got 3 locations set up right now, and they pretty much connect back to our DC that sits in a data center.

Additionally, under AAA Client settings of the main client that is configured, under RADIUS servers I have 2 entries, AAAServerMultisite and AAABackup. These are filled with all the other APs.

I don't have a lot of APs (13), and I don't have a large number of users. I haven't had any complaints on speed, but I'm worried that it might be a problem in the future. I have 7 more offices to provision APs to, and I'd rather not continue this trend.

Sorry if I'm talking too much, just finished a training session, and I'm still a little overwhelmed.

Please ask any questions!




Geoff Wilson

Posted 4 years ago

Travis Kaufman, Champ

At each remote site, best practice is to have 2 APs act as RADIUS servers: Primary1 and Backup1.
- All other APs should be added as NAS clients so when they query AD, it goes from that AP to the AP acting as RADIUS, and then that AP queries the AD/RADIUS server. If your AP is set up for RADIUS, it will have a 3-circle icon next to it.

Was there any knowledge transfer from your reseller? I would definitely ask for it if you paid for their services. We also do it as part of our sign-off process.

Let me know 
Travis

Geoff Wilson

Thanks for the response. As for the knowledge transfer, I'm sure that it was done, but with an employee that is no longer with us.

The APs are set up in primary and backup, it's just that two of the sites only have two APs, making it look crowded. But it's good to know.

Is it also a best practice to do the AAAServerMultisite? I think we are attempting to have a single policy across the company (of course making sure that VLANs match and such), perhaps the Multisite is needed in this case?

Travis Kaufman, Champ

Not sure how the Multisite and Backup are configured, those are just common names the installer set up. I would have to see the config.

Geoff Wilson

Looks like this one is just a grouping of the "Primary" RADIUS APs, and the other is a grouping of the backup APs. I've been looking through everything, and I don't actually believe that the tagging is actually referenced anywhere, but I'm sure it was intended to be used. This is the screen after clicking on the RADIUS setting next to the SSID name, and then adding a new entry under RADIUS servers.

Eastman Rivai, Official Rep

Geoff,

Based on that screenshot, different RADIUS servers are assigned to different groups of APs based on Tag1. In this example, APs with Tag1 = Plano will use 192.168.100.20 as the primary RADIUS server.

You would normally only need two RADIUS servers per site.

Sam

Geoff - The configuration looks correct so far. They have followed the best practices by condensing network policies and leveraging the tag functionality. It looks like they configured the sites for survivability in case the WAN goes down, so that users can continue to authenticate to the APs.

To ensure the tags are being used correctly, select a device from the monitor tab and click 'modify'.

Do you see a value in a yellow bubble (above the expanding fields below) that should state the name of the tag? (ex: Plano)

For the next 7 offices, the steps would be as such:

- Join new APs to the domain
- Set up new APs as RADIUS servers
- Modify AAAServerMultisite to encompass the new tag values / APs and IP addresses
- Assign tags to new APs
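
An added example, not part of the original thread and not Aerohive tooling: a small audit of the per-site layout discussed above (two RADIUS server APs per tag, with primary and backup entries that stay on-site so authentication survives a WAN outage). The inventory format, hostnames, the SiteB/SiteC tags and every IP other than the Plano primary are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: (hostname, Tag1, IP, acts_as_radius_server)
APS = [
    ("plano-ap1", "Plano", "192.168.100.20", True),
    ("plano-ap2", "Plano", "192.168.100.21", True),
    ("plano-ap3", "Plano", "192.168.100.22", False),
    ("siteb-ap1", "SiteB", "192.168.110.20", True),
    ("siteb-ap2", "SiteB", "192.168.110.21", True),
    ("sitec-ap1", "SiteC", "192.168.120.20", True),
    ("sitec-ap2", "SiteC", "192.168.120.21", False),
]
# Constructed tag -> RADIUS server IP maps, standing in for the
# AAAServerMultisite (primary) and AAABackup (backup) entries.
PRIMARY = {"Plano": "192.168.100.20", "SiteB": "192.168.110.20", "SiteC": "192.168.120.20"}
BACKUP = {"Plano": "192.168.100.21", "SiteB": "192.168.100.21"}

def audit(aps, primary, backup):
    """Return findings as (tag, message) tuples, ordered by tag."""
    by_ip = {ip: (tag, is_radius) for _, tag, ip, is_radius in aps}
    servers = defaultdict(int)
    for _, tag, _, is_radius in aps:
        servers[tag] += is_radius  # count RADIUS server APs per site
    findings = []
    for tag in sorted({tag for _, tag, _, _ in aps}):
        if servers[tag] != 2:
            findings.append((tag, f"{servers[tag]} RADIUS server APs, expected 2"))
        for role, table in (("primary", primary), ("backup", backup)):
            ip = table.get(tag)
            if ip is None:
                findings.append((tag, f"no {role} entry for this tag"))
                continue
            owner = by_ip.get(ip)
            if owner is None or not owner[1]:
                findings.append((tag, f"{role} {ip} is not a RADIUS server AP"))
            elif owner[0] != tag:
                # Server lives at another site: auth depends on the WAN link
                findings.append((tag, f"{role} {ip} is at site {owner[0]}; fails if WAN is down"))
        if primary.get(tag) and primary.get(tag) == backup.get(tag):
            findings.append((tag, "primary and backup are the same server"))
    return findings

if __name__ == "__main__":
    for tag, msg in audit(APS, PRIMARY, BACKUP):
        print(f"{tag}: {msg}")
```

Running a check like this each time a new office is added catches a tag that was assigned to APs but never mapped to on-site servers.
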

Geoff Wilson

Thanks, got it. I just need to look for the rules now to see how the tags are being used.

Thanks Travis, Sam!