AAA Server Settings Primary and Backup1

  • 1
  • Question
  • Updated 3 years ago
Hi All,

I would like to find out whether the issue that I am experiencing with 'AAA Server Settings', and more particularly with the 'Primary' and 'Backup1' or 'Backup2' AD connectors, is normal behavior in Aerohive HiveManager.
I am currently testing several Aerohive APs as RADIUS servers and Wi-Fi authentication using AD credentials. Everything works fine. However, there is one thing that I noticed within Configuration --> AAA Server Settings --> My_Custom_settings --> Database settings. I have two connectors there, Primary (AP01) and Backup1 (AP02). If Primary AP01 is online, I can map these groups to profiles, or navigate AD attributes without any issues. However, if the Primary AP01 goes down, the Backup1 AP02 states that "The request is failure, error message: The device is currently disconnected from HiveManager. Please try again later." Once I reconnect AP01, the issue goes away and I can view the AD attributes with no problem using either connector, Primary (AP01) or Backup1 (AP02).
I am just trying to make this more resilient, so that if the Primary connector (AP01) goes down, attribute lookups can still be performed or mapped. Attached is the screenshot. Thank you in advance.
Ralph Grochowski

  • 3 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 1
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
I think what you are conceptually missing is that HiveManager is just being used for configuration here.

What you are testing has nothing to do with operational stability and failover once the feature is configured and applied to APs.

The APs can have no connection to HiveManager at that point and everything will operate. There is no link / dependency so there should be no resiliency concerns.
(Edited)
Ralph Grochowski

  • 3 Posts
  • 0 Reply Likes
So, if I lose this primary connector (AP01) and need to wait a couple of days for its replacement, how do I create/modify LDAP attributes and assign them to AH user profiles in the meantime?
Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Valid point, but that is an unlikely scenario, given that you would want to have the primary back online as soon as possible in all cases. Because resilience is lost when only a single AP is performing the function, getting it back online would be a primary concern that you would attend to first.
Ralph Grochowski

  • 3 Posts
  • 0 Reply Likes
Thanks for your prompt reply Nick.
Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
Hi Ralph,

When you use the LDAP mapping tab in the AAA Server Settings, HiveManager uses the AP which is listed in the AAA Directory Settings object as a proxy to access the directory (HiveManager talks to the AP over its CAPWAP connection, the AP queries the directory and returns the results back over CAPWAP to HiveManager). If that AP is down, then HiveManager has no means of talking to the directory server, so you get the error that you see.

Now what you would think (and I think this is your expectation) is that if you select the Backup1 AAA Directory object in the domain dropdown then HiveManager would use whichever AP is listed in THAT object as its proxy, but this doesn't seem to be the case.

From a quick bit of testing, it looks like it always tries to use the AP listed in the FIRST AAA Directory Object in the list that is configured for that domain (regardless of whether it is set as the Primary or a Backup). This is probably a little bug in HiveManager.

So there is a workaround for your scenario. If you go to the AP01 AAA Directory Server object and select AP02 in the "Aerohive device for Active Directory connection setup" dropdown, save that, then go back to the AAA Server Object you should find it works as HiveManager will now use AP02 as its proxy.

There is a lot of confusion about how these objects interact. The AP that you select in the AAA Directory Server object is used only from a HiveManager perspective - I know it looks like you're saying "AP01 talks to domain controller 1" and "AP02 talks to domain controller 2" and you might assume that is the case for actual user authentications, but that's not how it actually works - the AP reference is really only there for HiveManager to use as a means of proxying access to the directory for configuration purposes. So really it makes more sense for you to name those objects based on the Domain Controller they reference rather than the AP that you've used for connection setup.

Just to make the point further, you can have four APs configured as RADIUS servers (Primary and three Backups) talking to TWO Domain Controllers, and this requires only two AAA Directory Server objects. It doesn't matter which of the four APs you use as the connection setup AP - it is the assignment of the RADIUS Server object to an AP in the AP settings that creates the AP to Active Directory binding.

And finally, just bolstering what I've said above, making this change doesn't affect the actual configuration that is pushed out to APs in any way. If you're unconvinced, you can check for yourself by making the change and checking the delta config: you'll see there is absolutely no change to the APs' configuration as a result of it (you will get the ! against the APs, but when you actually check what the delta is, there is none).

Hope this makes sense!

Regards,
Roberto
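The following is an added, offline model of the proxy-selection behaviour Roberto describes above (HiveManager reaching the directory only through the AP named in an AAA Directory Server object, and apparently always through the first listed object regardless of its Primary/Backup role), contrasted with the role-aware failover the original poster expected, plus the "repoint the setup AP" workaround. It is example code written for this page, not Aerohive or HiveManager code, and it does not talk to any real AP or directory: the CAPWAP round trip is stood in for by a function that reads a constructed in-memory directory, and the object names, hostnames, group DNs and the ordering in ROLE_ORDER are assumptions.

```python
"""Offline model of the AAA directory-proxy selection described in the thread.

Constructed illustration, not Aerohive/HiveManager code. Assumptions:
  * each AAA Directory Server object names one AP as its connection-setup device;
  * HiveManager can only reach the directory through an AP that currently has a
    CAPWAP connection to it;
  * the observed behaviour is that the FIRST object in the list is used for
    attribute lookups, regardless of its Primary/Backup role.
Object names, hostnames and group DNs below are made up.
"""
from dataclasses import dataclass, replace

# Error text quoted in the original post.
DISCONNECTED_ERROR = ("The request is failure, error message: The device is "
                      "currently disconnected from HiveManager. Please try again later.")

# Lookup preference if selection honoured the configured roles (assumed ordering).
ROLE_ORDER = {"Primary": 0, "Backup1": 1, "Backup2": 2, "Backup3": 3}


@dataclass(frozen=True)
class DirectoryObject:
    name: str               # name the object after the DC it references
    role: str               # "Primary", "Backup1", ...
    domain_controller: str  # DC that the proxy AP queries
    setup_ap: str           # AP HiveManager uses as its proxy into the directory


class ProxyUnavailable(RuntimeError):
    """Raised when the chosen AP has no CAPWAP connection to HiveManager."""


# Constructed directory contents, keyed by domain controller (replicas agree).
CONSTRUCTED_DIRECTORY = {
    "dc1.corp.example": {"memberOf": ["CN=Wifi-Staff,OU=Groups,DC=corp,DC=example",
                                      "CN=Wifi-Guests,OU=Groups,DC=corp,DC=example"]},
    "dc2.corp.example": {"memberOf": ["CN=Wifi-Staff,OU=Groups,DC=corp,DC=example",
                                      "CN=Wifi-Guests,OU=Groups,DC=corp,DC=example"]},
}


def query_through_ap(ap, domain_controller, attribute):
    """Stand-in for 'HiveManager -> CAPWAP -> AP -> LDAP -> AP -> HiveManager'.

    Returns (ap_used, values) so callers can see which proxy answered.
    """
    return ap, list(CONSTRUCTED_DIRECTORY[domain_controller][attribute])


def lookup_first_object(objects, connected_aps, attribute="memberOf"):
    """Observed behaviour: always proxy through the first listed object's AP."""
    first = objects[0]
    if first.setup_ap not in connected_aps:
        raise ProxyUnavailable(DISCONNECTED_ERROR)
    return query_through_ap(first.setup_ap, first.domain_controller, attribute)


def lookup_with_failover(objects, connected_aps, attribute="memberOf"):
    """Expected behaviour: walk Primary, Backup1, ... and use the first connected AP."""
    for obj in sorted(objects, key=lambda o: ROLE_ORDER.get(o.role, 99)):
        if obj.setup_ap in connected_aps:
            return query_through_ap(obj.setup_ap, obj.domain_controller, attribute)
    raise ProxyUnavailable(DISCONNECTED_ERROR)


def repoint_setup_ap(objects, down_ap, replacement_ap):
    """Workaround from the thread: point objects that used the dead AP at another.

    This only changes which AP HiveManager proxies through; the AP-side
    RADIUS/AD binding comes from assigning the RADIUS server object to APs.
    """
    return [replace(o, setup_ap=replacement_ap) if o.setup_ap == down_ap else o
            for o in objects]


def probe(objects, connected_aps):
    """Which AP (if any) each strategy would use; None means the GUI error."""
    result = {}
    for label, fn in (("first_object", lookup_first_object),
                      ("failover", lookup_with_failover)):
        try:
            result[label] = fn(objects, connected_aps)[0]
        except ProxyUnavailable:
            result[label] = None
    return result


# The original poster's setup: two objects, setup APs AP01 and AP02.
OBJECTS = [
    DirectoryObject("DC1", "Primary", "dc1.corp.example", "AP01"),
    DirectoryObject("DC2", "Backup1", "dc2.corp.example", "AP02"),
]

if __name__ == "__main__":
    print("both up:   ", probe(OBJECTS, {"AP01", "AP02"}))
    print("AP01 down: ", probe(OBJECTS, {"AP02"}))
    print("workaround:", probe(repoint_setup_ap(OBJECTS, "AP01", "AP02"), {"AP02"}))
```

Running the script shows the three states from the thread: with both APs connected either strategy answers through AP01; with AP01 disconnected the first-object strategy reproduces the "disconnected from HiveManager" error while a role-aware failover would have used AP02; and after repointing the first object's setup AP to AP02 the first-object strategy works again. Reordering the list so the Backup1 object comes first makes the first-object strategy use AP02 even though AP01 is up, which is the "regardless of Primary or Backup" observation.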