Clone Network Policy and change authentication servers

  • 2
  • Question
  • Updated 5 years ago
  • Answered

I have a customer with 100+ APs and a lot of Radius requests going around (700+ clients simultaneously). At this moment, we have configured one NP with a main and a backup Radius server on a HiveAP120, but the Radius server just crashes after some time. The system load is crazy at times, load averages of 8.00 and above :)

So, I was reading a bit in the community and found some interesting remarks about Radius sizing, with 'recommendations' of 30 Radius client APs per Radius server AP. We now want to have Radius server APs per building, which is per 20 APs more or less.

However, it looks like the coupling between an SSID and an authentication server is global? If we clone a NP and change the Radius server on the new NP, the Radius server changes on every other NP with the SSID configured.

I would think that the coupling between an SSID and a means of authentication is one of the core elements of an NP, so does anyone have an idea or reason why this coupling is global? :)
Or is there a means to keep the change local in an NP?

Photo of Frederic


  • 3 Posts
  • 1 Reply Like

Posted 5 years ago

  • 2
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
So, the RADIUS server object is tied to the SSID object. The SSID object is then tied to the Network Policy. At this time, to accomplish what you are trying to do, you would need to have different network policies referencing different SSID objects pointing to the different RADIUS servers.

I know, it's not ideal.

Our product folks are looking at ways to simplify this and are working with engineering on a resolution.
Photo of Jonathan Hurtt

Jonathan Hurtt

  • 98 Posts
  • 48 Reply Likes

Another option would be to use Device Tags or Map/Topology to identify which RADIUS server a specific Access Point would send request to. If they RADIUS servers all have the same shared secret, when you create your IP Object you can select which IP Address a AP will use as their RADIUS Server.

Similar to how one did VLANs based on Device Tags in this thread...

Hope this helps.
Photo of Frederic


  • 3 Posts
  • 1 Reply Like
Thanks for the tip, I'll try this out!
Photo of Matthew Rudkowski

Matthew Rudkowski

  • 38 Posts
  • 2 Reply Likes
Would you check back in and let us know if this works for you? I may be coming across this same type of issue shortly with another design