Multiple Radius Servers on Different VLANs

We currently have two separate organizations using our wireless network. Each SSID puts clients onto the VLAN and subnet of their organization. Organization 1 has VLAN 10 and uses a radius server for authentication. Organization 2 has VLAN 50 and uses PSK for authentication.

Organization 2 wants to start using radius authentication as well, however we can't get the APs to communicate with their radius server because they are on a different VLAN/subnet (10, same as Organization 1). How can we get the APs to authenticate against radius servers in two separate VLANs and subnets?

AP 141's running 6.1r3
Stephan

Posted 4 years ago

Carsten Buchenau, Champ

Hello Stephan,

The APs are always communicating with Radius servers through their management interface, using their management IP address, no matter which VLANs users will be put into after the authentication process.

So you need to make sure on your network infrastructure (router, firewall), that all APs can communicate with all Radius servers in question via IP routing.

If in doubt, open an SSH client to one of your IPs and try to ping both Radius servers your APs need to be able to communicate with, as a first step for troubleshooting. If one doesn't work, traverse along the traffic routing path, start with the APs' default gateway.

carsten

Nick Lowe, Official Rep

Of course, you could also set up a RADIUS proxy on a server that sits in multiple VLANs (the Aerohive management VLAN, the VLAN for the first org that their RADIUS server sits in, the VLAN for the second org that their RADIUS server sits in).

The RADIUS proxy would then pass things on appropriately, routing on the realm in the User-Name attribute.
(You would need two servers if you want redundancy in the proxy.)
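
The realm-based routing decision described in the reply above, as an added example (not part of the thread and not the code of Aerohive or any RADIUS server): it pulls the User-Name attribute out of an Access-Request and picks a home server by realm. The realm names, the documentation-range addresses and all function names are assumptions, and only the `user@realm` form is handled.

```python
import struct

# Constructed realm table: realm -> (home server IP, UDP port). The addresses
# are documentation-range placeholders, not values from the thread.
HOME_SERVERS = {
    "org1.example": ("192.0.2.10", 1812),
    "org2.example": ("198.51.100.10", 1812),
}
ACCESS_REQUEST = 1  # RFC 2865 packet code
USER_NAME = 1       # RFC 2865 attribute type


def parse_user_name(packet: bytes) -> str:
    """Return User-Name from an Access-Request, checking every length field."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    pos = 20  # attributes start after code, id, length, 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == USER_NAME:
            return packet[pos + 2:pos + alen].decode("utf-8")
        pos += alen
    raise ValueError("no User-Name attribute")


def realm_of(user_name: str):
    """Lower-cased realm of a user@realm name, or None if there is no realm."""
    _, sep, realm = user_name.rpartition("@")
    return realm.lower() if sep and realm else None


def route(packet: bytes):
    """Home server for this request; None means the proxy must not forward."""
    return HOME_SERVERS.get(realm_of(parse_user_name(packet)))


def build_access_request(user_name: str, ident: int = 1) -> bytes:
    """Constructed sample input: an Access-Request carrying only User-Name."""
    value = user_name.encode("utf-8")
    attr = bytes([USER_NAME, len(value) + 2]) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr)) + bytes(16) + attr
```

Returning `None` for a missing or unknown realm keeps the proxy from handing one organization's credentials to the other organization's server by default.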