I’ve spent some time over the last few months working with a customer who is building a complete greenfield IT infrastructure, in preparation for launching a new business. It’s been a rare privilege to work without piles of technical debt (of course, it’s never completely that simple – there is data to bring across and there are some core systems that will tie back into the parent organisation) but there have been some challenges along the way too.
One of these was when the customer’s network partner asked for a RADIUS server to be added to our identity solution (to support 802.1X-based authentication for Wi-Fi clients). In itself, that wasn’t too big an ask – we could use Windows Servers running Microsoft Network Policy Server (NPS), across two Azure regions. Unfortunately, we also needed to provide resilience and the network partner was suggesting that they could only configure one IP address in their HP-Aruba cloud controllers. Azure Load Balancers only work within region and DNS round robin is not exactly smart, so the other consultants working on the solution and I were left scratching our heads.
Luckily for me, having a reasonably large Twitter network meant I could ask for help – and the help came (thanks to @Tim_Siddle and others)!
Aruba absolutely supports multiple RADIUS servers. They have the concept of server groups and, if I recall, also have the option of load balancing or failover (managed by the Aruba controller)
— Tim Siddle (@tim_siddle) November 12, 2018
We were able to take the information about server groups to our networking partner, who advised us that the cloud controllers lacked the server groups capability until recently (it was only a feature on physical controllers) but that it had now been added.
Other people responded to say they had had similar issues in the past, so this might be useful for others who are trying to configure a certificate-based authentication solution for Wi-Fi with Microsoft NPS servers.