Fortinet Document Library

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

Validate redundant RADIUS

Validate that your redundant RADIUS servers are functioning properly. That is, when the primary RADIUS server fails, control passes successfully to the secondary, which then continues handling authentication messages until control can successfully be returned to the primary RADIUS server.

To test redundancy, keep the following details in mind:

  • The RADIUS server is actually a service running on a server.
  • Primary and secondary RADIUS servers run on separate servers (computers) not on the FortiNAC appliance.
  • For this test RADIUS requests are generated by logging in a host through the Captive Portal.

Test setup

  1. Log in to the CLI on your FortiNAC appliance and enable debug by typing campusmgrdebug -name RadiusManager true.
  2. Make sure both RADIUS servers are up and running, so communication is proxied to the primary.
  3. Monitor the output.master file in the /bsc/campusMgr/master_loader directory on the FortiNAC Control Server for the RADIUS messages that are generated by this test.

Force a failover

  1. Turn off the primary RADIUS service.
  2. Send a RADIUS request (use a computer to log in through the portal).
  3. Verify that the primary RADIUS server fails to respond. You will see that it retries, and finally times out.
  4. Verify that a RADIUS request is initiated using the Validation Account (specified in the RADIUS configuration in the admin UI for the FortiNAC appliance) and that this also fails. You should see a message in the output.master file similar to “Contact Message being sent".
  5. Verify that the primary RADIUS server is added to the Failover list - you can read that FortiNAC is adding the primary RADIUS server to the list, and when a new request comes in you will see that FortiNAC checks this list by reading the output.
  6. Confirm that requests are sent repeatedly to the primary RADIUS server to see if it is up and running (e.g., every 5 - 6 seconds).
  7. Send a RADIUS request by logging in through the portal again.
  8. Confirm that the secondary RADIUS server responds correctly.

Restore the primary server

  1. Turn the primary RADIUS service back on.
  2. Send a RADIUS request by logging in through the portal.
  3. Confirm that the primary RADIUS server responds correctly.

Disable both servers, then restore the primary

  1. Turn off both RADIUS services.
  2. Send a RADIUS request by logging in through the portal.
  3. Verify that requests are sent repeatedly to both the primary and secondary RADIUS servers.
  4. Turn on the primary RADIUS server.
  5. Send a RADIUS request by logging in through the portal.
  6. Confirm that the primary RADIUS server responds correctly.

Disable both servers, then restore the secondary

  1. Turn off both RADIUS services.
  2. Turn on the secondary RADIUS server.
  3. Send a RADIUS request by logging in through the portal.
  4. Confirm that the secondary RADIUS server responds correctly.

Validate redundant RADIUS

Validate that your redundant RADIUS servers are functioning properly. That is, when the primary RADIUS server fails, control passes successfully to the secondary, which then continues handling authentication messages until control can successfully be returned to the primary RADIUS server.

To test redundancy, keep the following details in mind:

  • The RADIUS server is actually a service running on a server.
  • Primary and secondary RADIUS servers run on separate servers (computers) not on the FortiNAC appliance.
  • For this test RADIUS requests are generated by logging in a host through the Captive Portal.

Test setup

  1. Log in to the CLI on your FortiNAC appliance and enable debug by typing campusmgrdebug -name RadiusManager true.
  2. Make sure both RADIUS servers are up and running, so communication is proxied to the primary.
  3. Monitor the output.master file in the /bsc/campusMgr/master_loader directory on the FortiNAC Control Server for the RADIUS messages that are generated by this test.

Force a failover

  1. Turn off the primary RADIUS service.
  2. Send a RADIUS request (use a computer to log in through the portal).
  3. Verify that the primary RADIUS server fails to respond. You will see that it retries, and finally times out.
  4. Verify that a RADIUS request is initiated using the Validation Account (specified in the RADIUS configuration in the admin UI for the FortiNAC appliance) and that this also fails. You should see a message in the output.master file similar to “Contact Message being sent".
  5. Verify that the primary RADIUS server is added to the Failover list - you can read that FortiNAC is adding the primary RADIUS server to the list, and when a new request comes in you will see that FortiNAC checks this list by reading the output.
  6. Confirm that requests are sent repeatedly to the primary RADIUS server to see if it is up and running (e.g., every 5 - 6 seconds).
  7. Send a RADIUS request by logging in through the portal again.
  8. Confirm that the secondary RADIUS server responds correctly.

Restore the primary server

  1. Turn the primary RADIUS service back on.
  2. Send a RADIUS request by logging in through the portal.
  3. Confirm that the primary RADIUS server responds correctly.

Disable both servers, then restore the primary

  1. Turn off both RADIUS services.
  2. Send a RADIUS request by logging in through the portal.
  3. Verify that requests are sent repeatedly to both the primary and secondary RADIUS servers.
  4. Turn on the primary RADIUS server.
  5. Send a RADIUS request by logging in through the portal.
  6. Confirm that the primary RADIUS server responds correctly.

Disable both servers, then restore the secondary

  1. Turn off both RADIUS services.
  2. Turn on the secondary RADIUS server.
  3. Send a RADIUS request by logging in through the portal.
  4. Confirm that the secondary RADIUS server responds correctly.