Administration Guide

Failover process

In FortiNAC you can have primary and secondary RADIUS servers that are the system-wide default for RADIUS requests. You can also have other RADIUS servers that are listed as the primary and secondary server for requests coming through a specific device.

All of these RADIUS servers must be configured in FortiNAC and must be running in parallel. Each RADIUS server must have a user name and password that FortiNAC uses as a Validation Account to test whether the server is available. That same user name and password must also be entered in the RADIUS server configuration within FortiNAC, so that FortiNAC can send the test message to the server.

If one or both of your RADIUS servers fail, FortiNAC follows the failover process below. No events or alarms are generated when a RADIUS server fails, so RADIUS server availability has to be monitored by other means. There are two types of failure in this process. The first is a failure by the RADIUS server to respond to a RADIUS communication sent from a device and proxied by FortiNAC; this does not mean the server is down, only that it did not accept or answer that particular request. The second is a failure caused by the RADIUS server being down, so that FortiNAC cannot communicate with it at all.

Failover

  1. FortiNAC receives a RADIUS communication.
  2. The RADIUS communication is proxied to the configured primary RADIUS server.
  3. Normally the primary server responds and the request is processed.
  4. If the primary server does not respond, the original RADIUS communication is dropped: it is not processed and no response is sent to the device. FortiNAC then contacts the primary RADIUS server using the validation account to check whether it is available.
  5. If the primary server responds to FortiNAC's validation request, the primary RADIUS server continues to be used for subsequent incoming RADIUS communications.
  6. If the primary server does not respond to FortiNAC's validation request, FortiNAC begins sending new RADIUS communications to the secondary RADIUS server.
  7. Normally the secondary server responds and the request is processed.
  8. If the secondary server does not respond, the RADIUS communication in progress is dropped: it is not processed and no response is sent to the device. FortiNAC then contacts the secondary RADIUS server using the validation account to check whether it is available.
  9. If the secondary server responds to FortiNAC's validation request, it continues to be used for subsequent RADIUS communications until contact is re-established with the primary server.

Recovery

  1. If the primary server fails, FortiNAC continues to attempt to communicate with the primary RADIUS server at six second intervals. This interval is not configurable.
  2. The secondary server continues to be used until a response is received from the primary RADIUS server. From then on the primary server is used for subsequent RADIUS communications.
  3. If both the primary and the secondary servers have failed, FortiNAC continuously attempts to contact both the primary and the secondary RADIUS servers at six second intervals. The primary server is considered to be "in charge" at that point even though neither server is responding.
  4. As soon as either RADIUS server responds, FortiNAC begins sending RADIUS communications to that server.
  5. If it is the secondary server that responded, FortiNAC continues trying to contact the primary server. When the primary server responds, it is used for subsequent RADIUS communications.
  6. If it is the primary server that responded, FortiNAC uses the primary server for subsequent RADIUS communications.
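The following model traces the Failover and Recovery steps above end to end. It is an added illustration, not FortiNAC code: the servers are scripted stand-ins (`reachable=False` is failure type 2, `ignore_next` is failure type 1), the clock is simulated so the six second retry can be driven deterministically, and the class and function names (`FailoverProxy`, `run_scenario`, etc.) and the sample requests are the author's own assumptions.

```python
"""Model of the RADIUS failover and recovery behaviour described above.

Added illustration, not FortiNAC code. Scripted servers and a simulated clock
reproduce the decision sequence in the Failover and Recovery lists so that both
failure types, a double failure and the six-second recovery can be traced offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RETRY_INTERVAL_S = 6  # fixed recovery interval; the guide says it is not configurable


class SimClock:
    """Simulated wall clock; the scenario advances it explicitly."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class RadiusServer:
    """Scripted server. reachable=False: server down (failure type 2).
    ignore_next=N: server up but silently drops the next N proxied requests (type 1)."""
    name: str
    reachable: bool = True
    ignore_next: int = 0

    def proxied_request(self, pkt: Dict[str, str]) -> Optional[str]:
        if not self.reachable or self.ignore_next > 0:
            self.ignore_next = max(0, self.ignore_next - 1)
            return None
        return f"Access-Accept:{self.name}:{pkt['User-Name']}"

    def validation_probe(self) -> bool:
        """Availability test with the validation account: succeeds only if the server is up."""
        return self.reachable


class FailoverProxy:
    """Hypothetical stand-in for the FortiNAC proxy logic described in the text."""
    def __init__(self, primary: RadiusServer, secondary: RadiusServer, clock: SimClock) -> None:
        self.primary, self.secondary, self.clock = primary, secondary, clock
        self.failed = set()        # names of servers currently considered failed
        self.active = primary      # primary is "in charge" unless it alone has failed
        self.last_retry = clock.now()

    def _choose_active(self) -> None:
        # Secondary only while the primary alone has failed; primary in every other state.
        if self.primary.name not in self.failed or self.secondary.name in self.failed:
            self.active = self.primary
        else:
            self.active = self.secondary

    def _recover(self) -> None:
        """Recovery: re-probe every failed server once per RETRY_INTERVAL_S."""
        if not self.failed or self.clock.now() - self.last_retry < RETRY_INTERVAL_S:
            return
        self.last_retry = self.clock.now()
        for srv in (self.primary, self.secondary):
            if srv.name in self.failed and srv.validation_probe():
                self.failed.discard(srv.name)
        self._choose_active()

    def handle(self, pkt: Dict[str, str]) -> Optional[str]:
        """Proxy one request. Returns the reply, or None when the request is dropped
        (no response is sent to the device in that case)."""
        self._recover()
        reply = self.active.proxied_request(pkt)
        if reply is not None:
            return reply
        # No reply: drop this request, then test the server with the validation account.
        if self.active.name not in self.failed and not self.active.validation_probe():
            self.failed.add(self.active.name)
            self.last_retry = self.clock.now()
            self._choose_active()
        return None


def run_scenario() -> List[Tuple[str, Optional[str]]]:
    """Constructed scenario: type 1 failure, type 2 failure, double failure, recovery.
    Returns (server in charge after the request, reply or None) for each request."""
    clock, primary, secondary = SimClock(), RadiusServer("primary"), RadiusServer("secondary")
    proxy, trace = FailoverProxy(primary, secondary, clock), []

    def send(user: str) -> None:
        trace.append((proxy.active.name, proxy.handle({"User-Name": user})))
        trace[-1] = (proxy.active.name, trace[-1][1])  # record server chosen after the request

    send("alice")                          # normal operation: primary answers
    primary.ignore_next = 1
    send("bob")                            # type 1: dropped, validation passes, stay on primary
    send("carol")                          # primary answers again
    primary.reachable = False
    send("dave")                           # type 2: dropped, validation fails, fail over
    send("erin")                           # secondary answers
    secondary.reachable = False
    send("frank")                          # both down: dropped, primary back "in charge"
    clock.advance(RETRY_INTERVAL_S)
    secondary.reachable = True
    send("grace")                          # retry finds only the secondary up; it is used
    primary.reachable = True
    send("heidi")                          # under six seconds since last retry: still secondary
    clock.advance(RETRY_INTERVAL_S)
    send("ivan")                           # retry finds the primary up; primary resumes
    return trace


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Note that in the two dropped cases (`bob`, `dave`, `frank`) the device receives nothing at all, so the supplicant or switch relies on its own RADIUS retransmit timer; only the request that arrives after failover or recovery has completed is answered.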