Active Mode
In active mode, when a server does not respond to the WLC authentication request, the WLC marks the server as dead and then moves the server to the non-active server pool and starts to send probe messages periodically until that server responds.
If the server responds, then the WLC moves the dead server to the active pool and stops sending probe messages.
In this mode, when an authentication request arrives, the WLC always picks the lowest index (highest priority) server from the active pool of RADIUS servers.
The WLC sends a probe packet after timeout (the default is 300 seconds) in order to determine server status in case the server was unresponsive earlier.
Passive Mode
In passive mode, if a server does not respond to the WLC authentication request, the WLC moves the server to the inactive queue and sets a timer.
When the timer expires, the WLC moves the server back to the active queue irrespective of the server's actual status. When an authentication request arrives, the WLC picks the lowest index (highest priority) server from the active queue (which might include the non-active server).
If the server does not respond, the WLC marks it as inactive, sets the timer, and moves to the next highest priority server. This process continues until the WLC finds an active RADIUS server, or the active server pool is exhausted.
The WLC assumes the server is active after timeout (the default is 300 seconds) in case the server was unresponsive earlier. If it is still unresponsive, the WLC waits for another timeout and tries again when an authentication request comes in.
Off Mode
In off mode, the WLC supports failover only. In other words, fallback is disabled. When the primary RADIUS server goes down, the WLC fails over to the next active backup RADIUS server. The WLC continues to use the secondary RADIUS server forever, even if the primary server becomes available again.
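The three fallback modes above, written as a constructed Python model added here (not Cisco WLC code); the server names, timestamps and the `reachable` set that stands in for real RADIUS responses are assumptions used to drive it:

```python
from dataclasses import dataclass, field

@dataclass
class RadiusFallback:
    """Constructed model of WLC RADIUS server selection under the three
    fallback modes described above. Not Cisco code; times are seconds."""
    mode: str                                    # "active", "passive" or "off"
    interval: int = 300                          # probe interval / inactive time
    servers: list = field(default_factory=list)  # index 0 = highest priority
    dead: dict = field(default_factory=dict)     # server -> time marked dead

    def _active_pool(self, now):
        """Servers eligible for the next request at time `now`."""
        pool = []
        for s in self.servers:
            if s not in self.dead:
                pool.append(s)
            elif self.mode == "passive" and now - self.dead[s] >= self.interval:
                # passive: timer expired, the server returns to the active
                # queue regardless of its real status
                del self.dead[s]
                pool.append(s)
        return pool

    def pick(self, now, reachable):
        """Server used for an authentication request at time `now`.
        `reachable` is the set of servers that would actually answer."""
        for s in self._active_pool(now):
            if s in reachable:
                return s
            # no response: mark dead, start its timer, try the next priority
            self.dead[s] = now
        return None  # active pool exhausted

    def probe(self, now, reachable):
        """Active mode only: probe dead servers whose interval has elapsed
        and return those that responded (they rejoin the active pool)."""
        if self.mode != "active":
            return []
        restored = []
        for s in list(self.dead):
            if now - self.dead[s] >= self.interval:
                if s in reachable:
                    del self.dead[s]
                    restored.append(s)
                else:
                    self.dead[s] = now  # still dead, reschedule the probe
        return restored
```

In passive mode a dead server is retried by a real client request once the timer expires; in active mode it is only reused after a probe succeeds; in off mode it is never reused.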
Aggressive Failover
If the aggressive failover feature is enabled on the WLC, the WLC is quick to mark the AAA server as "not responding". This is often undesirable, because the AAA server may be unresponsive only to that particular client (for example, when it silently discards that client's request) while it still responds to other valid clients with valid certificates. The WLC can nevertheless mark the AAA server as "not responding" and "not functional".
In order to overcome this, disable the aggressive failover feature. To do so, enter the "config radius aggressive-failover disable" command on the controller.
When aggressive failover is disabled, the controller only fails over to the next AAA server if three consecutive clients fail to receive a response from the RADIUS server.
WLC Commands to Enable RADIUS Fallback
The first step is to select the mode of RADIUS server fallback. As mentioned earlier, the WLC supports active and passive modes of fallback.
In order to select the mode of fallback, enter this command:
WLC1 > config radius fallback-test mode {active/passive/off}
active - Sends probes to dead servers to test the status.
passive - Sets server status based on the last transaction.
off - Disables the server fallback test (default).
The next step is to set the interval, which is the probe interval in active mode or the inactive time in passive mode.
In order to set the interval, enter this command:
WLC1 > config radius fallback-test interval {180 - 3600}
<180 to 3600> - Enter the probe interval or inactive time in seconds (the default is 300 seconds).
The interval specifies the probe interval in the case of active mode fallback or inactive time in the case of passive mode fallback.
For the active mode of operation, you need to configure a username which will be used in the probe request sent to the RADIUS server.
In order to configure the username, enter this command:
WLC1 > config radius fallback-test username {username}
<username> - Enter a name of up to 16 alphanumeric characters (the default is cisco-probe).