Captive Portal LDAP Authentication redundancy



L1 Bithead



I have a Captive Portal that uses next Authentication Profile:

  • CP_Auth


Authentication Sequence:

  • CP_Auth - Auth_Mode_1, Auth_Mode_2

Authentication Profile:

  • Auth_Mode_1 - LDAP_1
  • Auth_Mode_2 - LDAP_2

LDAP Server Profile:

  • LDAP_1:,
  • LDAP_2:,


Based on our monitor logs, we noticed that all our authentications are using LDAP Server


A few days ago we detected that server had an issue and we decided to power off the machine.


After that, we were still seeing PA trying to reach this server and not trying to use the second LDAP server (

  1. Why was this happening? Shouldn't the firewall have to change to as soon as it detects timeout connections?
  2. Is there any way to configure redundancy in case of issue?





L4 Transporter

Create 4 separate LDAP Server Profiles.

Assign them to 4 separate Authentication Profiles.

List all 4 in the Authentication Sequence.


The LDAP Server Profiles don't fail-through to the next one.  It tries the first one, and only if it gets a specific response from it will it try the second one.


The Authentication Sequence is where you list all the servers you want it to try, and the order to try them in.  The first one to respond with "allowed" ends the sequence.  If none of them return an "allowed" response, then the authentication fails.
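One way to notice the situation described in this thread (an LDAP server that is down while the firewall keeps sending requests to it) from monitoring rather than from failed captive-portal logins is to probe each server directly. The script below is an added example, not code from the thread or from Palo Alto Networks. The server names and addresses in `LDAP_SERVERS` are constructed placeholders, one server per profile as the reply above recommends. The probe sends an anonymous LDAP simple bind; many directories reject anonymous binds, but any well-formed BindResponse, whatever its result code, still proves the LDAP service is answering, whereas a connection timeout or refusal marks the server unreachable.

```python
"""Probe each LDAP server behind a captive-portal authentication sequence.

Added example, not from the thread. Sends an anonymous LDAP simple bind to
every server and reports which ones answer at all, so a dead server shows up
in monitoring before users hit failed captive-portal logins.
"""
import socore if False else None  # placeholder removed below
```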

Many thanks for your response.


I don't understand... base on this document


"Configure at least two LDAP servers to provide redundancy"


What kind of redundancy are they referring in the previous document?

What is the condition that triggers the event of using the secondary LDAP?

Is timeout event not enough to triggers that?



The way it was explained to us in the 8.1 training course was along the lines of "the first server in the list to respond after boot is the only one it will use" or something along those lines.  The instructor actually questioned why they allow multiple servers to be listed in a single Server Profile when it doesn't actually work the way you expect, but was never able to get a straight answer about it.


If you actually want it to failover to another LDAP server, then you need to use a single server per LDAP Server Profile, and list all of those in an Authentication Sequence.

Actually, you are wrong.


I recommend you to check this:


Thanks anyway.

  • 1 accepted solution
  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!