With RADIUS over TLS, the state of the TLS connection indicates whether the server is “live” or “dead.” As soon as a RADIUS over TLS server is configured, the switch attempts to open a connection. If successful, the server is considered live. If unsuccessful, the server is considered dead and the switch will periodically attempt to reconnect.
If one or more RADIUS over TLS servers is live, then an initial request is sent to a single TLS server, based on priority. This means that the highest priority TLS server is always chosen for the first transmission. If this transaction times out, but that TLS server status is live, there will be no retransmissions to other TLS servers (or to UDP servers, if configured) and user authentication will fail.
When a TLS connection is broken or closed, any prior request messages that have not yet received a response will be handled on timeout as follows: