TLS Connection Persistence
With RADIUS over TLS, the state of the TLS connection indicates whether the server is “live” or “dead.” As soon as a RADIUS over TLS server is configured, the switch attempts to open a connection. If successful, the server is considered live. If unsuccessful, the server is considered dead and the switch will periodically attempt to reconnect.
If one or more RADIUS over TLS servers are live, the initial request is sent to a single TLS server, chosen by priority. This means that the highest-priority TLS server is always chosen for the first transmission. If this transaction times out while that TLS server's status is still live, there are no retransmissions to other TLS servers (or to UDP servers, if configured), and user authentication fails.
When a TLS connection is broken or closed, any prior request messages that have not yet received a response will be handled on timeout as follows:
- If there are no other live TLS connections, then the user session will fail. If there are UDP servers configured, they will not be tried.
- If there are other live TLS connections, then the user request will be retransmitted to one of the other live TLS servers.
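The following Python model is an added example, not code from the original documentation or the switch firmware: it encodes the selection and timeout rules above so the availability consequence (a single live but unresponsive TLS server fails authentication, and UDP servers are never used as a fallback) can be traced step by step. Server names, request IDs and the "lower number wins" priority convention are constructed for the example; the page does not say which other live server receives a retransmission, so the highest-priority one is assumed, and the case where no TLS server is live at all, which the page does not describe, is simply reported as None. `scenario()` walks through a constructed two-server case.

```python
from dataclasses import dataclass, field

@dataclass
class TlsServer:
    name: str
    priority: int        # lower value = higher priority (assumed convention)
    live: bool = True    # True once the switch's TLS connection attempt succeeds

@dataclass
class TlsRadiusClient:
    servers: list
    pending: dict = field(default_factory=dict)  # request id -> server name

    def _live(self, exclude=None):
        cands = [s for s in self.servers if s.live and s.name != exclude]
        return sorted(cands, key=lambda s: s.priority)

    def send(self, req_id):
        """Initial transmission always goes to the highest-priority live server."""
        live = self._live()
        if not live:
            return None   # no live TLS server: case not described on the page
        self.pending[req_id] = live[0].name
        return live[0].name

    def connection_lost(self, name):
        """Connection broken or closed: mark dead; pending requests wait for timeout."""
        next(s for s in self.servers if s.name == name).live = False

    def on_timeout(self, req_id):
        """Return ('fail', None) or ('retransmit', server) for a timed-out request."""
        name = self.pending.pop(req_id)
        server = next(s for s in self.servers if s.name == name)
        if server.live:
            return ("fail", None)      # server still live: no retry to other TLS or UDP
        others = self._live(exclude=name)
        if not others:
            return ("fail", None)      # no other live TLS connection; UDP not tried
        self.pending[req_id] = others[0].name   # highest priority among the rest (assumed)
        return ("retransmit", others[0].name)

def scenario():
    c = TlsRadiusClient([TlsServer("tls-a", 1), TlsServer("tls-b", 2)])
    steps = [c.send("req-1"), c.on_timeout("req-1")]   # 'tls-a', then fail
    c.send("req-2")
    c.connection_lost("tls-a")
    steps.append(c.on_timeout("req-2"))                # retransmit to 'tls-b'
    c.connection_lost("tls-b")
    steps.append(c.on_timeout("req-2"))                # fail: UDP not tried
    return steps
```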