Ok,
By all appearances I have this working correctly. For anybody else who has
multiple dispersed campuses but wants them all synced, here's the solution I've
got working (I think :^).
1. Set up your MySQL database to do circular replication (here's a quick
how-to:
http://www.cwik.ch/2011/03/setting-up-multi-master-circular-replication-with-mysql/)
2. Confirm that it's working.
3. If your system is already running:
   a. Go through the dance of copying all the data from the initial "master" to
   all the other machines.
   b. Start them one-by-one, do "stop slave; show master status;" on each, moving
   from slave to master (opposite of replication direction).
   c. Go to each machine and create the replication user and set permissions per
   above.
   d. Do "start slave; show master status; show slave status \G;" on each server.
   e. Compare the "Exec_Master_Log_Pos" on each slave to its master's "show
   master status" "Position" result.
4. Set up all servers to use the same /usr/local/pf files EXCEPT, change the
IP addresses and host names in the ./conf directory on each server manually. I
believe I only had to touch networks.conf and pf.conf.
5. I set up access from all networks in the initial config of the "Master",
so that replicated when I copied /usr/local/pf around the ring. Same for
switches.conf.
6. Create an SSL cert on each of the machines with that individual machine's
name and information (in ./conf/ssl).
7. If necessary, config each server for access to LDAP or AD per the manual
(e.g. get each server its own Kerb key, or add it to the AD domain).
The caveats are that you have to be very careful about changing anything in
"Configuration" on the GUI, because many of those changes are written to local
files. If you make a change there, you will need to check each of the other
servers and make appropriate changes to them (you can also copy the pertinent
.conf file, but remember if it's pf.conf or networks.conf you'll have to be
careful to put the target server's info back in place). Also, all machines
should have the same vlans/interfaces on each with their own IP addresses,
otherwise things won't sync up with the roles.
I think that was it. If anybody sees something I missed or can think of a
reason this won't work, please let me know. We are doing this because we have
3 wireless controllers (using Extreme Networks' rebadged Motorola WM
controllers and radios) and we want them to be able to operate either in a
cluster with redundancy (in San Antonio), or independently (in New Jersey)
while still maintaining NAC functionality and control from our HQ in SA. My
experiments so far show it all seems to work well.
Fabrice, if there was a way to take out the host-specific pieces and put them
outside the /usr/local/pf directory (e.g. /etc/packetfence.conf), then all
systems could be maintained from the gui with local configuration only being
touched once at installation or as needed for expansion (adding vlans, etc.).
Then it would be a simple matter of using a script to rsync from the Master
server to all the others and restart PF on each.
It might even be possible to make this replication available through the
Database, e.g. add a table where change instructions are dumped into it to be
repeated on each server. That might get a bit complicated, though :^).
Don
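The rsync push that the message above proposes, plus the replication check from step 3e, written up as an added shell example. This is not PacketFence's own tooling and not the poster's script. It assumes the host-specific files are exactly conf/pf.conf, conf/networks.conf and conf/ssl/, that var/ and logs/ are runtime state that must not be pushed to a peer, and that PF is restarted with "bin/pfcmd service pf restart"; the two MySQL status outputs embedded at the bottom are constructed samples, not captures from a real server.

```shell
#!/bin/sh
# Added example: not from PacketFence or the original poster.
# Assumptions (labelled here): host-specific files are conf/pf.conf,
# conf/networks.conf and conf/ssl/; var/ and logs/ are runtime state that
# must never be pushed to a peer; PF restarts with "bin/pfcmd service pf restart".

PF_DIR=/usr/local/pf
PF_LOCAL_EXCLUDES="conf/pf.conf conf/networks.conf conf/ssl/ var/ logs/"

# Print one --exclude=... argument per entry in PF_LOCAL_EXCLUDES.
pf_rsync_excludes() {
    for e in $PF_LOCAL_EXCLUDES; do
        printf -- '--exclude=%s ' "$e"
    done
}

# Push this (master) server's /usr/local/pf to a peer and restart PF there.
# The excludes keep the peer's own pf.conf / networks.conf / ssl/ in place.
# Add --dry-run to the rsync line to preview what would change.
pf_sync_to_peer() {
    peer="$1"
    # shellcheck disable=SC2046  # word-splitting of the exclude list is intended
    rsync -a --delete $(pf_rsync_excludes) "$PF_DIR/" "root@$peer:$PF_DIR/" &&
        ssh "root@$peer" "$PF_DIR/bin/pfcmd service pf restart"
}

# Step 3e from the message: has the slave executed up to the master's position?
# $1: output of  mysql -Be 'show master status'   run on the master
# $2: output of  mysql -e 'show slave status \G'  run on the slave
# Compares the slave's Relay_Master_Log_File / Exec_Master_Log_Pos with the
# master's File / Position, and requires both replication threads to be running.
pf_replication_caught_up() {
    m_file=$(printf '%s\n' "$1" | awk 'NR==2 {print $1}')
    m_pos=$(printf '%s\n' "$1" | awk 'NR==2 {print $2}')
    s_file=$(printf '%s\n' "$2" | awk -F': *' '/Relay_Master_Log_File:/ {print $2}')
    s_pos=$(printf '%s\n' "$2" | awk -F': *' '/Exec_Master_Log_Pos:/ {print $2}')
    s_io=$(printf '%s\n' "$2" | awk -F': *' '/Slave_IO_Running:/ {print $2}')
    s_sql=$(printf '%s\n' "$2" | awk -F': *' '/Slave_SQL_Running:/ {print $2}')
    [ "$s_io" = "Yes" ] && [ "$s_sql" = "Yes" ] &&
        [ -n "$m_file" ] && [ "$s_file" = "$m_file" ] && [ "$s_pos" = "$m_pos" ]
}

# Constructed sample outputs (not captured from a real server), for a dry run.
SAMPLE_MASTER=$(printf 'File\tPosition\tBinlog_Do_DB\tBinlog_Ignore_DB\nmysql-bin.000012\t5471\t\t\n')
SAMPLE_SLAVE_OK=$(printf '%s\n' \
    '*************************** 1. row ***************************' \
    '              Master_Log_File: mysql-bin.000012' \
    '          Read_Master_Log_Pos: 5471' \
    '        Relay_Master_Log_File: mysql-bin.000012' \
    '             Slave_IO_Running: Yes' \
    '            Slave_SQL_Running: Yes' \
    '          Exec_Master_Log_Pos: 5471')
SAMPLE_SLAVE_LAGGING=$(printf '%s\n' \
    '        Relay_Master_Log_File: mysql-bin.000012' \
    '             Slave_IO_Running: Yes' \
    '            Slave_SQL_Running: No' \
    '          Exec_Master_Log_Pos: 4020')

# Usage against live servers (MASTER is the server you edit on, PEERS the rest):
#   for p in $PEERS; do
#       if pf_replication_caught_up "$(mysql -h "$MASTER" -Be 'show master status')" \
#                                   "$(mysql -h "$p" -e 'show slave status \G')"; then
#           pf_sync_to_peer "$p"
#       else
#           echo "$p: replication not caught up, not syncing" >&2
#       fi
#   done
```

Checking replication before pushing files is deliberate: if a peer's slave thread has stopped, a config push followed by a restart would leave that site running new configuration against stale node/violation data, which is exactly the mismatch the message warns about with roles and VLANs.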
From: Don Greer [mailto:[email protected]]
Sent: Thursday, August 08, 2013 2:32 PM
To: [email protected]
Subject: [PacketFence-users] Dual Server Configuration
So I have two servers running at two locations, backing each other up as
RADIUS servers (still need to do other testing).
Other than manipulating the files in ./conf/, can anybody think of anything that
might blow up as a result of this? I didn't see anything in the database that
was obviously dependent on one machine or the other (admittedly, I'm not sure
I'd know it if I saw it :^), and I know I have to be careful about doing things
like adding switches, changing passwords, etc. because the ./conf/ files don't
sync (and can't until I find some way to script various parameters in those
files).
Anything I'm missing?
Don
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users