FW: Load balancing over two freeRADIUS Server
Hi,

regarding the load balancing ... it is quite easy (in theory): why don't you put those 2 servers together in a cluster? If you configure that right, the problem of swapping the requests is also solved.

Let me know if you want to discuss further.

Paul

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FW: Load balancing over two freeRADIUS Server
[EMAIL PROTECTED] wrote:

> Most load balancers (ex: foundry and extreme switches) have various methods of hashing whether a connection goes to machine A or B (or C or D or ...). I was originally going to suggest changing the default hashing algorithm to something other than the default. Many load balancers (except Cisco) by default run a hash on [Orig IP + Orig Socket + Dest IP + Dest Socket]. In order to ensure that (for example) your authentication requests and accounting go to the same server, you'd have to change the hashing method to be just [Orig IP]. However, that's a bad fit since typically the IP address of your NAS doesn't change, and/or the number of NASes is (relatively) low. Each individual NAS would always be going to the same server all the time.
>
> If I were you, I'd save the money on a load balancer and hand configure NAS A to go to radius server A, NAS B to go to server B, NAS C to go to A, NAS D to go to B, etc. (Of course, you'd want NAS A to contact server B as a secondary, in case either one of your radius servers dies. But it should "prefer" A.)
>
> Vincent Giovannone
> Network Infrastructure Group
> Information Services Division
> Rush - Presbyterian St. Luke's Medical Center

[ASCII diagram, garbled in this archive copy: access servers labelled AS G1 and AS G2, Radius A and Radius B, and Session Mngt. (Mysql/Postgresql or radrelay)]

OK, let me help.

Configure Group 1 of the access servers to have Radius A as primary radius and Radius B as secondary radius.

Configure Group 2 of the access servers to have Radius B as primary radius and Radius A as secondary radius.

You have fallback and backup and single session management. The solution with the load balancer will knock your session management off its rockers.

If the ascii art does not show, play with your fonts.
Re: FW: Load balancing over two freeRADIUS Server
> Chesi Maurizio wrote:
>
> > We have been asked to put a load balancer to distribute the
> > load between two radius servers. The architecture will
> > encompass a hardware load balancer in front of 2 freeRADIUS servers.
> > We are wondering if this may cause a problem being the
> > possibility that, for example, an access-request may be
> > managed by a server and, in case of challenge,
> > the response access-request containing the response to the
> > challenge may be managed by the other radius server.

Set up two separate servers. To load balance, set respective NASes to have a different primary/secondary pair. Then, you need to share the data between both servers. Do this either by:

- using a DB backend like MySQL which is installed on both FreeRadius servers, and replicates to the other one, or one single, solid MySQL server to which both connect (clearly here the point of failure will be the DB server)
- creating scripts to mirror a "users" file or other user data between both Radius servers

Something along these lines.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: FW: Load balancing over two freeRADIUS Server
Most load balancers (ex: foundry and extreme switches) have various methods of hashing whether a connection goes to machine A or B (or C or D or ...). I was originally going to suggest changing the default hashing algorithm to something other than the default. Many load balancers (except Cisco) by default run a hash on [Orig IP + Orig Socket + Dest IP + Dest Socket]. In order to ensure that (for example) your authentication requests and accounting go to the same server, you'd have to change the hashing method to be just [Orig IP]. However, that's a bad fit since typically the IP address of your NAS doesn't change, and/or the number of NASes is (relatively) low. Each individual NAS would always be going to the same server all the time.

If I were you, I'd save the money on a load balancer and hand configure NAS A to go to radius server A, NAS B to go to server B, NAS C to go to A, NAS D to go to B, etc. (Of course, you'd want NAS A to contact server B as a secondary, in case either one of your radius servers dies. But it should "prefer" A.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around." -- Simon Travaglia

"Chesi Maurizio" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/03/2003 02:06 AM
Please respond to freeradius-users
To: <[EMAIL PROTECTED]>
cc: "Continanza Biagio" <[EMAIL PROTECTED]>, "Beligni Davide" <[EMAIL PROTECTED]>
Subject: FW: Load balancing over two freeRADIUS Server

> We have been asked to put a load balancer to distribute the load between two radius servers. The architecture will encompass a hardware load balancer in front of 2 freeRADIUS servers. We are wondering if this may cause a problem being the possibility that, for example, an access-request may be managed by a server and, in case of challenge, the response access-request containing the response to the challenge may be managed by the other radius server.
>
> Thank you for any suggestion.
>
> Maurizio Chesi
> NETikos
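The hashing trade-off discussed in the message above, as an added example that is not part of the original thread: it compares a 4-tuple hash with a source-IP-only hash over constructed RADIUS traffic and counts how many sessions end up split across both servers. SHA-256 stands in for a balancer's hash, the addresses and server names are made up, and the NAS is assumed to send its challenge response from a new source port.

```python
import hashlib
from collections import defaultdict

SERVERS = ["radius-A", "radius-B"]   # hypothetical pool behind the balancer
VIP = "192.0.2.10"                   # constructed virtual IP (documentation range)
NASES = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # constructed NAS addresses

def pick(*fields):
    """Stand-in for a balancer hash: digest the selected fields, modulo pool size."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return SERVERS[int.from_bytes(digest[:4], "big") % len(SERVERS)]

def four_tuple(p):
    return pick(p["src"], p["sport"], p["dst"], p["dport"])

def source_ip(p):
    return pick(p["src"])

def build_sessions(per_nas=100):
    """Constructed traffic: each session is an Access-Request, the Access-Request
    answering the challenge (assumed to leave from a new source port), and an
    Accounting-Request to port 1813."""
    sessions = []
    for n, nas in enumerate(NASES):
        for i in range(per_nas):
            sport = 20000 + n * 1000 + i * 2
            sessions.append([
                {"src": nas, "sport": sport, "dst": VIP, "dport": 1812},
                {"src": nas, "sport": sport + 1, "dst": VIP, "dport": 1812},
                {"src": nas, "sport": sport, "dst": VIP, "dport": 1813},
            ])
    return sessions

def split_sessions(policy, sessions):
    """Count sessions whose packets reached more than one server."""
    return sum(1 for s in sessions if len({policy(p) for p in s}) > 1)

def servers_per_nas(policy, sessions):
    """Map each NAS to the set of servers that ever saw its packets."""
    seen = defaultdict(set)
    for s in sessions:
        for p in s:
            seen[p["src"]].add(policy(p))
    return dict(seen)

if __name__ == "__main__":
    sessions = build_sessions()
    print("split under 4-tuple hash:", split_sessions(four_tuple, sessions))
    print("split under source-IP hash:", split_sessions(source_ip, sessions))
    print("servers per NAS (source-IP):", servers_per_nas(source_ip, sessions))
```

With source-IP hashing no session is split, but every NAS is pinned to one server, which is the same outcome as configuring a primary on each NAS by hand.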
Re: FW: Load balancing over two freeRADIUS Server
Why do you want to do that? This adds another point of failure to the system. Most NASes let you put two or more radius servers in the auth/acc config. That way you can do balancing and still have failure protection.

Chesi Maurizio wrote:

> We have been asked to put a load balancer to distribute the load between two radius servers. The architecture will encompass a hardware load balancer in front of 2 freeRADIUS servers. We are wondering if this may cause a problem being the possibility that, for example, an access-request may be managed by a server and, in case of challenge, the response access-request containing the response to the challenge may be managed by the other radius server.
>
> Thank you for any suggestion.
>
> Maurizio Chesi
> NETikos
Re: FW: Load balancing over two freeRADIUS Server
Chesi Maurizio wrote:

> We have been asked to put a load balancer to distribute the load between two radius servers. The architecture will encompass a hardware load balancer in front of 2 freeRADIUS servers. We are wondering if this may cause a problem being the possibility that, for example, an access-request may be managed by a server and, in case of challenge, the response access-request containing the response to the challenge may be managed by the other radius server.
>
> Thank you for any suggestion.
>
> Maurizio Chesi
> NETikos

Why don't you just split your access servers, half on one machine primary and the other half on the other machine?
FW: Load balancing over two freeRADIUS Server
We have been asked to put a load balancer to distribute the load between two radius servers. The architecture will encompass a hardware load balancer in front of 2 freeRADIUS servers. We are wondering if this may cause a problem being the possibility that, for example, an access-request may be managed by a server and, in case of challenge, the response access-request containing the response to the challenge may be managed by the other radius server.

Thank you for any suggestion.

Maurizio Chesi
NETikos