[RADIATOR] Radiator Load Balancing
Hello,

Right now we are using Radiator's own load balancer. Would using an F5 Load Balancer to load balance make any sense, and would it work? Their product is here: https://f5.com (we use it for other services, but they are all TCP based).

Thanks!

---
Roberto Ullfig - rull...@uic.edu
ACCC Research Programmer

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Load balancing EAP (radiator Digest, Vol 61, Issue 15)
On 06/19/2014 11:26 PM, Barry Ard wrote:
> I have been asked to investigate the possibility of using our F5 load balancers in our wireless infrastructure. We currently have 2 large servers and load balance using the EAPBalance handler. We currently allow the PEAP and TTLS EAP types.

I'm currently running Radiator behind a load balancer (not F5) and it's working well. The key issues for me were:

* make sure the VIP port consistently maps each client IP to the same real server, to avoid breaking EAP conversations. [There might be other ways to do this with better granularity, especially if your load balancer comprehends EAP, but I took the path of maximum safety. We have enough distinct wireless controllers that mapping each entire controller to one RADIUS server at a time is fine.]

* Important exception: make sure this mapping is automatically adjusted whenever a real server port goes down _or_ comes back up! [I spent a while testing different ways to configure the load balancer behavior until I found one that behaved well in this regard. Not F5, so I can't help with details; just make sure you do plenty of testing.]

* use actual RADIUS requests for the health check, and make sure you configure Radiator to answer them in such a way that any failure mode which would prevent real wireless auths from working will also cause the health check to fail. [E.g. if you depend on a back-end connection to Active Directory, as I do, make sure your health check exercises that.]

> Our goals are:
>
> 1. With multiple servers behind the load balancers we will be able to remove one from use for maintenance without impacting service.

Yes!

> 2. We also hope that we may be able to have a single SSL cert so that when the next Heartbleed-like event happens updating certs on 2 servers won't have our user base freaking out.

Yes, but this shouldn't require load balancing; you can always install the same SSL cert and key on as many Radiator boxes as you want.

A wireless supplicant only cares about the name (Subject CN) on the certificate; it never even knows the DNS hostname or IP address of the RADIUS server, so (unlike with a webserver) it doesn't matter if the DNS hostname matches the cert or not.

HTH,
David
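As an added example (not code from the list, from Radiator or from any load balancer vendor) of the third point above, a probe that sends a real Access-Request for a hypothetical health-check account and accepts the real server only when it answers with an Access-Accept carrying a valid Response Authenticator. The shared secret, the probe credentials and the stand-in server are constructed so the example runs offline; the stand-in's backend_up flag models the back end the probe is supposed to exercise.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed values for this offline demonstration (hypothetical probe account).
SECRET = b"constructed-shared-secret"
PROBE_USER, PROBE_PASS = b"healthcheck", b"probe-password"


def _attr(atype, value):
    # RADIUS attribute TLV: type (1 byte), length including header (1 byte), value.
    return struct.pack("!BB", atype, len(value) + 2) + value


def _xor_chain(data, secret, req_auth, decrypt):
    # RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    # MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if decrypt else block
    return out.rstrip(b"\x00") if decrypt else out


def build_access_request(ident, secret=SECRET):
    """Access-Request carrying the probe credentials, as a monitor would send it."""
    req_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, PROBE_USER) + _attr(
        ATTR_USER_PASSWORD, _xor_chain(PROBE_PASS, secret, req_auth, False))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def healthy(reply, request, secret=SECRET):
    """True only for an Access-Accept that answers this request and carries a valid
    Response Authenticator. A reject, a wrong secret, a tampered reply or a reply
    to another identifier all mark the real server as down."""
    if len(reply) < 20 or len(request) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20]) and code == ACCESS_ACCEPT


def simulated_server(request, secret=SECRET, backend_up=True):
    """Stand-in for the real RADIUS server so the example runs offline. backend_up
    models the back end (e.g. Active Directory) that the probe must exercise."""
    ident, req_auth, attrs, pos = request[1], request[4:20], {}, 20
    while pos + 2 <= len(request):
        atype, alen = request[pos], request[pos + 1]
        if alen < 2:
            break  # malformed attribute; stop parsing rather than loop forever
        attrs[atype] = request[pos + 2:pos + alen]
        pos += alen
    password = _xor_chain(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth, True)
    ok = backend_up and attrs.get(ATTR_USER_NAME) == PROBE_USER and password == PROBE_PASS
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    return header + response_authenticator(code, ident, b"", req_auth, secret)
```

A monitor that only checks that some UDP reply arrives would keep a server with a dead back end in the pool; this one takes it out as soon as the reply is anything but a verified Access-Accept.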
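As an added example (not F5's configuration, nor anything from the list) of the first two points above, a model of per-client-IP pinning with the failover behaviour David asks for: a real server that is marked down loses only its own clients, and when it comes back exactly those clients return to it, so EAP conversations on the other servers are never disturbed. It uses rendezvous (highest-random-weight) hashing; the server names and client addresses are constructed.

```python
import hashlib


class RadiusPool:
    """Pins each client (NAS / wireless controller) IP to one real server.

    Rendezvous hashing: every server that is up gets a per-client score and the
    highest scorer wins. Because a client's scores for the other servers never
    change, removing one server moves only its clients, and restoring it moves
    exactly those clients back."""

    def __init__(self, servers):
        self.servers = list(servers)   # constructed real-server names
        self.up = set(servers)         # servers whose RADIUS health check passes

    @staticmethod
    def _score(client_ip, server):
        digest = hashlib.sha256(f"{client_ip}|{server}".encode()).digest()
        return int.from_bytes(digest[:8], "big")

    def pick(self, client_ip):
        """Real server for this client, or None when every server is down."""
        candidates = [s for s in self.servers if s in self.up]
        if not candidates:
            return None
        return max(candidates, key=lambda s: self._score(client_ip, s))

    def mark_down(self, server):
        # Called when the health check for this real server fails.
        self.up.discard(server)

    def mark_up(self, server):
        # Called when the health check passes again.
        if server in self.servers:
            self.up.add(server)

    def pin_table(self, clients):
        return {c: self.pick(c) for c in clients}


def moved_clients(before, after):
    """Clients whose pin changed between two pin tables (for checking a change)."""
    return {c for c in before if before[c] != after.get(c)}
```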
[RADIATOR] Load balancing EAP
Hello Group,

I have been asked to investigate the possibility of using our F5 load balancers in our wireless infrastructure. We currently have 2 large servers and load balance using the EAPBalance handler. We currently allow the PEAP and TTLS EAP types.

Our goals are:

1. With multiple servers behind the load balancers we will be able to remove one from use for maintenance without impacting service.

2. We also hope that we may be able to have a single SSL cert so that when the next Heartbleed-like event happens updating certs on 2 servers won't have our user base freaking out.

Any insights or advice - or tell me I am stupid - is appreciated.

Thanks,
Barry

--
Barry Ard barry@ualberta.ca
IST University of Alberta
Edmonton, Alberta Canada
[RADIATOR] Load balancing RADIATOR with Cisco ACE
Hi,

We'd like to load balance RADIUS requests over several RADIATOR servers. Therefore we will use an external hardware load balancer: a Cisco ACE (service module).

Is there anyone who has experience with this kind of combination, i.e. RADIATOR / Cisco ACE? Any (white) papers on this subject are welcome, as are any ACE configuration examples. We are particularly interested in field experiences with the combination Cisco ACE / RADIATOR.

(We have already taken notice of the Cisco configuration guide "Configuring RADIUS Load Balancing", which in general describes it, but is not product specific (in this case RADIATOR) :)

Regards,
Gaston
Re: [RADIATOR] Load balancing RADIATOR with Cisco ACE
I've done it -- currently in production serving an environment with over 80,000 users. No issues.

If you're load balancing TACACS+ you should enable stickiness so that the session remains pinned to one Radiator server. If load balancing simple RADIUS, just do a simple serverfarm and load balance with a least connections or round robin LB algorithm.

Hope this helps.

-james

On Thu, May 10, 2012 at 5:15 AM, Janssen, G.H.C. (Gaston) g.jans...@uci.ru.nl wrote:
> Hi,
>
> We'd like to load balance RADIUS requests over several RADIATOR servers. Therefore we will use an external hardware load balancer: a Cisco ACE (service module).
>
> Is there anyone who has experience with this kind of combination, i.e. RADIATOR / Cisco ACE? Any (white) papers on this subject are welcome, as are any ACE configuration examples. We are particularly interested in field experiences with the combination Cisco ACE / RADIATOR.
>
> (We have already taken notice of the Cisco configuration guide "Configuring RADIUS Load Balancing", which in general describes it, but is not product specific (in this case RADIATOR) :)
>
> Regards,
> Gaston
Re: [RADIATOR] Load balancing RADIATOR with Cisco ACE
EAP and OTP also require pinning, which I personally would always use.

On 2012-05-10 16:56, James wrote:
> I've done it -- currently in production serving an environment with over 80,000 users. No issues.
>
> If you're load balancing TACACS+ you should enable stickiness so that the session remains pinned to one Radiator server. If load balancing simple RADIUS, just do a simple serverfarm and load balance with a least connections or round robin LB algorithm.
>
> Hope this helps.
>
> -james
>
> On Thu, May 10, 2012 at 5:15 AM, Janssen, G.H.C. (Gaston) g.jans...@uci.ru.nl wrote:
>> Hi,
>>
>> We'd like to load balance RADIUS requests over several RADIATOR servers. Therefore we will use an external hardware load balancer: a Cisco ACE (service module).
>>
>> Is there anyone who has experience with this kind of combination, i.e. RADIATOR / Cisco ACE? Any (white) papers on this subject are welcome, as are any ACE configuration examples. We are particularly interested in field experiences with the combination Cisco ACE / RADIATOR.
>>
>> (We have already taken notice of the Cisco configuration guide "Configuring RADIUS Load Balancing", which in general describes it, but is not product specific (in this case RADIATOR) :)
>>
>> Regards,
>> Gaston

--
Cheers,
Alex

***
T-Systems Austria GesmbH
Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
***
(RADIATOR) Load Balancing
Hi,

We are using Ericsson GSN; the primary and secondary failover timer in GSN is restricted to merely 6 seconds. After these 6 secs, it drops the call. So our Radiator server needs to respond very fast, I mean fast in doing username/password authentication, accounting logging, IP address allocation and forwarding accounting information to 3rd party business partners, and replying back to GSN at last. If we divide 6 secs into 2 halves, there will be only 3 secs for the primary radius, and 3 secs for the secondary radius.

Our first question: is it possible to change the behaviour (perhaps with an extra parameter) of AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE so that when the radius proxy does not receive a response from the first radius server, it just stops, marks that radius server as failed and replies nothing to GSN? Let the radius server sit still until FailureBackoffTime is reached. Do not even try to forward the request to the second listed, until the list is exhausted.

Second, can we set the timeout value (perhaps to zero) for the very first accounting forward packet? The RetryTimeout is only suitable for retransmitting packets. A lost accounting packet is not a concern to us, as long as the radius server works very fast.

We tried to optimize everything, such as using a radius proxy to distribute loading to several radius servers, putting the database server in another Unix box, field indexing, lots of memory, etc.

Maybe our question is a bit strange. Perhaps someone can suggest us a workaround. Thanks.

Regards,
Harrison
SmarTone BroadBand Services Ltd.
Re: (RADIATOR) Load Balancing
Hello Harrison -

On Monday 10 September 2001 17:20, Harrison Ng wrote:
> Hi,
>
> We are using Ericsson GSN; the primary and secondary failover timer in GSN is restricted to merely 6 seconds. After these 6 secs, it drops the call.

OK

> So our Radiator server needs to respond very fast, I mean fast in doing username/password authentication, accounting logging, IP address allocation and forwarding accounting information to 3rd party business partners, and replying back to GSN at last. If we divide 6 secs into 2 halves, there will be only 3 secs for the primary radius, and 3 secs for the secondary radius.

Normally, requests should be processed in a relatively small number of milliseconds, so you should be in good shape.

> Our first question: is it possible to change the behaviour (perhaps with an extra parameter) of AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE so that when the radius proxy does not receive a response from the first radius server, it just stops, marks that radius server as failed and replies nothing to GSN? Let the radius server sit still until FailureBackoffTime is reached. Do not even try to forward the request to the second listed, until the list is exhausted.

I'm afraid I don't understand the above - why use load balancing at all?

> Second, can we set the timeout value (perhaps to zero) for the very first accounting forward packet? The RetryTimeout is only suitable for retransmitting packets. A lost accounting packet is not a concern to us, as long as the radius server works very fast.

You can use AccountingHandled in the Handler (or Realm) and IgnoreAccountingResponse in the AuthBy RADIUS clause to do this.

> We tried to optimize everything, such as using a radius proxy to distribute loading to several radius servers, putting the database server in another Unix box, field indexing, lots of memory, etc.
>
> Maybe our question is a bit strange. Perhaps someone can suggest us a workaround. Thanks.

I think you will need to do some tests to discover the real-world performance of your system, as well as some end user tests to see what is (un)acceptable.

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Load Balancing Radiator
In the main global section:

    BindAddress 10.0.0.1

That's the one for the normal auth/accounting information to listen and respond with. Make it whichever IP bound to the NIC you want it to use, and reload.

- Original Message -
From: "Chris" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 16, 2000 1:18 PM
Subject: (RADIATOR) Load Balancing Radiator

> I'm trying to load balance radiator across three separate servers with an Extreme Summit 7i switch. All servers respond correctly to requests out of the server farm. However, when put in the server farm they respond to the authentication request with the Ethernet IP even though the request was sent to an IP on the loopback. Because it is responding with a different IP than what the request was sent to, my PortMasters are ignoring the response.
>
> I noticed the 6.27.11 LocalAddress tag but it seems to only work with AuthBy RADIUS. Is there a way to have radiator respond with the IP that the request was sent to with AuthBy UNIX? The manual implies that this is default but it doesn't seem to be doing it. (perhaps because the address is on the loopback?) Has anyone run into the same problem?
>
> Here is my config:
>
>     Foreground
>     LogStdout    #THIS LINE IS FOR TESTING, OUTPUT GOES TO SCREEN
>     LogDir /var/log/radiator
>     DbDir /etc/raddb
>     PidFile /var/run/radiusd.pid
>     DictionaryFile /etc/raddb/dictionary.livingston
>     AuthPort 1812
>     AcctPort 1813
>     SnmpgetProg /usr/local/bin/snmpget
>     Trace 4
>     SocketQueueLength 10
>
>     <Client 1.2.3.4>
>         Secret x
>         DefaultRealm xxx
>     </Client>
>     <Client 2.3.4.5>
>         Secret x
>         DefaultRealm xxx
>     </Client>
>     <Client 3.4.5.6>
>         Secret x
>     </Client>
>     <Client 7.8.9.1>
>         Secret xx
>     </Client>
>     <Client DEFAULT>
>         Secret xx
>         DupInterval 2
>         NasType Livingston
>         SNMPCommunity frii
>         LivingstonOffs 22
>         LivingstonHole 1
>     </Client>
>
>     <AuthBy GROUP>
>         Identifier Frii
>         AuthByPolicy ContinueWhileReject
>         <AuthBy SQL>
>             AuthSelect
>             AccountingStopsOnly
>             DBSource x
>             DBUsername x
>             DBAuth xx
>             AcctSQLStatement insert into data values ('%n',%t,%{Acct
>         </AuthBy>
>         <AuthBy GROUP>
>             AuthByPolicy ContinueUntilReject
>             <AuthBy FILE>
>                 Filename /etc/raddb/users-pop
>             </AuthBy>
>             <AuthBy FILE>
>                 Filename /etc/raddb/users
>             </AuthBy>
>         </AuthBy>
>     </AuthBy>
>
>     <AuthBy UNIX>
>         Identifier FriiSystem
>         Filename /etc/mypasswd
>     </AuthBy>
>
>     <SessionDatabase SQL>
>         Identifier FriiSessions
>         DBSource
>         DBUsername x
>         DBAuth xx
>         AddQuery replace into Sessions values.
>         CountQuery select NASIDENTIFIER
>         DeleteQuery delete from Sessions where .
>     </SessionDatabase>
>
>     <Realm /realm1/i>
>         RewriteUsername s/^([^@]+).*/$1/
>         AuthBy Frii
>         SessionDatabase FriiSessions
>     </Realm>
>     <Realm /realm2/i>
>         RewriteUsername s/^([^@]+).*/$1/
>         AuthBy Frii
>         SessionDatabase FriiSessions
>     </Realm>
>     <Handler>
>         AuthBy Frii
>         SessionDatabase FriiSessions
>     </Handler>
>
> Chris Bissell | Front Range Internet, Inc.
> [EMAIL PROTECTED] | www.frii.com
> [EMAIL PROTECTED] Technical Operations | 970-224-3668 800-935-6527

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Load Balancing Radiator
I tried this, so as to also listen only on that IP; however this also did not appear to work, possibly because the IP is bound to the loopback (it has to be bound to the loopback because of the method of load balancing the Summit 7i is doing). So when I did this, radiator only responded to requests on 1.2.3.4 (which is configured on the loopback) but replied to those requests with the Ethernet IP. I'm setting up a packet sniffer to confirm this Wednesday AM so I don't have to rely on Lucent debug.

Chris

> In the main global section:
>
>     BindAddress 10.0.0.1
>
> That's the one for the normal auth/accounting information to listen and respond with. Make it whichever IP bound to the NIC you want it to use, and reload.

Chris Bissell | Front Range Internet, Inc.
[EMAIL PROTECTED] | www.frii.com
[EMAIL PROTECTED] Technical Operations | 970-224-3668 800-935-6527
Re: (RADIATOR) Load Balancing Radiator
That is odd. I didn't mention it, but I also use load balancing, though with a Linux server doing the clustering rather than a layer 2 switch. Same concept though: it intercepts the packets destined for the radius server IP address and redirects them to the cluster nodes, which have the IPs bound as loopback addresses so that they will not respond to ARP broadcasts and interfere with the cluster server doing its job.

Anyways, the BindAddress is working on my 3 Suns, Solaris 2.6 and 7.0, when using the loopback, clustered address. The only other time I had a problem like that is when my NAS servers were speaking to the radius servers by way of a different IP address than the replies were coming back from, as you surmised. However, on every flavor of radius I've used, using a LocalAddress or BindAddress to force the issue has solved it.

Heh, sounds like a packet sniffer is the only way to go, as well as trace 4 logs on Radiator and any debug logs your NASs can produce.

- Original Message -
From: "Chris" [EMAIL PROTECTED]
To: "Ron Hensley" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, October 16, 2000 5:21 PM
Subject: Re: (RADIATOR) Load Balancing Radiator

> I tried this, so as to also listen only on that IP; however this also did not appear to work, possibly because the IP is bound to the loopback (it has to be bound to the loopback because of the method of load balancing the Summit 7i is doing). So when I did this, radiator only responded to requests on 1.2.3.4 (which is configured on the loopback) but replied to those requests with the Ethernet IP. I'm setting up a packet sniffer to confirm this Wednesday AM so I don't have to rely on Lucent debug.
>
> Chris
>
>> In the main global section:
>>
>>     BindAddress 10.0.0.1
>>
>> That's the one for the normal auth/accounting information to listen and respond with. Make it whichever IP bound to the NIC you want it to use, and reload.
Re: (RADIATOR) Load Balancing Radiator
Hello Chris -

On Tue, 17 Oct 2000, Chris wrote:
> I'm trying to load balance radiator across three separate servers with an Extreme Summit 7i switch. All servers respond correctly to requests out of the server farm. However, when put in the server farm they respond to the authentication request with the Ethernet IP even though the request was sent to an IP on the loopback. Because it is responding with a different IP than what the request was sent to, my PortMasters are ignoring the response.
>
> I noticed the 6.27.11 LocalAddress tag but it seems to only work with AuthBy RADIUS. Is there a way to have radiator respond with the IP that the request was sent to with AuthBy UNIX? The manual implies that this is default but it doesn't seem to be doing it. (perhaps because the address is on the loopback?)

You should use the "BindAddress" global parameter to set the address to your loopback. If the outbound packet has a different IP address, I would suspect that it is the operating system that is using the Ethernet source IP address rather than Radiator. What system are you running on?

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.