[RADIATOR] Load balancing RADIATOR with Cisco ACE

2012-05-10 Thread Janssen, G.H.C. (Gaston)
Hi,

We'd like to load balance RADIUS requests over several RADIATOR servers.
Therefore we will use an external hardware load balancer: a Cisco ACE (service
module).
Is there anyone who has experience with this kind of combination, i.e. RADIATOR
 Cisco ACE.

Any (white) papers on this subject are welcome, as are any ACE configuration
examples.

We are particularly interested in field experiences in the combination Cisco
ACE / RADIATOR.


(We already have taken notice of the Cisco configuration guide "Configuring
RADIUS Load Balancing",
which in general describes it, but is not product specific (in this case
RADIATOR)   :)

Regards,
Gaston

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Load balancing RADIATOR with Cisco ACE

2012-05-10 Thread James
I've done it -- currently in production serving an environment with
over 80,000 users. No issues.

If you're load balancing TACACS+ you should enable stickiness so that
the session remains pinned to one Radiator server. If load balancing
simple RADIUS, just do a simple serverfarm and load balance with a
least connections or round robin LB algorithm.

Hope this helps.

-james



Re: [RADIATOR] Load balancing RADIATOR with Cisco ACE

2012-05-10 Thread Alexander Hartmaier
EAP and OTP also require pinning, which I personally would always use.

 --
 Cheers, Alex
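
The pinning point made in the replies above, as an added example that is not part of the original thread: a constructed model (not ACE or Radiator code) in which each backend keeps challenge state in memory, so a two-round exchange such as OTP or EAP only completes when both packets reach the same server. The backend names, NAS addresses and CRC-based sticky key are assumptions made for the illustration.

```python
import itertools
import zlib

NAS_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]  # constructed

class Backend:
    """Constructed model of one RADIUS server holding challenge state in memory."""
    def __init__(self, name):
        self.name = name
        self.pending = {}      # State attribute value -> user awaiting round 2
        self.counter = 0

    def handle(self, user, state=None):
        if state is None:      # round 1: issue a challenge and remember it locally
            self.counter += 1
            state = f"{self.name}-{self.counter}"
            self.pending[state] = user
            return "Access-Challenge", state
        if self.pending.pop(state, None) == user:
            return "Access-Accept", None       # round 2 reached the issuing server
        return "Access-Reject", None           # State was issued by another server

def round_robin(backends):
    """Each packet goes to the next server, regardless of who sent it."""
    cycle = itertools.cycle(backends)
    return lambda nas_ip: next(cycle)

def sticky(backends):
    """Every packet from one NAS address is pinned to the same server."""
    return lambda nas_ip: backends[zlib.crc32(nas_ip.encode()) % len(backends)]

def run(policy, nas_ips, rounds=3):
    """Drive two-round conversations through the balancer and count verdicts."""
    backends = [Backend(n) for n in ("rad1", "rad2", "rad3")]
    pick = policy(backends)
    results = {"Access-Accept": 0, "Access-Reject": 0}
    for _ in range(rounds):
        for nas in nas_ips:
            user = "user@" + nas
            _, state = pick(nas).handle(user)           # Access-Request
            verdict, _ = pick(nas).handle(user, state)  # Access-Request + State
            results[verdict] += 1
    return results

if __name__ == "__main__":
    print("round robin:", run(round_robin, NAS_IPS))
    print("sticky     :", run(sticky, NAS_IPS))
```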




Re: (RADIATOR) Load Balancing Radiator

2000-10-16 Thread Ron Hensley

In the main global section

BindAddress 10.0.0.1

That's the one for the normal auth/accounting information to listen and
respond with.
Make it whichever IP bound to the NIC you want it to use, and reload.

- Original Message -
From: "Chris" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 16, 2000 1:18 PM
Subject: (RADIATOR) Load Balancing Radiator



 I'm trying to load balance radiator across three separate servers
 with an Extreme Summit 7i switch.  All servers respond correctly to
 requests out of the server farm.  However when put in the server farm they
 respond to the authentication request with the ethernet ip even though the
 request was sent to an ip on the loopback.  Because it is responding with
 a different ip than what the request was sent to, my portmasters are
 ignoring the response.  I noticed the 6.27.11 LocalAddress tag but seems
 to only work with AuthBy Radius.  Is there a way to have radiator respond
 with the ip that the request was sent to with AuthBy Unix?  The manual
 implies that this is default but it doesn't seem to be doing it. (perhaps
 because the address is on the loopback?)

 Has anyone run into the same problem?

 Here is my config:

 Foreground
 LogStdout         #THIS LINE IS FOR TESTING, OUTPUT GOES TO SCREEN
 LogDir            /var/log/radiator
 DbDir             /etc/raddb
 PidFile           /var/run/radiusd.pid
 DictionaryFile    /etc/raddb/dictionary.livingston
 AuthPort          1812
 AcctPort          1813
 SnmpgetProg       /usr/local/bin/snmpget
 Trace             4
 SocketQueueLength 10

 <Client 1.2.3.4>
   Secret        x
   DefaultRealm  xxx
 </Client>
 <Client 2.3.4.5>
   Secret        x
   DefaultRealm  xxx
 </Client>
 <Client 3.4.5.6>
   Secret        x
 </Client>
 <Client 7.8.9.1>
   Secret        xx
 </Client>
 <Client DEFAULT>
   Secret          xx
   DupInterval     2
   NasType         Livingston
   SNMPCommunity   frii
   LivingstonOffs  22
   LivingstonHole  1
 </Client>

 <AuthBy GROUP>
   Identifier Frii
   AuthByPolicy ContinueWhileReject
   <AuthBy SQL>
     AuthSelect
     AccountingStopsOnly
     DBSource    x
     DBUsername  x
     DBAuth      xx
     AcctSQLStatement insert into data values ('%n',%t,%{Acct
   </AuthBy>
   <AuthBy GROUP>
     AuthByPolicy ContinueUntilReject
     <AuthBy FILE>
       Filename /etc/raddb/users-pop
     </AuthBy>
     <AuthBy FILE>
       Filename /etc/raddb/users
     </AuthBy>
   </AuthBy>
 </AuthBy>

 <AuthBy UNIX>
   Identifier FriiSystem
   Filename /etc/mypasswd
 </AuthBy>

 <SessionDatabase SQL>
   Identifier FriiSessions
   DBSource
   DBUsername  x
   DBAuth      xx
   AddQuery replace into Sessions values.
   CountQuery select NASIDENTIFIER
   DeleteQuery delete from Sessions where .
 </SessionDatabase>

 <Realm /realm1/i>
   RewriteUsername   s/^([^@]+).*/$1/
   AuthBy Frii
   SessionDatabase FriiSessions
 </Realm>
 <Realm /realm2/i>
   RewriteUsername   s/^([^@]+).*/$1/
   AuthBy Frii
   SessionDatabase FriiSessions
 </Realm>
 <Handler>
   AuthBy Frii
   SessionDatabase FriiSessions
 </Handler>

 Chris Bissell| Front Range Internet, Inc.
 [EMAIL PROTECTED]| www.frii.com [EMAIL PROTECTED]
 Technical Operations | 970-224-3668  800-935-6527


 ===
 Archive at http://www.starport.net/~radiator/
 Announcements on [EMAIL PROTECTED]
 To unsubscribe, email '[EMAIL PROTECTED]' with
 'unsubscribe radiator' in the body of the message.






Re: (RADIATOR) Load Balancing Radiator

2000-10-16 Thread Chris


I tried this, so also to listen only on that ip, however this also did not
appear to work, possibly because the ip is bound to the loopback (it has to
be bound to the loopback because of the method of load balancing the
Summit 7i is doing).

So when I did this, radiator only responded to requests on 1.2.3.4 (which
is configured on the loopback) but replied to those requests with the
ethernet ip.

I'm setting up a packet sniffer to confirm this Wednesday AM so I don't
have to rely on lucent debug.

Chris

 

Chris Bissell| Front Range Internet, Inc.
[EMAIL PROTECTED]| www.frii.com [EMAIL PROTECTED]
Technical Operations | 970-224-3668  800-935-6527





Re: (RADIATOR) Load Balancing Radiator

2000-10-16 Thread Ron Hensley

That is odd. I didn't mention it, but I also use load balancing, though with
a Linux Server doing the clustering rather than a layer 2 switch. Same
concept though, it intercepts the packets destined for the radius server
ip address, and redirects them to the cluster nodes, who have the ips bound
as loopback addresses, so that they will not respond to ARP broadcasts and
interfere with the cluster server doing its job.

Anyways, the BindAddress is working on my 3 Suns, Solaris 2.6 and 7.0, when
using the loopback, clustered address. The only other time I had the problem
like that, is when my NAS servers were speaking to the radius servers, by
way of a different ip address than the replies were coming back from, as you
surmised. However on every flavor of radius I've used, using a localaddress
or bindaddress to force the issue has solved it.

Heh sounds like a packet sniffer is the only way to go, as well as trace 4
logs on Radiator and any debug logs your NASs can produce.


Re: (RADIATOR) Load Balancing Radiator

2000-10-16 Thread Hugh Irvine


Hello Chris -

On Tue, 17 Oct 2000, Chris wrote:
 I'm trying to load balance radiator across three separate servers
 with an Extreme Summit 7i switch.  All servers respond correctly to
 requests out of the server farm.  However when put in the server farm they
 respond to the authentication request with the ethernet ip even though the
 request was sent to an ip on the loopback.  Because it is responding with
 a different ip than what the request was sent to, my portmasters are
 ignoring the response.  I noticed the 6.27.11 LocalAddress tag but seems
 to only work with AuthBy Radius.  Is there a way to have radiator respond
 with the ip that the request was sent to with AuthBy Unix?  The manual
 implies that this is default but it doesn't seem to be doing it. (perhaps
 because the address is on the loopback?)
 

You should use the "BindAddress" global parameter to set the address to your
loopback. If the outbound packet has a different IP address, I would suspect
that it is the operating system that is using the ethernet source IP address
rather than Radiator. What system are you running on?

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
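
The source-address behaviour discussed in this thread, as an added example that is not part of the original messages and uses a plain UDP socket rather than Radiator: a socket bound to the wildcard address lets the operating system pick the reply's source IP, while a socket bound to the specific address replies from it. It assumes a Linux host, where 127.0.0.2 is reachable on the loopback and stands in for the load-balanced address; the function names are hypothetical.

```python
import socket
import threading

VIP = "127.0.0.2"   # assumption: stands in for the balanced address on the loopback
NAS = "127.0.0.1"   # assumption: stands in for the NAS sending the request

def reply_source(bind_addr):
    """Source IP the client sees on the reply when the server binds to bind_addr."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.settimeout(2)
        cli.settimeout(2)
        srv.bind((bind_addr, 0))           # port 0: kernel picks a free port
        port = srv.getsockname()[1]

        def serve_once():
            _, peer = srv.recvfrom(4096)
            srv.sendto(b"reply", peer)     # the reply's source IP is decided here

        worker = threading.Thread(target=serve_once)
        worker.start()
        cli.bind((NAS, 0))
        cli.sendto(b"request", (VIP, port))    # request goes to the balanced address
        _, (src_ip, _) = cli.recvfrom(4096)
        worker.join()
        return src_ip
    finally:
        srv.close()
        cli.close()

def nas_accepts(bind_addr):
    """Model a NAS that ignores replies not coming from the address it queried."""
    return reply_source(bind_addr) == VIP

if __name__ == "__main__":
    for addr in ("0.0.0.0", VIP):
        src = reply_source(addr)
        print(f"server bound to {addr:<9} -> reply from {src:<9} "
              f"accepted={src == VIP}")
```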


