[RADIATOR] Load balancing RADIATOR with Cisco ACE
Hi,

We'd like to load balance RADIUS requests over several RADIATOR servers. Therefore we will use an external hardware load balancer: a Cisco ACE (service module). Is there anyone who has experience with this kind of combination, i.e. RADIATOR and Cisco ACE? Any (white) papers on this subject are welcome, as are any ACE configuration examples. We are particularly interested in field experiences with the combination Cisco ACE / RADIATOR. (We have already taken notice of the Cisco configuration guide "Configuring RADIUS Load Balancing", which describes it in general but is not product specific (in this case RADIATOR) :)

Regards,
Gaston

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Load balancing RADIATOR with Cisco ACE
I've done it -- currently in production serving an environment with over 80,000 users. No issues.

If you're load balancing TACACS+ you should enable stickiness so that the session remains pinned to one Radiator server. If load balancing simple RADIUS, just do a simple serverfarm and load balance with a least connections or round robin LB algorithm.

Hope this helps.

-james

On Thu, May 10, 2012 at 5:15 AM, Janssen, G.H.C. (Gaston) g.jans...@uci.ru.nl wrote:
> We'd like to load balance RADIUS requests over several RADIATOR servers. [...]
Re: [RADIATOR] Load balancing RADIATOR with Cisco ACE
EAP and OTP also require pinning, which I personally would always use.

On 2012-05-10 16:56, James wrote:
> [...] If you're load balancing TACACS+ you should enable stickiness so that the session remains pinned to one Radiator server. [...]

--
Cheers, Alex
T-Systems Austria GesmbH
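Added example (not part of the original thread): a toy Python model of the stickiness advice in the two replies above, showing a two-round challenge/response login under round robin and under pinning. It assumes each server keeps the Access-Challenge context (keyed by the State attribute) only in its own memory and that the balancer can pin on NAS address plus User-Name; Backend, round_robin, sticky and run_logins are names made up for this example.

```python
import hashlib
import itertools
import os


class Backend:
    """Toy RADIUS server; challenge context lives in this process only (assumption)."""

    def __init__(self, name):
        self.name = name
        self.pending = {}  # State value -> user still waiting for round 2

    def handle(self, user, state=None):
        if state is None:  # round 1: issue a challenge and remember its State
            state = os.urandom(8).hex()
            self.pending[state] = user
            return "Access-Challenge", state
        # round 2: only the server that issued this State can finish the exchange
        if self.pending.pop(state, None) == user:
            return "Access-Accept", None
        return "Access-Reject", None


def round_robin(backends):
    ring = itertools.cycle(backends)
    return lambda nas_ip, user: next(ring)


def sticky(backends):
    # Pin on something that stays constant for the whole conversation.
    def pick(nas_ip, user):
        digest = hashlib.sha256(f"{nas_ip}|{user}".encode()).digest()
        return backends[int.from_bytes(digest[:4], "big") % len(backends)]
    return pick


def run_logins(make_picker, users, nas_ip="192.0.2.10", servers=3):
    """Run a two-round (challenge/response) login per user; return the outcomes."""
    backends = [Backend(f"radiator{i}") for i in range(servers)]
    pick = make_picker(backends)
    outcomes = {}
    for user in users:
        _, state = pick(nas_ip, user).handle(user)                  # round 1
        outcomes[user], _ = pick(nas_ip, user).handle(user, state)  # round 2
    return outcomes


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]  # constructed sample users
    print("round robin:", run_logins(round_robin, users))
    print("sticky:     ", run_logins(sticky, users))
```

With round robin the second round always reaches a server that never issued the State value, so every login is rejected; with pinning both rounds reach the same server.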
Re: (RADIATOR) Load Balancing Radiator
In the main global section

BindAddress 10.0.0.1

That's the one for the normal auth/accounting information to listen and respond with. Make it whichever IP bound to the NIC you want it to use, and reload.

- Original Message -
From: "Chris" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 16, 2000 1:18 PM
Subject: (RADIATOR) Load Balancing Radiator

I'm trying to load balance radiator across three separate servers with an Extreme Summit 7i switch. All servers respond correctly to requests out of the server farm. However when put in the server farm they respond to the authentication request with the ethernet ip even though the request was sent to an ip on the loopback. Because it is responding with a different ip than what the request was sent to, my portmasters are ignoring the response.

I noticed the 6.27.11 LocalAddress tag but it seems to only work with AuthBy Radius. Is there a way to have radiator respond with the ip that the request was sent to with AuthBy Unix? The manual implies that this is default but it doesn't seem to be doing it. (perhaps because the address is on the loopback?) Has anyone run into the same problem?

Here is my config:

Foreground
LogStdout #THIS LINE IS FOR TESTING, OUTPUT GOES TO SCREEN
LogDir /var/log/radiator
DbDir /etc/raddb
PidFile /var/run/radiusd.pid
DictionaryFile /etc/raddb/dictionary.livingston
AuthPort 1812
AcctPort 1813
SnmpgetProg /usr/local/bin/snmpget
Trace 4
SocketQueueLength 10

<Client 1.2.3.4>
    Secret x
    DefaultRealm xxx
</Client>
<Client 2.3.4.5>
    Secret x
    DefaultRealm xxx
</Client>
<Client 3.4.5.6>
    Secret x
</Client>
<Client 7.8.9.1>
    Secret xx
</Client>
<Client DEFAULT>
    Secret xx
    DupInterval 2
    NasType Livingston
    SNMPCommunity frii
    LivingstonOffs 22
    LivingstonHole 1
</Client>

<AuthBy GROUP>
    Identifier Frii
    AuthByPolicy ContinueWhileReject
    <AuthBy SQL>
        AuthSelect
        AccountingStopsOnly
        DBSource x
        DBUsername x
        DBAuth xx
        AcctSQLStatement insert into data values ('%n',%t,%{Acct
    </AuthBy>
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        <AuthBy FILE>
            Filename /etc/raddb/users-pop
        </AuthBy>
        <AuthBy FILE>
            Filename /etc/raddb/users
        </AuthBy>
    </AuthBy>
</AuthBy>

<AuthBy UNIX>
    Identifier FriiSystem
    Filename /etc/mypasswd
</AuthBy>

<SessionDatabase SQL>
    Identifier FriiSessions
    DBSource
    DBUsername x
    DBAuth xx
    AddQuery replace into Sessions values.
    CountQuery select NASIDENTIFIER
    DeleteQuery delete from Sessions where .
</SessionDatabase>

<Realm /realm1/i>
    RewriteUsername s/^([^@]+).*/$1/
    AuthBy Frii
    SessionDatabase FriiSessions
</Realm>
<Realm /realm2/i>
    RewriteUsername s/^([^@]+).*/$1/
    AuthBy Frii
    SessionDatabase FriiSessions
</Realm>
<Handler>
    AuthBy Frii
    SessionDatabase FriiSessions
</Handler>

Chris Bissell        | Front Range Internet, Inc.
[EMAIL PROTECTED]    | www.frii.com [EMAIL PROTECTED]
Technical Operations | 970-224-3668 800-935-6527

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Load Balancing Radiator
I tried this, so as to also listen only on that IP; however, this also did not appear to work, possibly because the IP is bound to the loopback (it has to be bound to the loopback because of the method of load balancing the Summit 7i is doing). So when I did this, Radiator only responded to requests on 1.2.3.4 (which is configured on the loopback) but replied to those requests with the ethernet IP. I'm setting up a packet sniffer to confirm this Wednesday AM so I don't have to rely on Lucent debug.

Chris
Re: (RADIATOR) Load Balancing Radiator
That is odd. I didn't mention it, but I also use load balancing, though with a Linux server doing the clustering rather than a layer 2 switch. Same concept though: it intercepts the packets destined for the radius server IP address, and redirects them to the cluster nodes, who have the IPs bound as loopback addresses, so that they will not respond to ARP broadcasts and interfere with the cluster server doing its job.

Anyways, the BindAddress is working on my 3 Suns, Solaris 2.6 and 7.0, when using the loopback, clustered address. The only other time I had a problem like that is when my NAS servers were speaking to the radius servers by way of a different IP address than the replies were coming back from, as you surmised. However, on every flavor of radius I've used, using a localaddress or bindaddress to force the issue has solved it.

Heh, sounds like a packet sniffer is the only way to go, as well as trace 4 logs on Radiator and any debug logs your NASs can produce.

- Original Message -
From: "Chris" [EMAIL PROTECTED]
To: "Ron Hensley" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, October 16, 2000 5:21 PM
Subject: Re: (RADIATOR) Load Balancing Radiator

I tried this, so as to also listen only on that IP; however, this also did not appear to work [...]
Re: (RADIATOR) Load Balancing Radiator
Hello Chris -

On Tue, 17 Oct 2000, Chris wrote:
> [...] Is there a way to have radiator respond with the ip that the request was sent to with AuthBy Unix? The manual implies that this is default but it doesn't seem to be doing it. (perhaps because the address is on the loopback?)

You should use the "BindAddress" global parameter to set the address to your loopback. If the outbound packet has a different IP address, I would suspect that it is the operating system that is using the ethernet source IP address rather than Radiator. What system are you running on?

hth

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
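Added example (not part of the original thread): a Python model of how a NAS judges a RADIUS reply, to show why a reply sourced from the Ethernet address is dropped even though its Response Authenticator (RFC 2865) is valid. The source-address check mirrors the PortMaster behaviour reported in this thread; the addresses, shared secret and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def build_request(ident, user):
    """Access-Request: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = bytes([1, 2 + len(user)]) + user.encode()  # User-Name (type 1)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + os.urandom(16) + attrs


def build_reply(request, secret, code=ACCESS_ACCEPT, attrs=b""):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def nas_check_reply(request, sent_to, reply, reply_from, secret):
    """Return (accepted, reason) as a strict NAS would for one reply datagram."""
    if reply_from != sent_to:  # reply must come from the address we sent to
        return False, f"source {reply_from[0]} is not server {sent_to[0]}"
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False, "bad length"
    if reply[1] != request[1]:
        return False, "identifier mismatch"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return False, "bad Response Authenticator"
    return True, "ok"


def demo():
    secret = b"constructed-secret"     # constructed shared secret
    vip = ("192.0.2.1", 1812)          # constructed: balanced address on the loopback
    eth = ("198.51.100.7", 1812)       # constructed: the node's Ethernet address
    req = build_request(42, "alice")
    reply = build_reply(req, secret)
    return {
        "from_vip": nas_check_reply(req, vip, reply, vip, secret),
        "from_eth": nas_check_reply(req, vip, reply, eth, secret),
        "wrong_secret": nas_check_reply(req, vip, build_reply(req, b"other"), vip, secret),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```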