Hi Martijn,

Many tks for your comments.

The problem is that we have a production network and we are using a RADIUS service with a huge DB (no chance to change it). Actually, this is an ISP service (server authenticating Internet users), so all users ask for authentication to the same Virtual IP (many servers behind with distributed DB).

One solution we had in mind was to change the source-port portion of every packet, so the Content Switch would correctly perform the SLB... As we did not find any feature to perform this job, we are thinking of changing boxes to Radware. =)

Best regards,
Rodrigo Kazuo Yamamoto

wrote in message news:[EMAIL PROTECTED]

No radius load-balancing here, just sysadmin handy. Maybe you should check Steel-Belted or something for scalability. My experience is that Radiusserver load is VERY low due to little amount of packets (small DB of course).

Loadbalancing VPN client scenario: Imagine 2 windows 2000 boxes (sorry) with ias installed and configured (MS Radius=works ok). Then based on for example 2 different VPN-groups (say in PIX) the PIX is configured to contact Radiusserver1 or for the other group Radiusserver2. So preferred for 50% of the users (different vpn-group) 1st server, other 50% second server.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#1070086

For pix: AAA server group tag (max 14 server groups) (max 14 servers per group, so fail-over)

For hardware boxes IOS 12.2 SAYS: You can put multiple hosts in a server group. Just do Radiusserver1 1st in servergroup in 50% of the routers, say westcoast, south of state, and 50% Radiusserver 2 1st in servergroup.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfrad.htm#1001000

If two different host entries on the same RADIUS server are configured for the same service - for example, accounting - the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order in which they are configured.)

Martijn

-----Original message-----
From: Rodrigo Kazuo Yamamoto [mailto:[EMAIL PROTECTED]
Sent: Tuesday 29 July 2003 5:17
To: [EMAIL PROTECTED]
Subject: RADIUS load-balancing [7:73138]

Hi list,

Does anyone have experience with CSS' server load-balancing, specifically RADIUS load-balancing?

We got the following situation: LAC is generating all user authentication packets using a unique source port / source address pair.

What happens: CSS treats all packets as a unique flow (as they seem to come from the same IP+port pair), so we got a problem with the server load-balancing...

This behavior does make sense in almost all IP transactions, but not with RADIUS (as there is no need for flow persistence) so we'd like to overcome this limitation, due to our specific situation...

Anyone has some idea to change this behavior on CSS boxes?

* By the way, any thoughts on Alteon or Radware boxes? We have heard we can change this behavior on an Alteon box (with some limitations) and that the Radware box has a specific feature called RADIUS load-balancing, that solves this problem... is that right?

Best regards.
Rodrigo Kazuo Yamamoto

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73163&t=73138
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
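
The behaviour discussed in this thread, as an added example that is not part of the original messages: every Access-Request from one LAC shares a source IP and port, so a flow hash pins them all to one server, while a key read from the RADIUS payload spreads them. The server names, the source address and the choice of User-Name as the balancing key are assumptions; this does not describe how the CSS, Alteon or Radware boxes are implemented.

```python
import struct
import hashlib
from collections import Counter

SERVERS = ["radius-a", "radius-b", "radius-c"]  # hypothetical servers behind the VIP
USER_NAME = 1  # RADIUS attribute type 1, User-Name (RFC 2865)

def build_access_request(identifier, user):
    """Constructed minimal Access-Request: 20-byte header plus a User-Name attribute."""
    name = user.encode()
    attr = struct.pack("!BB", USER_NAME, 2 + len(name)) + name
    header = struct.pack("!BBH", 1, identifier, 20 + len(attr))  # code 1 = Access-Request
    return header + bytes(16) + attr  # 16 zero bytes stand in for the authenticator

def parse_user_name(packet):
    """Return the User-Name from a RADIUS packet, or None if absent or malformed."""
    if len(packet) < 20:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return None
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # attribute length runs outside the packet
        if atype == USER_NAME:
            return packet[pos + 2:pos + alen].decode(errors="replace")
        pos += alen
    return None

def pick(key):
    """Map a key to one server with a stable hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return SERVERS[int.from_bytes(digest[:4], "big") % len(SERVERS)]

def by_flow(src_ip, src_port, packet):
    return pick(f"{src_ip}:{src_port}")  # what a plain flow-based SLB sees

def by_user(src_ip, src_port, packet):
    user = parse_user_name(packet)  # fall back to the flow key if parsing fails
    return pick(user if user is not None else f"{src_ip}:{src_port}")

def distribution(strategy, n=300, src=("192.0.2.10", 1645)):
    """Send n requests from one LAC (constructed source IP and port) through a strategy."""
    counts = Counter()
    for i in range(n):
        pkt = build_access_request(i % 256, f"user{i}@example.net")
        counts[strategy(src[0], src[1], pkt)] += 1
    return counts
```

Keying on User-Name also keeps a retransmitted request for the same user on the same server, which a per-packet round robin would not.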