We are using 6 RADIUS servers behind a SLB setup. We haven't run this during the semester, so this will be the first semester where all of the NAC appliances / RADIUS is LB. We are using our Enterasys S4 core to do this and a feature they call "Server Load Balancing" which is based on LSNAT. I believe we have stickiness turned on because that is required for our setup, although it is only sticky for that session. We LB based on concurrent connections to each server.
Currently, I have one of the servers out of the SLB group. But SLB does a good job so far. [image: Inline image 1] *--Jeremy L. Gibbs* Sr. Network Engineer Utica College IITS T: (315) 223-2383 F: (315) 792-3814 E: jlgi...@utica.edu http://www.utica.edu On Wed, Jul 6, 2016 at 11:33 AM, Curtis K. Larsen <curtis.k.lar...@utah.edu> wrote: > We have 10 back-end FreeRADIUS VM's (5 in each data center) and two > front-end FreeRADIUS Load > balancers (1 in each DC). We've used this config successfully for about 6 > years. FreeRADIUS > natively load balances quite well and we do it based on calling-station-id > so it is sticky and > balanced very evenly. In fact, we tried at one point to use Netscalers > and found that FreeRADIUS > handled the health-checking aspects a little better and provided better > visibility with graphs > using graphite/tessera , radsniff, etc. We normally do about 300 > requests/sec as well, but I've > seen it as high as 1,000 the first two weeks of school. > > We get commercial support from PacketFence/Inverse on this configuration. > > > Thanks, > > -- > Curtis K. Larsen > Senior Network Engineer > University of Utah IT/CIS > > > > On Wed, July 6, 2016 9:07 am, Joe Rogers wrote: > > > > We're running a cluster of 8 FreeRADIUS servers behind two pairs of > > Citrix Netscaler's in different data centers which inject two anycast-IP > > VIPs into our backbone routing tables. This has worked very well in our > > environment for many years. If a Netscaler fails or the member servers > > behind it fail, the route is simply withdrawn and traffic switches over > > to the other data center's Netscalers. We made sure to keep sessions > > 'sticky' to a given server as long as everything is operating normally. > > We use the NAS IP addr for persistence. It doesn't provide perfectly > > even load-balancing over the servers (some NAS' are busier than > > others). But, it worked well enough for us. The servers generally see > > around 300 requests/sec (auth and acct combined) during a normal > semester. > > > > *Joe Rogers* > > Associate Director, Network Engineering > > > > University of South Florida – Information Technology > > 4202 E. Fowler Avenue, SVC4010, Tampa, FL, 33620 > > j...@usf.edu | Tel: (813) 974-7369 > > www.usf.edu/it | Facebook: /USF Information Technology | Twitter: @ > USF_IT > > > > On 07/06/2016 09:16 AM, Dennis Xu wrote: > >> Hello, > >> Has anyone had success stories about deploying RADIUS servers behind > >> load balancers to support large number of concurrent 802.1X users? We > >> just deployed 5 FreeRADIUS servers behind Cisco ACE and observed > >> packets drop issues at ACE. By far, I suspect the issue was caused by > >> the RADIUS stickiness(by calling-station-ID). Has anyone deployed > >> RADIUS load balancing without using stickiness? > >> > >> Thanks. > >> > >> > >> Dennis Xu, MASc, CCIE #13056 > >> Analyst 3, Network Infrastructure > >> Computing and Communications Services(CCS) > >> University of Guelph > >> > >> 519-824-4120 Ext 56217 > >> d...@uoguelph.ca > >> www.uoguelph.ca/ccs > >> > >> ********** Participation and subscription information for this > >> EDUCAUSE Constituent Group discussion list can be found at > >> http://www.educause.edu/groups/. > >> > > > > > > ********** > > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can > > be found at http://www.educause.edu/groups/. > > > > > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
