Hi,

Kalik's advice is very good - just to add some words:
Certainly such a failover is achieved on the client side. NASes have options to do that. On Cisco VoIP routers, e.g., you can do it with the RADIUS groups. You can have broadcast groups to achieve redundancy - send the requests to multiple RADIUS servers and normal failover groups. There are examples in the FreeRADIUS docs but check the NAS's manuals too. You can usually also configure parameters like timeouts, retransmits etc.

On 17.04.2009, at 22:44, "Ivan Kalik" <[email protected]> wrote:

Anyway, I've been wondering how many servers are required to have a proper
(i.e. no single point of failure) on the freeradius side of things.

Two. One active and other as "hot" standby.

I know that I can have one freeradius server proxying requests to any
number of authorization and/or accounting servers - great.

But you want to avoid single point of failure - so that is out.

But, what if I don't want to proxy and only want two freeradius servers
that do auth, and two separate servers for accounting?

No need for extra accounting servers. Each server can do both authentication
and handle accounting failover.

I can conceptualize a cluster or even simple fail over using heartbeat for
the database bit.

No need.

What I don't understand is how the failover and load balancing is done on
the freeradius level (i.e. for auth) and still enter a single IP for
freeradius on the NAS.

It's not done that way. Your NAS should have primary and backup radius
servers defined. Almost any NAS should be able to handle that. It will send
requests to primary server until it stops responding; then it will switch to
secondary. This is all handled on NAS side - no freeradius involvement (it is
hard for a dead server to get involved). You can use single IP on the NAS
and configure a cluster/heartbeat/etc. but it is a bit over the top.

Am I supposed to configure a virtual server on the first freeradius server,
copy the config to the second machine,

Yes. Two identical configurations using buffered-sql or
robust-proxy-accounting to send accounting to the database (or its backups)
on top of default stuff. Even if you use load balancing (EAP can't work that
way - all EAP exchanges need to go to the same server) you don't need to
proxy accounting from one server to the other - both will read/write to the
same database(s).

Ivan Kalik
Kalik Informatika ISP


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
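
The NAS-side failover described in the thread (send to the primary until it stops responding, then switch to the backup, with configurable timeouts and retransmits), as an added example that is not part of the original messages and is not any vendor's implementation. The class and parameter names, the dead-time setting, the 192.0.2.x addresses and the stand-in transport are assumptions made for illustration.

```python
"""Simplified, vendor-neutral model of NAS-side RADIUS failover (added example)."""
from dataclasses import dataclass, field


@dataclass
class FailoverGroup:
    servers: list            # ordered: primary first, then backups
    timeout: float = 3.0     # seconds to wait for each reply
    retransmits: int = 2     # extra tries per server after the first
    deadtime: float = 300.0  # assumed setting: seconds a silent server is skipped
    dead_until: dict = field(default_factory=dict)

    def candidates(self, now):
        live = [s for s in self.servers if self.dead_until.get(s, 0) <= now]
        # If every server is marked dead, retry all of them instead of giving up.
        return live or list(self.servers)

    def send(self, request, transport, now=0.0):
        """Return (server, reply, seconds_waited); reply is None if nobody answered."""
        waited = 0.0
        for server in self.candidates(now):
            for _ in range(1 + self.retransmits):
                reply = transport(server, request, self.timeout)
                if reply is not None:
                    self.dead_until.pop(server, None)  # server is healthy again
                    return server, reply, waited
                waited += self.timeout                 # one timeout elapsed
            # All tries exhausted: skip this server until the dead time expires.
            self.dead_until[server] = now + waited + self.deadtime
        return None, None, waited

    def worst_case_wait(self):
        """Longest a user waits before the NAS gives up on every server."""
        return len(self.servers) * (1 + self.retransmits) * self.timeout


def make_transport(down):
    """Constructed stand-in for the UDP exchange: servers in `down` never reply."""
    def transport(server, request, timeout):
        return None if server in down else f"Access-Accept from {server}"
    return transport
```

The model shows why the timeout and retransmit values matter: the first request after the primary dies waits `timeout * (1 + retransmits)` seconds before the backup is tried, and later requests go straight to the backup until the dead time expires.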