Alan DeKok <[email protected]> wrote:
>
>> I want to implement a RADIUS load-balancing and failover scenario using
>> FreeRadius and Cisco ACS. The idea I have in mind is to have these two
>> servers answering to RADIUS requests in a round-robin fashion and should
>> one of them for some reason go down, the other one would take care of
>> answering to the RADIUS requests.
>
> You will need a load balancer in front of the two servers.
>

Round robin can be problematic as EAP sessions cannot be round-robined without some due care and attention spent in the load-balancer. The load-balancer also ironically provides a single point of failure :)

>> Have any of you implemented such a scenario, using FreeRadius together
>> with another RADIUS server from a different vendor? If so, what are the
>> main problems you found doing this (incompatibility, high-maintenance
>> costs, effort, etc)?
>>
>> I'd be very glad to hear from you as to why such a scenario
>> make/doesn't make sense.
>
> I don't see why you would put two different servers into one
> load-balance pool. And even worse, pairing a horrible server with a
> great one!
>

Probably because you have to edit the FreeRADIUS source code and recompile it to say 'Cisco' on it to appease manglement :)

Resilience we provision onsite here by anycast'ing our two FreeRADIUS boxes (http://www.open-rd.org/ [1]):

http://www.digriz.org.uk/ha-ospf-anycast

Cheers

[1] ARM based box running Debian[2], for $150 that uses 7W of power, suitable for our needs, a university with 4000 students and 600 staff (mac-auth for all the workstations, LDAP backed and 802.1X for the students)
[2] http://www.digriz.org.uk/kirkwood

-- 
Alexander Clouter
.sigmonster says: Stamp out organized crime!! Abolish the IRS.
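
The round-robin caveat for EAP raised in the message above, as an added example that is not part of the original post: a toy simulation comparing per-packet round robin with a balancer that hashes on Calling-Station-Id. The server names and MAC addresses are constructed, and the per-station round counter is a simplified stand-in for the conversation state a real server ties to the RADIUS State attribute.

```python
import hashlib
from itertools import count

SERVERS = ["radius-a", "radius-b"]              # hypothetical back-end names
STATIONS = ["00-11-22-33-44-01", "00-11-22-33-44-02",
            "00-11-22-33-44-03"]                # constructed Calling-Station-Ids

class Backend:
    """Toy RADIUS server that keeps EAP conversation state in local memory."""
    def __init__(self):
        self.next_round = {}                    # Calling-Station-Id -> expected round

    def handle(self, station, round_no, rounds):
        if self.next_round.get(station, 0) != round_no:
            return "reject"                     # mid-conversation packet, no state here
        self.next_round[station] = round_no + 1
        return "accept" if round_no == rounds - 1 else "challenge"

def round_robin():
    """Per-packet round robin, ignoring which conversation a packet belongs to."""
    counter = count()
    return lambda station, alive: alive[next(counter) % len(alive)]

def sticky(station, alive):
    """Hash the Calling-Station-Id so one supplicant always lands on one server."""
    digest = hashlib.sha256(station.encode()).digest()
    return alive[int.from_bytes(digest[:4], "big") % len(alive)]

def run(pick, stations=STATIONS, rounds=4):
    """Drive every station through a multi-round EAP exchange; return final results."""
    backends = {name: Backend() for name in SERVERS}
    outcome = {}
    for round_no in range(rounds):              # clients interleave on the wire
        for station in stations:
            if outcome.get(station) == "reject":
                continue                        # conversation already failed
            server = pick(station, SERVERS)
            outcome[station] = backends[server].handle(station, round_no, rounds)
    return outcome

if __name__ == "__main__":
    print("round robin:", run(round_robin()))
    print("sticky hash:", run(sticky))
```

With three interleaved supplicants, round robin sends the second packet of every conversation to the server that never saw the first, so all three fail; the hashed balancer completes all three.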

