> We are designing a solution utilizing PacketFence for an environment
> consisting of around ~5000 devices, wired and wireless, utilizing
> 802.1x, guest self-registration, and gaming device registration.
> PacketFence will run as a VM.
>
> I have experimented with the Linux HA configuration recommendation in
> the Administrator's guide, and at this point, I would prefer to find a
> different solution for load balancing and failover. I am hoping some
> of you might be able to answer a few questions...

So you want active/active?

>
> 1) Has anyone put PacketFence behind a Cisco IP SLB? Specifically,
> would there be any issues configuring a virtual IP for both the
> FreeRadius aspect, and the captive portal part on the registration
> VLAN? It seems like it should work fine to me, but I could be missing
> something...

If you plan to do active/active by load balancing the web traffic, you
have to be careful about a couple of items. For example, the
dhcplisteners will make a mess in the database if you have more than one
process running.

Some customers are using active/active, but they did some magic to split
the services in multiple tiers. For example, they created a VIP for the
FR tier (authentication), another one for the portal, but they kept
active/passive for the other services and the database. So you may end
up with 6+ machines running PF services.

>
> 2) Are there any sizing/scaling guidelines for PacketFence? I haven't
> been able to find any other than the minimums in the administrator's
> guide.

5000 users is fairly small... really. Even with 802.1X, FR is doing a
fantastic job dealing with that. For the FR boxes, 2vCPU and 4GB RAM is
plenty. I would simply double the minimums for the rest. The biggest RAM
and CPU consumers are the DB and the Portal, and also pfsetvlan.

>
> 3) Are there any quirks or bugs I should be aware of when scaling up
> to that number of devices?

Not really. You may want to optimize the database side a little bit
though.

>
> 4) Does anyone have any suggestions on a way to implement a "let
> everyone authorize" failover option? In our particular environment, if
> PacketFence were to go down for some reason, my preference would be
> that everyone automatically get put on the access vlan configured on
> the switch. I was thinking of a separate FreeRadius server configured
> to just authorize everyone set as a secondary or tertiary aaa server
> in the various switches.

Some switch vendors allow the network administrator to configure that. I
know Cisco and HP switches allow it. You can decide, if for example the
FR server is declared dead, to authorize the phones and authorize the
users but on a temporary guest vlan. Combined with periodic
reauthentication, you won't have to do anything once the AAA server is
alive: the port will reauth after the period (e.g. 30min), and the user
will be put on the right vlan.

Off the top of my head, for Cisco:

    authentication event server dead action authorize voice
    authentication event server dead action authorize vlan id_of_guest_vlan

Francois

>
> I intend to have a separate DB server, possibly with MySQL clustering,
> to handle that aspect.
>
> Any advice would be greatly appreciated!
>
> Regards,
> --
> Fletcher Haynes <[email protected]>
> Systems Administrator/Network Services Consultant

--
Francois Gaudreault
Architecte de Solution Cloud | Cloud Solutions Architect
[email protected]
514-629-6775
- - -
CloudOps
420 rue Guy
Montréal QC H3J 1S6
www.cloudops.com
@CloudOps_

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
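
An added example, not part of the original thread or of PacketFence: a small audit of switch configuration text that checks each 802.1X port for the combination the reply describes, a server-dead action into the guest VLAN together with periodic reauthentication. The sample config, VLAN 90, the interface names and the function names are constructed for illustration; `authentication port-control auto` and `authentication periodic` are Cisco IOS commands the thread refers to but does not quote.

```python
import re
# Constructed sample (not from the thread); VLAN 90 stands in for id_of_guest_vlan.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication event server dead action authorize voice
 authentication event server dead action authorize vlan 90
 authentication port-control auto
 authentication periodic
!
interface GigabitEthernet1/0/2
 authentication event server dead action authorize vlan 90
 authentication port-control auto
!
interface GigabitEthernet1/0/3
 authentication port-control auto
!
interface GigabitEthernet1/0/48
 switchport mode trunk
"""
DEAD_VLAN = re.compile(r"^authentication event server dead action authorize vlan (\d+)$")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces

def audit(config, guest_vlan):
    """Return {interface: [findings]} for ports that enforce 802.1X."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port does not enforce 802.1X (e.g. a trunk), out of scope
        findings = []
        vlans = [m.group(1) for c in cmds if (m := DEAD_VLAN.match(c))]
        if not vlans:
            findings.append("no server-dead action configured")
        elif vlans[0] != str(guest_vlan):
            findings.append(f"server-dead VLAN {vlans[0]} is not guest VLAN {guest_vlan}")
        if vlans and "authentication periodic" not in cmds:
            findings.append("server-dead action set but periodic reauthentication is off")
        report[name] = findings
    return report
```

Running `audit(SAMPLE_CONFIG, 90)` flags the second port, which would stay on the fallback VLAN after the RADIUS server returns, and the third, which has no fallback at all.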
