Hi Jason,
I was having issues with the failover working 100% of the time. Several
times, they seemed to get into a state where one node would take over, and
the other would then immediately try to grab control, and they would go
back and forth. In another test, where I took one node down, the log was
spammed with messages about it attempting to take over, but that it narrowly
avoided a reboot.
I'm sure these could all be addressed, and it could be made to work, but Heartbeat
and DRBD are two things we have never deployed in our environment. There
are two of us that could troubleshoot PF in case of an outage, and neither
of us wants to try to remember how Heartbeat is configured, or try to
troubleshoot a technology we have deployed only in one location and that we
haven't touched for potentially months.
Thank you for the guidelines on sizing. I think we'll be fine as well.
Our intention for PacketFence is to provide a captive portal for guest
users, and 802.1x for students/staff/faculty on our wireless (we are a
residential university) with accounting. There is no sensitive data
accessible from our wifi network, and we are not concerned about a DOS
against PF granting access. The goal is if PacketFence goes down for some
reason, we want everyone to be able to associate to whatever SSID until we
resolve the issue.
Thank you, Francois, for the Cisco commands. It would work great for wired,
but I can't seem to find equivalent functionality for our WLCs. I suppose a
custom script to reconfigure the SSIDs in the event PF stops responding
could accomplish the same effect.
Thank you both!
On Wed, Jun 26, 2013 at 7:41 AM, Jason Frisvold <[email protected]> wrote:
> Fletcher Haynes wrote:
> > Hello,
> >
> > I have experimented with the Linux HA configuration recommendation in
> > the Administrator's guide, and at this point, I would prefer to find a
> > different solution for load balancing and failover. I am hoping some of
> > you might be able to answer a few questions...
>
> Why not use the HA configuration they recommend? I have it up and
> running here and it seems to work well in the testing I've done thus far.
>
> > 1) Has anyone put PacketFence behind a Cisco IP SLB? Specifically, would
> > there be any issues configuring a virtual IP for both the FreeRadius
> > aspect, and the captive portal part on the registration VLAN? It seems
> > like it should work fine to me, but I could be missing something...
>
> I'm not sure how this works with packetfence, but with a pure freeradius
> environment, this causes issues with accounting since you can't
> guarantee that accounting packets will get to the same server every time.
>
> > 2) Are there any sizing/scaling guidelines for PacketFence? I haven't
> > been able to find any other than the minimums in the administrator's
> > guide.
>
> I asked the same thing. A single CPU with 8G ram seems to be sufficient
> for 10k+ clients according to the rep I talked to.
>
> > 4) Does anyone have any suggestions on a way to implement a "let
> > everyone authorize" failover option? In our particular environment, if
> > PacketFence were to go down for some reason, my preference would be that
> > everyone automatically get put on the access vlan configured on the
> > switch. I was thinking of a separate FreeRadius server configured to
> > just authorize everyone set as a secondary or tertiary aaa server in the
> > various switches.
>
> What's your intention with PF? If you default to "let everyone
> authorize" in the event of a failure, it becomes a fairly simple task to
> gain network access by DoSing your PF server.
>
> That said, I *think* I saw some config options on a Cisco switch to
> configure this.
>
> > Regards,
> > --
> > Fletcher Haynes <[email protected] <mailto:[email protected]>>
>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
--
Fletcher Haynes <[email protected]>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
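
An added example, not part of the original thread: a sketch of the health check such a custom script could be built on. It probes the RADIUS service with an RFC 5997 Status-Server request, accepts only replies that verify against the shared secret, and changes state only after several consecutive contrary results, so a single lost packet does not open the network or flip it back and forth. Assumptions: Status-Server is enabled on the FreeRADIUS side, the thresholds are illustrative, and the SSID reconfiguration performed on a state change is left to the caller.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER, MESSAGE_AUTHENTICATOR = 12, 80  # RFC 5997 code, RFC 2869 attribute

def build_status_server(secret, ident, authenticator=None):
    """Status-Server probe carrying the Message-Authenticator it requires."""
    authenticator = authenticator or os.urandom(16)
    header = struct.pack("!BBH", STATUS_SERVER, ident, 38) + authenticator
    attr = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18)
    # HMAC-MD5 over the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attr + bytes(16), hashlib.md5).digest()
    return header + attr + mac

def reply_is_authentic(reply, request, secret):
    """Response Authenticator = MD5(code, id, length, request auth, attrs, secret)."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    digest = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret)
    return hmac.compare_digest(digest.digest(), reply[4:20])

def probe(host, secret, port=1812, timeout=2.0):
    """One probe; a timeout, ICMP error or unauthenticated reply counts as down."""
    request = build_status_server(secret, os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            return reply_is_authentic(sock.recv(4096), request, secret)
        except OSError:
            return False

class FailOpenWatchdog:
    """Change state only after a run of consecutive contrary probe results."""
    def __init__(self, fail_after=3, restore_after=5):
        self.limits = {"enforcing": fail_after, "fail-open": restore_after}
        self.state, self.streak = "enforcing", 0

    def observe(self, probe_ok):
        # In "enforcing" count failures; in "fail-open" count successes.
        contrary = probe_ok == (self.state == "fail-open")
        self.streak = self.streak + 1 if contrary else 0
        if self.streak >= self.limits[self.state]:
            self.state = "fail-open" if self.state == "enforcing" else "enforcing"
            self.streak = 0
        return self.state
```

A caller would run `probe()` on a timer, feed each result to `observe()`, and act only when the returned state differs from the previous one.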