On Jun 10, 2015, at 11:08 , Tracy Adams <[email protected]> wrote:
> Hi Louis,
>
> Thank you for your reply.
>
> Since writing this email I have found out more information and now I have
> more questions :-)
>
> Now I know that our wireless controllers can have up to 17 RADIUS server
> entries, so we have decided that we will be doing the load balancing by
> staggering the order of the pf servers in the controllers.

That works, but… It will not be as flexible as what you would get from configuring a FreeRADIUS load balancing proxy, which is what we do in PF. You could run that proxy in LVS if you wanted to.

Relying on the controllers to do load balancing is a leap of faith. Controllers may not actually really load balance, and they may not fail back if you need to temporarily shut down one server. Just some things to keep in mind.

> All the pf servers will be VMWare guests, so we can scale the CPU and
> memory as required. I will start with double the minimum specs.

Good. VMWare does buy you flexibility, which is very useful when you have a large installation.

> We are authenticating against AD. I don't have any control of the AD
> infrastructure, but I was told it will be able to handle any load that pf
> will place on it. The group that is responsible for it will make it so.

They always say that. You'll see… I'm kidding, but there are limitations to the NTLM protocol that mean that it does not scale as well as LDAP or Kerberos, which is what they are probably used to. Unfortunately, authenticating using PEAP does not work on AD using LDAP.

> We are using 802.1x for authentication. Based on what I have observed in
> my lab, the clients keep authenticating all the time. I'm assuming that the
> load is going to be constant and proportional to the number of client
> devices. Currently anticipating 50K. So as the load increases I would be
> spinning up more guests.

The clients should only authenticate when they connect or when the "reauth time" is up. Make sure to set that to some reasonable value so that they are not authenticating every 5 minutes or so.

> Now I'm coming to my main question. Should I have a db running on each pf
> instance, or should I have one db server? The main advantage of having a db
> on each pf is avoiding a single point of failure. If I have one db server,
> then the redundancy would be provided by VMware HA of this db server. This
> is what my manager is leaning to. What am I giving up by having a
> distributed db over a centralized db (keeping in mind that all the pf is
> doing is authenticating 802.1x sessions)?

I would have a separate DB cluster of two servers if you don't already have one.

If you have a DB on each server, you have to figure out the clustering, or they are to be separate installs with their own configuration (which opens a can of worms: if you register on one server, you won't be registered on another).

I like simple database setups. Two servers for redundancy. Use either MySQL clustering if you are familiar with it, or just replicate the storage over DRBD. That works very well for some of our larger clients that have requirements comparable to yours.

> Hope I'm not asking stupid questions,

Not at all. These are interesting questions to which the answer is (as to any interesting question): it depends.

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
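As an added illustration of the FreeRADIUS load balancing proxy Louis refers to (this is example configuration written for this thread, not PacketFence's own configuration), a proxy.conf fragment that fronts two pf RADIUS servers and uses Status-Server probes so a server taken down for maintenance is marked dead and automatically revived when it comes back. Server names, addresses and the shared secret are assumed placeholders.

```conf
# Added example (not from PacketFence): FreeRADIUS proxy.conf fragment
# for a proxy that the wireless controllers point at instead of a
# staggered list of pf servers. Addresses and secret are placeholders.

home_server pf1 {
    type    = auth
    ipaddr  = 192.0.2.11                 # assumed address of first pf server
    port    = 1812
    secret  = CHANGE_ME_SHARED_SECRET
    status_check = status-server         # probe with Status-Server, not real auths
    check_interval = 30                  # probe every 30 s while marked dead
    num_answers_to_alive = 3             # 3 replies in a row -> alive again (fail-back)
    response_window = 20                 # no reply within 20 s counts as a miss
    zombie_period   = 40                 # 40 s unresponsive -> stop sending to it
    revive_interval = 120                # only used if status_check = none
}

home_server pf2 {
    type    = auth
    ipaddr  = 192.0.2.12                 # assumed address of second pf server
    port    = 1812
    secret  = CHANGE_ME_SHARED_SECRET
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
    response_window = 20
    zombie_period   = 40
    revive_interval = 120
}

# client-balance hashes on the NAS (controller) source address, so every
# packet of one EAP conversation from a given controller reaches the same
# pf server; with many controllers the load still spreads. A dead or
# zombie server is skipped. "load-balance" spreads per request instead;
# check your version's proxy.conf notes on EAP before choosing it.
home_server_pool pf_pool {
    type = client-balance
    home_server = pf1
    home_server = pf2
}

# Proxy all authentication requests to the pool, leaving the User-Name
# untouched so the pf servers see exactly what the supplicant sent.
realm DEFAULT {
    auth_pool = pf_pool
    nostrip
}
```

The controllers must also be listed in the proxy's clients.conf, and the proxy itself must be a RADIUS client of each pf server with the same shared secret.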
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
