Hello,

First I'll say I'm just in the initial phase of spinning up a test instance of PacketFence, so please excuse my ignorance.
From the docs it seems like the more common deployment scenarios are on-prem, but I'd like to know how the following system design would work.

We have multiple office sites, but the vast majority of our hosts are in EC2. Currently we're using MS NPS for RADIUS auth, but it doesn't cluster so we have to manually export/import configs, it doesn't have a web UI, and I can't natively send accounting info as syslog to Palo Alto for User-ID. Also, we're more of a Linux shop and have a full config-management and deployment system for Linux hosts.

My initial design idea was to:
- launch 2 instances in our EC2/VPC region, each in a different AZ
- use a highly available RDS DB backend
- the instances might be behind an AWS load balancer (not sure on this due to Juniper switches not accepting an FQDN in radius-server statements)
- the instances would all be assigned IP addresses via DHCP due to the EC2 environment

Topology: On-prem network devices -> (maybe/optionally) EC2 load balancer -> PacketFence instances -> RDS DB backend.

There is documentation on a layer 3 HA implementation, but the documentation is very focused on local DBs rather than just the application, so it's difficult to understand the implications of split-brain if we're using an external DB. Because these are EC2 instances, there are a few things made a bit more difficult, such as not getting the host IP address until the instance is already provisioned, but we should be able to handle this in config management. Also, there is no virtual IP capability.

I'm wondering, does my deployment design result in:
- active-active PacketFence instances, i.e. can they actively share the same external DB?
- the ability to launch PacketFence instances at will (configuration management would handle config files) / replace PacketFence instances on the fly without concern of DB corruption or service interruption
- the ability to use any of the instances' web UI for configuration changes

Also, this issue https://github.com/inverse-inc/packetfence/issues/6396 perhaps points out that there are some shortcomings and potentially a lack of support in external DB deployments. We would want some level of commercial support for this system, so perhaps we're out of luck until this issue is addressed?

Thanks for reading,
Steve
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
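One practical gap in the design above is how a switch, a load balancer target group, or the config-management system decides that a given PacketFence node is actually answering RADIUS before it is handed traffic, given that the nodes have DHCP-assigned addresses and there is no VIP. The script below is an added example written for this post; it is not PacketFence or Inverse code and makes no claim about PacketFence internals. It implements a standard RADIUS Status-Server probe (RFC 5997) end to end: the client builds the request with its mandatory Message-Authenticator, an in-process server validates it and answers Access-Accept, and the client checks the Response Authenticator and the reply's Message-Authenticator. `probe_udp` sends the same request to a real node by IP (the form a Juniper `radius-server` statement wants anyway); `loopback_probe`, the shared secrets, and the identifier values are constructed here for the offline run. It assumes each node is a standard RADIUS server configured to answer Status-Server for the probing client.

```python
"""RADIUS Status-Server (RFC 5997) liveness probe for a pool of RADIUS nodes.

Added example for the design question above; not PacketFence code. Assumes each
node speaks standard RADIUS and answers Status-Server for an authorised client.
"""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
MESSAGE_AUTHENTICATOR = 80          # RFC 2869 attribute, mandatory in Status-Server
HEADER = struct.Struct("!BBH")      # code, identifier, length; 16-byte authenticator follows


def _attrs(pkt: bytes):
    """Yield (type, value) for each attribute after the 20-byte header; reject bad lengths."""
    off = 20
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute")
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > len(pkt):
            raise ValueError("malformed attribute")
        yield t, pkt[off + 2:off + l]
        off += l


def _zero_ma(pkt: bytes) -> bytes:
    """Return pkt with the Message-Authenticator value replaced by 16 zero bytes."""
    off = 20
    while off + 2 <= len(pkt):
        t, l = pkt[off], pkt[off + 1]
        if l < 2:
            raise ValueError("malformed attribute")
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            return pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
        off += l
    raise ValueError("no Message-Authenticator")


def _message_auth(secret: bytes, pkt: bytes, authenticator: bytes) -> bytes:
    """HMAC-MD5 over the packet with the given authenticator field and the MA value zeroed."""
    body = pkt[:4] + authenticator + _zero_ma(pkt)[20:]
    return hmac.new(secret, body, hashlib.md5).digest()


def build_status_server(secret: bytes, ident: int, request_auth: Optional[bytes] = None) -> bytes:
    """Client side: Status-Server request carrying a valid Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = HEADER.pack(STATUS_SERVER, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:22] + _message_auth(secret, pkt, request_auth)


def handle_status_server(secret: bytes, req: bytes) -> Optional[bytes]:
    """Server side: validate the probe and answer Access-Accept, or None if it is bogus."""
    if len(req) < 20:
        return None
    code, ident, length = HEADER.unpack_from(req)
    if code != STATUS_SERVER or length != len(req):
        return None
    request_auth = req[4:20]
    try:
        ma = dict(_attrs(req)).get(MESSAGE_AUTHENTICATOR)
        if ma is None or not hmac.compare_digest(ma, _message_auth(secret, req, request_auth)):
            return None
    except ValueError:
        return None
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    resp = HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(attrs)) + request_auth + attrs
    # A reply's Message-Authenticator is keyed over the *request* authenticator (RFC 2869 5.14).
    resp = resp[:22] + _message_auth(secret, resp, request_auth)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3).
    resp_auth = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return resp[:4] + resp_auth + resp[20:]


def verify_response(secret: bytes, req: bytes, resp: bytes) -> bool:
    """Client side: accept only a reply bound to our request by both authenticators."""
    if len(resp) < 20:
        return False
    code, ident, length = HEADER.unpack_from(resp)
    if code != ACCESS_ACCEPT or ident != req[1] or length != len(resp):
        return False
    request_auth = req[4:20]
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(resp[4:20], expected):
        return False
    try:
        ma = dict(_attrs(resp)).get(MESSAGE_AUTHENTICATOR)
    except ValueError:
        return False
    return ma is not None and hmac.compare_digest(ma, _message_auth(secret, resp, request_auth))


def probe_udp(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0) -> bool:
    """Probe one node by IP address; True only on a cryptographically valid Access-Accept."""
    req = build_status_server(secret, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(secret, req, resp)


def loopback_probe(secret: bytes, server_secret: Optional[bytes] = None) -> bool:
    """Offline exchange (constructed for this example): client -> in-process server -> client."""
    req = build_status_server(secret, ident=7)
    resp = handle_status_server(server_secret or secret, req)
    return resp is not None and verify_response(secret, req, resp)


if __name__ == "__main__":
    print("shared secret ok :", loopback_probe(b"s3cret"))            # True
    print("secret mismatch  :", loopback_probe(b"s3cret", b"wrong"))  # False
```

Run `probe_udp(ip, secret)` against each node's address from the config-management host, or wrap it as the health check that decides whether a node goes into the switches' radius-server list. A plain UDP echo or TCP check would not catch a node whose shared secret is wrong or whose RADIUS daemon is wedged; the Status-Server exchange does, because a reply only verifies when the node holds the same secret and answered this specific request.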