Re: [WIRELESS-LAN] Radius Load-balancing and Aruba
On 15 May 2012, at 20:05, Michael Hulko wrote:

> We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication. The foundation is:
>
> Citrix Netscalars 9000s
> Aruba M3 controllers
> Radiator radius server (currently 3) on a Windows platform.
>
> We have been unable to successfully get authentication to work. We are getting Aruba involved, but they do not seem to have an answer yet.
>
> Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.

Um quick check. All the RADIUS packets for an EAP session are going to the same RADIUS server right? AFAIK Radiator doesn't do EAP session state synchronisation, so you have to ensure the entire EAP exchange goes to a single backend server.

-Arran

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
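Added example (not part of the original thread or of any product discussed in it): a small simulation of the point made in the reply above, that every packet of an EAP conversation has to reach the same backend when the servers do not share EAP state. The backend names, the round count and the station MACs are constructed, and keying the hash on Calling-Station-Id is an assumption chosen for illustration.

```python
import hashlib
from itertools import cycle

BACKENDS = ["radius-a", "radius-b", "radius-c"]  # hypothetical server names
EAP_ROUNDS = 6  # constructed: Access-Request round trips in one EAP exchange
STATIONS = [f"00-11-22-33-44-{i:02X}" for i in range(20)]  # constructed MACs


class Backend:
    """RADIUS server that keeps EAP state locally and shares it with no one."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # Calling-Station-Id -> next expected round

    def handle(self, station, rnd):
        # Round 0 (the identity response) starts a new conversation.
        if rnd == 0:
            self.sessions[station] = 1
            return True
        # Later rounds only succeed on the server that saw the earlier ones.
        if self.sessions.get(station) != rnd:
            return False
        self.sessions[station] = rnd + 1
        return True


def round_robin():
    """Per-packet distribution with no session affinity."""
    ring = cycle(BACKENDS)
    return lambda station: next(ring)


def hash_on_station():
    """Sticky distribution: the same station always maps to the same backend."""
    def pick(station):
        digest = hashlib.sha256(station.encode()).digest()
        return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]
    return pick


def run(pick, stations):
    """Interleave all stations' EAP rounds; return how many exchanges complete."""
    farm = {name: Backend(name) for name in BACKENDS}
    alive = set(stations)
    for rnd in range(EAP_ROUNDS):
        for station in stations:
            if station in alive and not farm[pick(station)].handle(station, rnd):
                alive.discard(station)  # backend had no state for this exchange
    return len(alive)


if __name__ == "__main__":
    print("round robin completes:", run(round_robin(), STATIONS))
    print("hash on Calling-Station-Id completes:", run(hash_on_station(), STATIONS))
```

With per-packet round robin the second packet of each exchange lands on a server that never saw the first, so no authentication completes; with the sticky hash every exchange stays on one server.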
RE: [WIRELESS-LAN] Radius Load-balancing and Aruba
We use FreeRadius and we manually load balance. We try to keep things simple with good naming schemes since, at this point, we have 7 Aruba M3 production controllers with 4 backups supporting over 3000 APs. We have 8 RADIUS server groups (4 physically different RADIUS servers with 2 instances of FreeRadius running on each of them). What we decided to do was run each main controller to have a different primary RADIUS server. We use EAP-TTLS(PAP) - it's single threaded to a backend Kerberos system, so we needed the extra servers to handle the load (we were peaking over 17K clients on the system at a time this past spring, and who knows what fall will bring). It was easier for us to do this manually - one less thing to worry about failing and we run reports from our RADIUS servers to make sure we are ok. We were also running scripts on our controllers to make sure we didn't get server timeouts as well.

Hope this helps - good luck!

Colleen Szymanik
University of Pennsylvania

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Tuesday, May 15, 2012 2:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radius Load-balancing and Aruba

We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication. The foundation is:

Citrix Netscalars 9000s
Aruba M3 controllers
Radiator radius server (currently 3) on a Windows platform.

We have been unable to successfully get authentication to work. We are getting Aruba involved, but they do not seem to have an answer yet.

Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.

Thanks

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
Re: [WIRELESS-LAN] Radius Load-balancing and Aruba
Michael,

Have you inquired about the built-in load balancing features of RADIATOR? You might not need an extra load balancer...

Specifically one of these clauses: AuthBy ROUNDROBIN, AuthBy VOLUMEBALANCE, AuthBy LOADBALANCE, AuthBy HASHBALANCE, AuthBy EAPBALANCE.

Philippe

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org
Re: [WIRELESS-LAN] Radius Load-balancing and Aruba
Philippe... Thanks for the response... Yes.. we are considering all options including the Radiator load-balancing features and suggestions from other listserv members to achieve our goal. Running an external load-balance service was just one of the options we were exploring to solve our authentication challenges/opportunities.

respectfully,
Michael Hulko
Re: [WIRELESS-LAN] Radius Load-balancing and Aruba
Colleen... Thanks for your response.. We have included your suggestion as part of a solution matrix to investigate.

respectfully,
Michael
Re: [WIRELESS-LAN] Radius Load-balancing and Aruba
We use the same certificate on all. Much easier!

On May 16, 2012, at 3:03 PM, Michael Hulko <mihu...@uwo.ca> wrote:

> So to continue the thought... How are you managing the server certificates? Does FreeRadius require a certificate per server instance or can you use a single server certificate for all instances? I can see where having the number of servers providing authentication could give users a challenge where they roam between controllers and have to accept another certificate until they have accepted them all.. your thoughts...
>
> Thanks again.
>
> MH