Re: load balancing radius with F5 devices
Many thanks for this Olivier, much appreciated.

Rgds
A

On 9 Oct 2013, at 11:07, Olivier Beytrison wrote:

> On 09.10.2013 11:25, Olivier Beytrison wrote:
>> On 09.10.2013 10:41, Alex Sharaz wrote:
>>> I was wondering if there's a way of having a bit more granularity in terms
>>> of how the f5 load balances incoming RADIUS requests.
>
> Another nice thing to do is persistence based on RADIUS AVP:
> https://devcentral.f5.com/questions/radius-load-bnalancing-persistence
>
> So you can load balance incoming requests based on any standard AVP
> (User-Name, NAS-IP-Address, Calling-Station-Id).
>
> Olivier
> --
> Olivier Beytrison
> Network & Security Engineer, HES-SO Fribourg
> Mail: oliv...@heliosnet.org

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: load balancing radius with F5 devices
Hi,

Just to give some info, if it can help (this mailing list has helped me a lot!). I have F5 BigIP devices in two DCs. They each have a VirtualServer with a shared IP (not activated on the VLANs used to communicate between the 2 DCs, to avoid IP conflicts; a much simpler config for the NAS: only one IP address for the server). Everything works fine with the following config:

The Virtual Server (IP A.B.C.D is its public one for the external DC ...):

ltm virtual /Common/VS-RADIUS-AUTH {
    destination /Common/A.B.C.D:1812
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/POOL-RADIUS-AUTH
    profiles {
        /Common/radiusLB { }
        /Common/udp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        [...]
    }
    vlans-enabled
}

The pool used:

ltm pool /Common/POOL-RADIUS-AUTH {
    members {
        /Common/10.10.6.7:1812 {
            address 10.10.6.7
        }
        /Common/10.20.6.3:1812 {
            address 10.20.6.3
        }
    }
    monitor /Common/Radius-Auth
}

The monitor:

ltm monitor radius /Common/Radius-Auth {
    debug no
    defaults-from /Common/radius
    destination *:*
    interval 30
    nas-ip-address 10.16.81.11
    password Monitor
    secret **
    time-until-up 0
    timeout 31
    username radius@domain
}

Profile radiusLB is the following:

ltm profile radius radiusLB {
    clients none
    persist-avp none
}

And one other, not used but available in the default config:

ltm profile radius radiusLB-subscriber-aware {
    defaults-from radiusLB
    subscriber-aware enabled
}

If I look at pool statistics, each server has an equivalent volume of requests (48.1k against 48.2k).

You could play with Priority Groups depending on the location or failover architecture of RADIUS if you want.

Fabien VINCENT
Network & Security Engineer / ASSR Level 3 Products - Infrastructure & Products
fabien.vinc...@coreye.fr

From: freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye...@lists.freeradius.org] On behalf of Michael Schwartzkopff
Sent: Wednesday 9 October 2013 11:17
To: FreeRadius users mailing list
Subject: Re: load balancing radius with F5 devices

On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:
> Hi,
>
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're
> doing it here, but I can't help thinking that the actual load balancing
> algorithm needs some tweaking.
>
> As far as I'm aware (systems section support the F5 boxes)
>
> 1). We're using round robin to spread the load over 2 back end radius
> servers.
> 2). There is some "general" sticky persistence so that once a RAS
> device starts talking to a particular back end server it continues to talk
> to that server for a predetermined length of time (might be an hour, not
> sure). This ensures that an eap dialogue will always talk to the same back
> end server for the duration of the "stuck" time. Not sure what happens when
> you get to the end of the time interval though.
>
> According to the F5 statistics, overall radius traffic seems to be shared
> evenly over the 2 back end servers. However, our most heavily loaded RAS
> client is our wireless network. While we have 900 switches doing mac and
> 802.1x based auth, we can have 6000+ users on our wireless network all
> authenticating to RADIUS via 3 RAS clients. Looking at the back end server
> log files, it does look as if, in general, all wireless RADIUS auths head
> for the same back end server.
>
> I was wondering if there's a way of having a bit more granularity in terms
> of how the f5 load balances incoming RADIUS requests.

You would need to use application layer load balancing on the BigIPs. But I don't think that you can configure this on the BigIPs. The RADIUS protocol is stateless, so there are no criteria in the application that a load balancer could use to balance inside the application.

Greetings,

--
Kind regards,
Michael Schwartzkopff

--
sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: load balancing radius with F5 devices
On 09.10.2013 11:25, Olivier Beytrison wrote:
> On 09.10.2013 10:41, Alex Sharaz wrote:
>> I was wondering if there's a way of having a bit more granularity in terms
>> of how the f5 load balances incoming RADIUS requests.

Another nice thing to do is persistence based on RADIUS AVP:
https://devcentral.f5.com/questions/radius-load-bnalancing-persistence

So you can load balance incoming requests based on any standard AVP
(User-Name, NAS-IP-Address, Calling-Station-Id).

Olivier
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: load balancing radius with F5 devices
On 9 Oct 2013, at 10:16, Fajar A. Nugraha wrote:

> On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz wrote:
>> While we have 900 switches doing mac and 802.1x based auth, we can have 6000+
>> users on our wireless network all authenticating to RADIUS via 3 RAS clients.
>> Looking at the back end server log files, it does look as if, in general,
>> all wireless RADIUS auths head for the same back end server.
>>
>> I was wondering if there's a way of having a bit more granularity in terms
>> of how the f5 load balances incoming RADIUS requests.
>
> Have you asked F5?
>
> At the very least, common load balancers (e.g. "keepalived" on linux, a
> frontend for ipvs) should have the option of distributing traffic to backends
> based on source IP. Since you say you have 3 RAS clients, it should work
> somewhat.

You had a nose round the f5 site and subscribed to some of the communities. Shall we say that the response wasn't that great!

A

> --
> Fajar
Re: load balancing radius with F5 devices
On 09.10.2013 10:41, Alex Sharaz wrote:
> Hi,
>
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're
> doing it here, but I can't help thinking that the actual load balancing
> algorithm needs some tweaking.

I have f5 loadbalancers but atm I don't use them for our RADIUS traffic.

> As far as I'm aware (systems section support the F5 boxes)
>
> 1). We're using round robin to spread the load over 2 back end radius servers.
> 2). There is some "general" sticky persistence so that once a RAS device
> starts talking to a particular back end server it continues to talk to that
> server for a predetermined length of time (might be an hour, not sure). This
> ensures that an eap dialogue will always talk to the same back end server for
> the duration of the "stuck" time. Not sure what happens when you get to the
> end of the time interval though.

Point 2 should be set up carefully. I recommend using the iApp to deploy your RADIUS through the f5 [1] (they use FreeRADIUS as an example).

> I was wondering if there's a way of having a bit more granularity in terms
> of how the f5 load balances incoming RADIUS requests.

You can play with an iRule to statically assign one of your two pool members to your RAS servers. You can even decode the RADIUS packet and base your load-balancing decision on RADIUS attributes [2].

As you said, the most important thing is to ensure that a Client/NAS always talks to the same pool member, otherwise EAP won't work.

Olivier

[1] http://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf
[2] https://devcentral.f5.com/articles/radius-aware-load-balancing-via-irules#.UlUfIobjx1Y

--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
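The AVP-based persistence Olivier suggests in both of his replies (decode the RADIUS packet, pick the backend from a standard attribute rather than the UDP source), as an added Python example; this is not code from the thread, from F5 or from FreeRADIUS. It parses the RADIUS header and attribute list, hashes Calling-Station-Id (falling back to NAS-IP-Address) and maps it onto the two pool members from Fabien's config; the function names, the pool list and the zero authenticator in the constructed test packets are assumptions.

```python
# Added example: AVP-based RADIUS persistence as described in the thread,
# written in Python. Not code from the thread, F5 or FreeRADIUS; the
# function names and the pool list are assumptions.
import hashlib
import struct

# Standard attribute types from RFC 2865.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31

# Constructed pool, mirroring the two members in Fabien's config.
POOL = ["10.10.6.7:1812", "10.20.6.3:1812"]


def parse_avps(packet):
    """Return {attr_type: first value} from a RADIUS packet (20-byte header + AVPs)."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        avps.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return avps


def pick_member(packet, persist_attr=ATTR_CALLING_STATION_ID, pool=POOL):
    """Map the persistence AVP (fallback: NAS-IP-Address) to one pool member.

    Hashing the attribute rather than the UDP source keeps every packet of a
    client's EAP conversation on the same backend even when many clients sit
    behind a few RAS addresses. Returns None when no key is present, so the
    caller can fall back to plain round robin.
    """
    avps = parse_avps(packet)
    key = avps.get(persist_attr) or avps.get(ATTR_NAS_IP_ADDRESS)
    if not key:
        return None
    digest = hashlib.sha256(key).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def build_request(avps, ident=1):
    """Construct an Access-Request (code 1) with a zero authenticator, for tests."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in avps)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body
```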
Re: load balancing radius with F5 devices
On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:
> Hi,
>
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're
> doing it here, but I can't help thinking that the actual load balancing
> algorithm needs some tweaking.
>
> As far as I'm aware (systems section support the F5 boxes)
>
> 1). We're using round robin to spread the load over 2 back end radius
> servers.
> 2). There is some "general" sticky persistence so that once a RAS
> device starts talking to a particular back end server it continues to talk
> to that server for a predetermined length of time (might be an hour, not
> sure). This ensures that an eap dialogue will always talk to the same back
> end server for the duration of the "stuck" time. Not sure what happens when
> you get to the end of the time interval though.
>
> According to the F5 statistics, overall radius traffic seems to be shared
> evenly over the 2 back end servers. However, our most heavily loaded RAS
> client is our wireless network. While we have 900 switches doing mac and
> 802.1x based auth, we can have 6000+ users on our wireless network all
> authenticating to RADIUS via 3 RAS clients. Looking at the back end server
> log files, it does look as if, in general, all wireless RADIUS auths head
> for the same back end server.
>
> I was wondering if there's a way of having a bit more granularity in terms
> of how the f5 load balances incoming RADIUS requests.

You would need to use application layer load balancing on the BigIPs. But I don't think that you can configure this on the BigIPs. The RADIUS protocol is stateless, so there are no criteria in the application that a load balancer could use to balance inside the application.

Greetings,

--
Kind regards,
Michael Schwartzkopff

--
sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: load balancing radius with F5 devices
On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz wrote:
> While we have 900 switches doing mac and 802.1x based auth, we can have
> 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS
> clients. Looking at the back end server log files, it does look as if, in
> general, all wireless RADIUS auths head for the same back end server.
>
> I was wondering if there's a way of having a bit more granularity in
> terms of how the f5 load balances incoming RADIUS requests.

Have you asked F5?

At the very least, common load balancers (e.g. "keepalived" on linux, a frontend for ipvs) should have the option of distributing traffic to backends based on source IP. Since you say you have 3 RAS clients, it should work somewhat.

--
Fajar
load balancing radius with F5 devices
Hi,

Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm needs some tweaking.

As far as I'm aware (systems section support the F5 boxes):

1). We're using round robin to spread the load over 2 back end radius servers.
2). There is some "general" sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time (might be an hour, not sure). This ensures that an eap dialogue will always talk to the same back end server for the duration of the "stuck" time. Not sure what happens when you get to the end of the time interval though.

According to the F5 statistics, overall radius traffic seems to be shared evenly over the 2 back end servers. However, our most heavily loaded RAS client is our wireless network. While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server.

I was wondering if there's a way of having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests.

Rgds
Alex