Re: load balancing radius with F5 devices

2013-10-09 Thread Fajar A. Nugraha
On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote:

 While we have 900 switches doing mac and 802.1x based auth, we can have
 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS
 clients. Looking at the back end server log files, it does look as if, in
 general,  all wireless RADIUS auths head for the same back end server.

 I was wondering if there's a way of having a bit more granularity in
 terms of how the f5 load balances incoming RADIUS requests.


Have you asked F5?

At the very least, common load balancers (e.g. keepalived on linux, a
frontend for ipvs) should have the option of distributing traffic to
backends based on source IP. Since you say you have 3 RAS clients, it
should work somewhat.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: load balancing radius with F5 devices

2013-10-09 Thread Michael Schwartzkopff
On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:
 Hi,
 
 Is anyone out there load balancing RADIUS with an F5 load balancer? We're
 doing it here, but I can't help thinking that the actual load balancing
 algorithm needs some tweaking.
 
 As far as I'm aware (systems section supports the F5 boxes)
 
 1). We're using round robin to spread the load over 2 back end radius
 servers.
 2). There is some general sticky persistence so that once a RAS
 device starts talking to a particular back end server it continues to talk
 to that server for a predetermined length of time ( might be an hour, not
 sure). This ensures that an eap dialogue will always talk to the same back
 end server for the duration of the stuck time. Not sure what happens when
 you get to the end of the time interval though.
 
 According to the F5 statistics, overall radius traffic seems to be shared
 evenly over the 2 back end servers.  However, our most heavily loaded RAS
 client is our wireless network. While we have 900 switches doing mac and
 802.1x based auth, we can have 6000+ users on our wireless network all
 authenticating to RADIUS via 3 RAS clients. Looking at the back end server
 log files, it does look as if, in general,  all wireless RADIUS auths head
 for the same back end server.
 
 I was wondering if there's a way of having a bit more granularity in terms
 of how the f5 load balances incoming RADIUS requests.


You would need to use application layer load balancing on the BigIPs. But I 
don't think that you can configure this on the BigIPs. The RADIUS protocol is 
stateless, so there is no criteria in the application that a load balancer 
could use to balance inside the application.

Greetings,

-- 
Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 10:41, Alex Sharaz wrote:
 Hi,
 
 Is anyone out there load balancing RADIUS with an F5 load balancer? We're 
 doing it here, but I can't help thinking that the actual load balancing 
 algorithm needs some tweaking.

I have f5 loadbalancers but atm I don't use them for our RADIUS traffic

 As far as I'm aware (systems section supports the F5 boxes)
 
 1). We're using round robin to spread the load over 2 back end radius servers.
 2). There is some general sticky persistence so that once a RAS device 
 starts talking to a particular back end server it continues to talk to that 
 server for a predetermined length of time ( might be an hour, not sure). This 
 ensures that an eap dialogue will always talk to the same back end server for 
 the duration of the stuck time. Not sure what happens when you get to the 
 end of the time interval though.

Point 2 should be setup carefully. I recommend using the iApp to deploy
your radius through the f5 [1] (they use Freeradius as an example)

 I was wondering if there's a way of having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.

You can play with an iRule to statically assign one of your two pool
members to your RAS servers. You can even decode the radius packet and
base your load-balancing decision on radius attributes [2]

As you said, the most important thing is to ensure that a Client/NAS
always talks to the same pool member, otherwise EAP won't work.

Olivier

[1] http://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf
[2]
https://devcentral.f5.com/articles/radius-aware-load-balancing-via-irules#.UlUfIobjx1Y
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz

On 9 Oct 2013, at 10:16, Fajar A. Nugraha l...@fajar.net wrote:

 On Wed, Oct 9, 2013 at 3:41 PM, Alex Sharaz alex.sha...@york.ac.uk wrote:
 While we have 900 switches doing mac and 802.1x based auth, we can have 6000+ 
 users on our wireless network all authenticating to RADIUS via 3 RAS clients. 
 Looking at the back end server log files, it does look as if, in general,  
 all wireless RADIUS auths head for the same back end server.
 
 I was wondering if there's a way of having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.
 
 
 Have you asked F5?
 
 At the very least, common load balancers (e.g. keepalived on linux, a 
 frontend for ipvs) should have the option of distributing traffic to backends 
 based on source IP. Since you say you have 3 RAS clients, it should work 
 somewhat.
 
You had a nose round the f5 site and subscribed to some of the communities. 
Shall we say that the response wasn't that great!
A

 -- 
 Fajar


Re: load balancing radius with F5 devices

2013-10-09 Thread Olivier Beytrison
On 09.10.2013 11:25, Olivier Beytrison wrote:
 On 09.10.2013 10:41, Alex Sharaz wrote: 
 I was wondering if there's a way of having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.

Another nice thing to do is to do persistence based on radius AVP
https://devcentral.f5.com/questions/radius-load-bnalancing-persistence

So you can load balance incoming requests based on any standard AVP
(User-Name, NAS-IP-Address, Calling-Station-Id )

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
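As an added illustration of the AVP-based persistence Olivier describes (this is not code from the thread, from F5 or from FreeRADIUS): a Python sketch that decodes the AVPs of a RADIUS packet and picks a pool member by hashing one of them, so every request carrying the same NAS-IP-Address (and therefore every round trip of one EAP conversation) lands on the same backend. The pool member addresses are taken from Fabien's config further down the thread; the sample Access-Request and its MAC/user values are constructed.

```python
import hashlib
import struct

# RADIUS attribute types named in the thread as persistence keys (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
ATTR_NAMES = {USER_NAME: "User-Name", NAS_IP_ADDRESS: "NAS-IP-Address",
              CALLING_STATION_ID: "Calling-Station-Id"}


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte header and the AVP list; reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        value = packet[pos + 2:pos + alen]
        if atype == NAS_IP_ADDRESS:
            value = ".".join(str(b) for b in value)  # render as dotted quad
        attrs[ATTR_NAMES.get(atype, atype)] = value
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def pick_member(packet: bytes, members: list, key_attr: str = "NAS-IP-Address") -> str:
    """Hash the chosen AVP so the same value always maps to the same member."""
    value = parse_radius(packet)["attrs"].get(key_attr)
    if value is None:
        raise ValueError(f"{key_attr} missing; cannot persist on it")
    if isinstance(value, str):
        value = value.encode()
    digest = hashlib.sha256(value).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def build_access_request(ident: int, nas_ip: str, user: bytes, mac: bytes) -> bytes:
    """Constructed sample Access-Request (code 1); authenticator left as zeros."""
    avps = (bytes([USER_NAME, 2 + len(user)]) + user
            + bytes([NAS_IP_ADDRESS, 6]) + bytes(int(o) for o in nas_ip.split("."))
            + bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac)
    return struct.pack("!BBH", 1, ident, 20 + len(avps)) + bytes(16) + avps


POOL = ["10.10.6.7:1812", "10.20.6.3:1812"]  # pool members from Fabien's config below
```

Keying on NAS-IP-Address gives one member per RAS client (coarse but EAP-safe); keying on Calling-Station-Id spreads a single large NAS across both members while still keeping each client's EAP exchange on one server.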


RE: load balancing radius with F5 devices

2013-10-09 Thread Vincent, Fabien
Hi,

Just to give some info if I can help (this mailing list has helped me a lot!) 

I have F5 BigIP devices in two DCs. They each have a VirtualServer with a 
shared IP (not activated in the VLANs used to communicate between the 2 DCs, to avoid 
IP conflicts; a much simpler config for the NAS - only one IP address for the server).

Everything works fine with the following config :

The Virtual Server (IP is A.B.C.D, its public one for the external DC ...)

ltm virtual /Common/VS-RADIUS-AUTH {
destination /Common/A.B.C.D:1812
ip-protocol udp
mask 255.255.255.255
pool /Common/POOL-RADIUS-AUTH
profiles {
/Common/radiusLB { }
/Common/udp { }
}
source 0.0.0.0/0
translate-address enabled
translate-port enabled
vlans {
[...]
}
vlans-enabled
}

The pool used :

ltm pool /Common/POOL-RADIUS-AUTH {
members {
/Common/10.10.6.7:1812 {
address 10.10.6.7
}
/Common/10.20.6.3:1812 {
address 10.20.6.3
}
}
monitor /Common/Radius-Auth
}

The monitor : 

ltm monitor radius /Common/Radius-Auth {
debug no
defaults-from /Common/radius
destination *:*
interval 30
nas-ip-address 10.16.81.11
password Monitor
secret **
time-until-up 0
timeout 31
username radius@domain
}

Profile radiusLB is the following :

ltm profile radius radiusLB {
clients none
persist-avp none
}

And one other not used but available in default config.

ltm profile radius radiusLB-subscriber-aware {
defaults-from radiusLB
subscriber-aware enabled
}


If I look at pool statistics, each server has an equivalent volume of requests 
(48.1k against 48.2k).

You could play with Priority Groups depending on the location or failover architecture 
of Radius if you want 

Fabien VINCENT
Network & Security Engineer / ASSR Products
Level 3 - Infrastructure & Products
fabien.vinc...@coreye.fr





Re: load balancing radius with F5 devices

2013-10-09 Thread Alex Sharaz
Many thanks for this Olivier, much appreciated
Rgds
A
On 9 Oct 2013, at 11:07, Olivier Beytrison oliv...@heliosnet.org wrote:

 On 09.10.2013 11:25, Olivier Beytrison wrote:
 On 09.10.2013 10:41, Alex Sharaz wrote: 
 I was wondering if there's a way of having a bit more granularity in terms 
 of how the f5 load balances incoming RADIUS requests.
 
 Another nice thing to do is to do persistence based on radius AVP
 https://devcentral.f5.com/questions/radius-load-bnalancing-persistence
 
 So you can load balance incoming requests based on any standard AVP
 (User-Name, NAS-IP-Address, Calling-Station-Id )
 
 Olivier
 -- 
 
 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
