Interesting. 

It does appear that there are issues cascading RADIATOR servers using
<AuthBy EAPBALANCE> because the RADIUS "State" attribute used to track the
EAP conversations gets mangled as the message progresses through the chain
of servers.

To make things work with the US NTLRS servers they graciously stopped
using EAPBALANCE to load balance between our servers and moved to a
traditional primary/secondary model, but obviously I can't ask everyone to
do that :-).

The RADIATOR folks recommended I try HASHBALANCE instead, but I like the
extra assurance that EAP conversations don't get broken up.

I will follow up on the RADIATOR list.

-Neil

-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

On 11/27/13 6:57 AM, "Jethro R Binks" <jethro.bi...@strath.ac.uk> wrote:

>Hi Neil,
>
>Serendipity.
>
>Don't know if you are still subscribed to the Radiator mailing list, but
>I posted something yesterday that seems to tie up to you, please review
>the thread:
>
>  http://www.open.com.au/pipermail/radiator/2013-November/019540.html
>
>and let me know if you have any thoughts.
>
>Jethro.
>
>
>
>On Tue, 26 Nov 2013, Johnson, Neil M wrote:
>
>> We are running RADIATOR on Windows Boxes (long story).
>> 
>> The boxes are configured with 6 "child" processes and 1 "parent"
>> process.
>> 
>> The "parent" process uses <AuthBy EAPBALANCE> to distribute the EAP
>> authentications across the "child" processes.
>> 
>> Using EAPBALANCE ensures that each EAP conversation makes it to the
>> same "child" process.
>> 
>> It seems to work pretty well. We could probably handle more "child"
>> processes on the dedicated boxes we use.
>> 
>> The heavy lifting is done in the "child" processes. They share the same
>> single configuration file.
>> 
>> The only drawback is that, on Windows, you have to manually restart all
>> 7 processes when you change your RADIUS configuration.
>> 
>> Here is what the Handler section for the "parent" process looks like:
>> 
>> <Handler>
>>     <AuthBy EAPBALANCE>
>>         # Pass Client-Identifier as a RADIUS attribute to child processes
>>         # so that the child process knows what NAS client the request came from.
>>         # Useful for selecting a Handler based on NAD client.
>>         AddToRequest OSC-Client-Identifier=%{Client:Identifier}
>>         FailureBackoffTime 15
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 11812
>>             AcctPort 11813
>>         </Host>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 21812
>>             AcctPort 21813
>>         </Host>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 31812
>>             AcctPort 31813
>>         </Host>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 41812
>>             AcctPort 41813
>>         </Host>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 51812
>>             AcctPort 51813
>>         </Host>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 61812
>>             AcctPort 61813
>>         </Host>
>>     </AuthBy>
>> </Handler>
>> 
>> 
>> 
>> 
>> --
>> Neil Johnson
>> Network Engineer
>> The University of Iowa
>> Phone: +1 319 384-0938
>> Fax: +1 319 335-2951
>> E-Mail: neil-john...@uiowa.edu
>> Lync: neil-john...@uiowa.edu
>> 
>> 
>> From: Kees Pronk <cl.pr...@avans.nl>
>> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Date: Friday, November 22, 2013 1:46 AM
>> To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Subject: [WIRELESS-LAN] loadbalacing WPA2 802.1X traffic between controller and radius servers
>> 
>> Hello,
>> 
>> Are any WLAN colleagues using a load balancer to scale out the auth (EAP)
>> traffic?
>> Currently we use Radiator with frontend and multiple backend processes,
>> which works fine.
>> Wondering if load balancers can keep track of the state of an EAP
>> authentication.
>> At peak times we have 12K concurrent Wi-Fi devices online.
>> 
>> Best regards, Kees
>> 
>> 
>> 
>> 
>> 
>> **********
>> Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>
>.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
>Jethro R Binks, Network Manager,
>Information Services Directorate, University Of Strathclyde, Glasgow, UK
>
>The University of Strathclyde is a charitable body, registered in
>Scotland, number SC015263.
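
A simplified model of the cascading problem discussed in this thread, added here as an illustration and not taken from Radiator or from any poster: two tiers of balancers that pin an EAP conversation by tagging the RADIUS State attribute, in front of toy EAP backends. The tag format, the class names, the three-round conversation and the "drop the downstream State" failure mode are all assumptions made for the example, not Radiator's actual behaviour.

```python
class Backend:
    """Toy EAP server process: knows only the conversations it started."""
    def __init__(self, name):
        self.name, self.rounds = name, {}

    def handle(self, state):
        if state is None:                      # first EAP round: issue a State
            state = f"{self.name}/conv{len(self.rounds) + 1}".encode()
            self.rounds[state] = 0
        elif state not in self.rounds:         # State from another process, or altered
            return "Access-Reject", None
        self.rounds[state] += 1
        done = self.rounds[state] >= 3         # constructed: 3 rounds per conversation
        return ("Access-Accept", None) if done else ("Access-Challenge", state)


class StateBalancer:
    """Pins a conversation to one target by prefixing State with b'<tag>:<idx>|'."""
    def __init__(self, tag, targets, nest=True):
        self.tag, self.targets, self.nest, self.next = tag.encode(), targets, nest, 0

    def handle(self, state):
        prefix = self.tag + b":"
        if state is not None and state.startswith(prefix):
            idx, _, inner = state[len(prefix):].partition(b"|")
            idx, inner = int(idx), inner or None   # strip own tag, pass the rest on
        else:                                      # no routing tag: round-robin
            idx, inner = self.next % len(self.targets), state
            self.next += 1
        code, reply_state = self.targets[idx].handle(inner)
        if code != "Access-Challenge":
            return code, None
        # nest=True keeps the downstream State inside ours; nest=False loses it.
        kept = reply_state if self.nest else b""
        return code, prefix + str(idx).encode() + b"|" + kept


def build_chain(nest):
    """Front balancer T1 -> two T2 balancers -> three backends each."""
    tier2 = [StateBalancer("T2", [Backend(f"b{i}{j}") for j in range(3)])
             for i in range(2)]
    return StateBalancer("T1", tier2, nest=nest)


def run_conversation(front, max_rounds=5):
    """Play the NAS: echo back whatever State the last challenge carried."""
    state, code = None, "Access-Challenge"
    for _ in range(max_rounds):
        code, state = front.handle(state)
        if code != "Access-Challenge":
            break
    return code
```

With `build_chain(True)` every round reaches the same backend and the conversation ends in Access-Accept; with `build_chain(False)` the second tier never sees its own tag again, restarts the conversation on a different backend each round, and the authentication never completes.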
