We used to have two Cisco ACS servers behind a Cisco ACE load balancer. The only issue we had was with the eduroam service. With eduroam, we have to accept RADIUS packets from wireless controllers in other organizations over which we have no control. It became a challenge to set up a RADIUS stickiness method that works with all the different kinds of wireless controllers. Originally we configured RADIUS stickiness based on "Calling-Station-Id" on the Cisco ACE, but we found some wireless controllers do not send this attribute. We then changed to source-IP based stickiness, but we still found it not working with some controllers. In the end, we had to deploy separate RADIUS servers (in active/standby mode) for eduroam. I would say RADIUS stickiness behind a load balancer should work fine if you have good control over all the NAS devices.
---
Dennis Xu
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519-824-4120 Ext 56217
[email protected]
www.uoguelph.ca/ccs

----- Original Message -----
From: "Neil M Johnson" <[email protected]>
To: [email protected]
Sent: Wednesday, November 27, 2013 11:48:26 AM
Subject: Re: [WIRELESS-LAN] loadbalancing WPA2 802.1X traffic between controller and radius servers

Interesting.

It does appear that there are issues cascading RADIATOR servers using <AuthBy EAPBALANCE> because the RADIUS "State" attribute used to track the EAP conversations gets mangled as the message progresses through the chain of servers.

To make things work with the US NTLRS servers they graciously stopped using EAPBALANCE to load balance between our servers and moved to a traditional primary/secondary model, but obviously I can't ask everyone to do that :-).

The RADIATOR folks recommended I try HASHBALANCE instead, but I like the extra assurance that EAP conversations don't get broken up.

I will follow up on the RADIATOR list.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938 <tel:+13193840938>
Fax: +1 319 335-2951 <tel:+13193352951>
E-Mail: [email protected]
Lync: [email protected] <sip:[email protected]>

On 11/27/13 6:57 AM, "Jethro R Binks" <[email protected]> wrote:

> Hi Neil,
>
> Serendipity.
>
> Don't know if you are still subscribed to the Radiator mailing list, but
> I posted something yesterday that seems to tie up to you, please review
> the thread:
>
>   http://www.open.com.au/pipermail/radiator/2013-November/019540.html
>
> and let me know if you have any thoughts.
>
> Jethro.
>
> On Tue, 26 Nov 2013, Johnson, Neil M wrote:
>
>> We are running RADIATOR on Windows boxes (long story).
>>
>> The boxes are configured with 6 "child" processes and 1 "parent" process.
>>
>> The "parent" process uses <AuthBy EAPBALANCE> to distribute the EAP
>> authentications across the "child" processes.
>>
>> Using EAPBALANCE ensures that each EAP conversation makes it to the same
>> "child" process.
>>
>> It seems to work pretty well. We could probably handle more "child"
>> processes on the dedicated boxes we use.
>>
>> The heavy lifting is done in the "child" processes. They share the same
>> single configuration file.
>>
>> The only drawback is that, on Windows, you have to manually restart all
>> 7 processes when you change your RADIUS configuration.
>>
>> Here is what the Handler section for the "parent" process looks like:
>>
>> <Handler>
>>     <AuthBy EAPBALANCE>
>>         # Pass Client-Identifier as a RADIUS attribute to child processes
>>         # so that the child process knows what NAS client the request came from.
>>         # Useful for selecting a Handler based on NAD client.
>>         AddToRequest OSC-Client-Identifier=%{Client:Identifier}
>>         FailureBackoffTime 15
>>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 11812
>>             AcctPort 11813
>>         </Host>
>>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 21812
>>             AcctPort 21813
>>         </Host>
>>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 31812
>>             AcctPort 31813
>>         </Host>
>>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 41812
>>             AcctPort 41813
>>         </Host>
>>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 51812
>>             AcctPort 51813
>>         </Host>
>>
>>         <Host 127.0.0.1>
>>             Secret Secret
>>             AuthPort 61812
>>             AcctPort 61813
>>         </Host>
>>     </AuthBy>
>> </Handler>
>>
>> --
>> Neil Johnson
>> Network Engineer
>> The University of Iowa
>> Phone: +1 319 384-0938 <tel:+13193840938>
>> Fax: +1 319 335-2951 <tel:+13193352951>
>> E-Mail: [email protected] <mailto:[email protected]>
>> Lync: [email protected] <sip:[email protected]>
>>
>> From: Kees Pronk <[email protected] <mailto:[email protected]>>
>> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected] <mailto:[email protected]>>
>> Date: Friday, November 22, 2013 1:46 AM
>> To: "[email protected]" <[email protected] <mailto:[email protected]>>
>> Subject: [WIRELESS-LAN] loadbalancing WPA2 802.1X traffic between controller and radius servers
>>
>> Hello,
>>
>> Are any WLAN colleagues using a load balancer to scale out the auth (EAP) traffic?
>> Currently we use Radiator with a frontend and multiple backend processes, which works fine.
>> Wondering if load balancers can keep track of the state of an EAP authentication.
>> At peak times we have 12K concurrent Wi-Fi devices online.
>>
>> Best regards, Kees
>>
>> **********
>> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
>> **********
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks, Network Manager,
> Information Services Directorate, University Of Strathclyde, Glasgow, UK
>
> The University of Strathclyde is a charitable body, registered in
> Scotland, number SC015263.
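The thread above turns on one question: how does a front end keep every round of an EAP conversation on the same backend when some NAS devices omit Calling-Station-Id and an upstream proxy may mangle State? The following is an added illustration of that sticky-routing logic, not Radiator's EAPBALANCE code nor anything from the posters; it assumes a minimal RADIUS TLV parser, constructed sample packets with a zero authenticator, SHA-256 hashing onto invented backend names, and a State table learned from each backend's Access-Challenge.

```python
import hashlib, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11      # RADIUS codes (RFC 2865)
ATTR_STATE, ATTR_CALLING_STATION_ID = 24, 31  # attribute types used as sticky keys

def build_packet(code, attrs):
    """Constructed sample packet: RADIUS header (zero authenticator) + TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, 0, 20 + len(body)) + bytes(16) + body

def parse_packet(packet):
    """Return (code, {attr_type: [values]}); reject truncated or malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, length = packet[0], struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, attrs

class EapStickyBalancer:
    """Pins each EAP conversation to one backend: the first Access-Request (no State)
    is hashed on Calling-Station-Id, or on NAS source IP when the NAS omits it; the
    State in the backend's Access-Challenge is remembered and routes later rounds."""
    def __init__(self, backends):
        self.backends, self.by_state = list(backends), {}
    def route_request(self, packet, src_ip):
        code, attrs = parse_packet(packet)
        if code != ACCESS_REQUEST:
            raise ValueError("not an Access-Request")
        state = attrs.get(ATTR_STATE, [None])[0]
        if state in self.by_state:            # known conversation: follow the table
            return self.by_state[state], "State"
        if ATTR_CALLING_STATION_ID in attrs:  # new (or unknown State): hash a fallback key
            key, how = attrs[ATTR_CALLING_STATION_ID][0], "Calling-Station-Id"
        else:
            key, how = src_ip.encode(), "src-ip"
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(self.backends)
        return self.backends[idx], how
    def observe_reply(self, packet, backend):
        """Learn State -> backend from the backend's Access-Challenge."""
        code, attrs = parse_packet(packet)
        if code == ACCESS_CHALLENGE and ATTR_STATE in attrs:
            self.by_state[attrs[ATTR_STATE][0]] = backend
```

A State value the table has never seen (the mangled-by-a-proxy case Neil describes) falls through to the hash path and can land on a different backend, which is exactly the broken conversation a primary/secondary model avoids.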
