

We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication.  The foundation is:

Citrix NetScaler 9000s
Aruba M3 controllers
Radiator radius server (currently 3) on a Windows platform.

We have been unable to successfully get authentication to work.  We are getting Aruba involved, but they do not seem to have an answer yet.  

Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.

Thanks


Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihulko@uwo.ca <mailto:mihulko@uwo.ca>





********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


Comments

Message from a.cudbardb@freeradius.org

On 15 May 2012, at 20:05, Michael Hulko wrote:

> We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication. The foundation is:
>
> Citrix NetScaler 9000s
> Aruba M3 controllers
> Radiator radius server (currently 3) on a Windows platform.
>
> We have been unable to successfully get authentication to work. We are getting Aruba involved, but they do not seem to have an answer yet.
>
> Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.

Um quick check. All the RADIUS packets for an EAP session are going to the same RADIUS server right?

AFAIK Radiator doesn't do EAP session state synchronisation, so you have to ensure the entire EAP exchange goes to a single backend server.

-Arran
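The requirement in the message above, that every packet of one EAP exchange reaches the same backend, as an added example (not from the thread, and not how the NetScaler or Radiator implement it): the backend is picked by hashing Calling-Station-Id, which stays constant through the exchange while the Identifier and EAP-Message change each round. The backend names and sample packets are constructed.

```python
import hashlib
import struct

CALLING_STATION_ID = 31   # RFC 2865 attribute: supplicant MAC in 802.1X
EAP_MESSAGE = 79          # RFC 3579 attribute: one EAP fragment per round
BACKENDS = ["radius1", "radius2", "radius3"]  # hypothetical backend names

def build_request(ident, attrs):
    """Build a constructed Access-Request (code 1, zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return {type: first value}; reject malformed lengths instead of guessing."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    if pos != length:
        raise ValueError("truncated attribute header")
    return attrs

def pick_backend(packet, backends):
    """Pin every packet of one supplicant's EAP exchange to one backend."""
    mac = parse_attributes(packet).get(CALLING_STATION_ID)
    if mac is None:
        raise ValueError("no Calling-Station-Id; cannot keep the exchange sticky")
    # Normalise so "AA-BB-.." and "aa:bb:.." produce the same key.
    norm = bytes(c for c in mac.lower() if c in b"0123456789abcdef")
    digest = hashlib.sha256(norm).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]

def demo_exchange():
    """Two rounds of one constructed EAP exchange: new Identifier, new EAP-Message."""
    mac = (CALLING_STATION_ID, b"AA-BB-CC-00-11-22")
    return [build_request(1, [mac, (EAP_MESSAGE, b"\x02\x01\x00\x05\x01")]),
            build_request(2, [mac, (EAP_MESSAGE, b"\x02\x02\x00\x06\x15\x00")])]

if __name__ == "__main__":
    print([pick_backend(p, BACKENDS) for p in demo_exchange()])
```

Keying on the State attribute or the RADIUS Identifier would not work here, because both change between rounds of the same exchange.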
Message from coll@isc.upenn.edu

We use FreeRadius and we manually load balance.  We try to keep things simple with good naming schemes since, at this point, we have 7 Aruba M3 production controllers with 4 backups supporting over 3000 APs.  We have 8 RADIUS server groups (4 physically different RADIUS servers with 2 instances of FreeRadius running on each of them).  What we decided to do was run each main controller to have a different primary RADIUS server.  We use EAP-TTLS(PAP) – it’s single threaded to a backend Kerberos system, so we needed the extra servers to handle the load (we were peaking over 17K clients on the system at a time this past spring, and who knows what fall will bring).  It was easier for us to do this manually – one less thing to worry about failing and we run reports from our RADIUS servers to make sure we are ok.  We were also running scripts on our controllers to make sure we didn’t get server timeouts as well.  Hope this helps – good luck!

 

Colleen Szymanik

University of Pennsylvania

 

Michael,

Have you inquired about the built-in load balancing features of RADIATOR?
You might not need an extra load balancer...
Specifically one of these clauses:
 <AuthBy ROUNDROBIN>, <AuthBy VOLUMEBALANCE>, <AuthBy LOADBALANCE>, <AuthBy HASHBALANCE>, <AuthBy EAPBALANCE>.



Philippe


Philippe Hanset
Univ. of TN, Knoxville


Philippe...

Thanks for the response...

Yes..we are considering all options including the Radiator load-balancing features and suggestions from other listserv members to achieve our goal.
Running an external load-balance service was just one of the options we were exploring to solve our authentication challenges/opportunities.  

respectfully,

Michael Hulko

On 2012-05-16, at 12:56 PM, Hanset, Philippe C wrote:

Michael,

Have you inquired about the built-in load balancing features of RADIATOR?
You might not need an extra load balancer...
Specifically one of these clauses:
 <AuthBy ROUNDROBIN>, <AuthBy VOLUMEBALANCE>, <AuthBy LOADBALANCE>, <AuthBy HASHBALANCE>, <AuthBy EAPBALANCE>.



Philippe


Philippe Hanset
Univ. of TN, Knoxville


Colleen...

Thanks for your response..

We have included your suggestion as part of a solution matrix to investigate.

respectfully,

Michael


On 2012-05-16, at 8:54 AM, Colleen Szymanik wrote:

We use FreeRadius and we manually load balance.  We try to keep things simple with good naming schemes since, at this point, we have 7 Aruba M3 production controllers with 4 backups supporting over 3000 APs.  We have 8 RADIUS server groups (4 physically different RADIUS servers with 2 instances of FreeRadius running on each of them).  What we decided to do was run each main controller to have a different primary RADIUS server.  We use EAP-TTLS(PAP) – it’s single threaded to a backend Kerberos system, so we needed the extra servers to handle the load (we were peaking over 17K clients on the system at a time this past spring, and who knows what fall will bring).  It was easier for us to do this manually – one less thing to worry about failing and we run reports from our RADIUS servers to make sure we are ok.  We were also running scripts on our controllers to make sure we didn’t get server timeouts as well.  Hope this helps – good luck!
 
Colleen Szymanik
University of Pennsylvania
 
Arran

Thanks for your response..

Our current testing is to a single Radiator server, a single instance of a Radius farm in the NetScaler with "stickiness" to the client session.  We have tested terminating the EAP on both the controller and directly to the server.  We have captured traffic at all points in the path, and it appears in both cases, packets between the controller and the load-balancer are being misinterpreted by the wireless controller.  We have submitted all captures to the Aruba SE to get something from them.  The load-balancer appears to pass all the packets to and from the controller to the radius server.

respectfully,

Michael


On 2012-05-16, at 6:33 AM, Arran Cudbard-Bell wrote:

On 15 May 2012, at 20:05, Michael Hulko wrote:


We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication.  The foundation is:

Citrix NetScaler 9000s
Aruba M3 controllers
Radiator radius server (currently 3) on a Windows platform.

We have been unable to successfully get authentication to work.  We are getting Aruba involved, but they do not seem to have an answer yet.  

Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.

Um quick check. All the RADIUS packets for an EAP session are going to the same RADIUS server right?

AFAIK Radiator doesn't do EAP session state synchronisation, so you have to ensure the entire EAP exchange goes to a single backend server.

-Arran


Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihulko@uwo.ca <mailto:mihulko@uwo.ca>






So to continue the thought...

How are you managing the server certificates?  Does FreeRadius require a certificate per server instance or can you use a single server certificate for all instances?  I can see where having the number of servers providing authentication could give users a challenge where they roam between controllers and have to accept another certificate until they have accepted them all.

your thoughts...

Thanks again.
MH


On 2012-05-16, at 8:54 AM, Colleen Szymanik wrote:

We use FreeRadius and we manually load balance.  We try to keep things simple with good naming schemes since, at this point, we have 7 Aruba M3 production controllers with 4 backups supporting over 3000 APs.  We have 8 RADIUS server groups (4 physically different RADIUS servers with 2 instances of FreeRadius running on each of them).  What we decided to do was run each main controller to have a different primary RADIUS server.  We use EAP-TTLS(PAP) – it’s single threaded to a backend Kerberos system, so we needed the extra servers to handle the load (we were peaking over 17K clients on the system at a time this past spring, and who knows what fall will bring).  It was easier for us to do this manually – one less thing to worry about failing and we run reports from our RADIUS servers to make sure we are ok.  We were also running scripts on our controllers to make sure we didn’t get server timeouts as well.  Hope this helps – good luck!
 
Colleen Szymanik
University of Pennsylvania
 
Message from zm23@columbia.edu

Hi,

 

We are also using FreeRADIUS.  We have two production servers and we set the order on the controllers.  We are using the same cert on both servers. 

 

Freeradius also has a dispatcher/load balancer module but I have not tried it yet.

 

--

Zahid Mehmood

Columbia University Information Technology

 

 

 

Message from coll@isc.upenn.edu

We use the same certificate on all.  Much easier!

Message from bosborne@liberty.edu

We at Liberty University are rolling out our 802.1X RADIUS environment for Aruba wireless and Cisco wired using Aruba's ClearPass Policy Manager, a FreeRADIUS based product. We have 2 RADIUS servers to handle our projected load. We then have 2 RADIUS proxy servers to load balance to the nodes and provide proxy redundancy. We will manually balance the proxies by having the wireless controllers use Proxy1 as primary with Fail through and the switches use Proxy2 as primary. Aruba's ClearPass clustering keeps the configuration in sync. We can also add more RADIUS servers if our client load increases. Any new server would automatically get its configuration from the cluster publisher.

Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971