On 06/19/2014 11:26 PM, Barry Ard wrote:
> I have been asked to investigate the possibility of using our F5 load
> balancers in our wireless infrastructure. We currently have 2 large servers
> and load balance using the EAPBalance handler. We currently allow the PEAP
> and TTLS EAP types.

I'm currently running Radiator behind a load balancer (not F5) and it's
working well. The key issues for me were:

* make sure the VIP port consistently maps each client IP to the same real
  server, to avoid breaking EAP conversations. [There might be other ways to
  do this with better granularity, especially if your load balancer
  comprehends EAP, but I took the path of maximum safety. We have enough
  distinct wireless controllers that mapping each entire controller to one
  RADIUS server at a time is fine.]

* Important exception: make sure this mapping is automatically adjusted
  whenever a real server port goes down _or_ comes back up! [I spent a while
  testing different ways to configure the load balancer behavior until I
  found one that behaved well in this regard. Not F5, so I can't help with
  details; just make sure you do plenty of testing.]

* use actual RADIUS requests for the health check, and make sure you
  configure Radiator to answer them in such a way that any failure mode
  which would prevent real wireless auths from working will also cause the
  health check to fail. [E.g. if you depend on a back-end connection to
  Active Directory, as I do, make sure your health check exercises that.]

> Our goals are:
> 1. With multiple servers behind the load balancers we will be able to
> remove one from use for maintenance without impacting service.

Yes!

> 2. We also hope that we may be able to have a single SSL cert so that when
> the next Heartbleed-like event happens updating certs on 2 servers won't
> have our user base freaking out.

Yes, but this shouldn't require load balancing; you can always install the
same SSL cert and key on as many Radiator boxes as you want. A wireless
supplicant only cares about the name (Subject CN) on the certificate; it
never even knows the DNS hostname or IP address of the RADIUS server, so
(unlike with a webserver) it doesn't matter if the DNS hostname matches the
cert or not.
HTH,
David

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
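The "use actual RADIUS requests for the health check" point above, worked through as an added example that is not part of the original thread and is not Radiator's or F5's own code: a minimal RFC 2865 PAP Access-Request/Access-Accept exchange of the kind a load-balancer monitor sends, with the server side accepting a dedicated health-check user only while a back-end dependency check (standing in for David's AD connection) passes, and the client side refusing to count a reply as "up" unless its Response Authenticator verifies. The shared secret, user name, password, NAS-Identifier and the backend_ok callback are all constructed assumptions for illustration.

```python
"""Added example (not from the thread, not Radiator code): RADIUS PAP health check,
RFC 2865. Secret, user, password and backend_ok are constructed assumptions."""
import hashlib
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(secret, request_auth, password):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return bytes(out)


def unhide_password(secret, request_auth, hidden):
    """Inverse of hide_password; the chaining value is always the ciphertext block."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, _md5(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, ident, user, password, nas_id, request_auth=None):
    """Client side; returns (packet, request_authenticator). Keep the latter to verify the reply."""
    ra = request_auth or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return _packet(ACCESS_REQUEST, ident, ra, attrs), ra


def response_authenticator(secret, code, ident, length, request_auth, attrs):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return _md5(struct.pack("!BBH", code, ident, length), request_auth, attrs, secret)


def handle_request(secret, pkt, health_user, health_password, backend_ok):
    """Server side: Accept the health user only if the password matches AND the
    back-end dependency (backend_ok, e.g. an AD bind) works right now."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = pkt[4:20], _parse_attrs(pkt[20:length])
    pw = unhide_password(secret, ra, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = (attrs.get(ATTR_USER_NAME) == health_user
          and secrets.compare_digest(pw, health_password) and backend_ok())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(reply_code, ident,
                   response_authenticator(secret, reply_code, ident, 20, ra, b""), b"")


def check_reply(secret, ident, request_auth, reply):
    """Client side: healthy only if the identifier matches, the Response
    Authenticator verifies, and the code is Accept. A forged Accept is not 'up'."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return False
    expected = response_authenticator(secret, code, rid, length, request_auth, reply[20:])
    return secrets.compare_digest(expected, reply[4:20]) and code == ACCESS_ACCEPT


def health_check(host, port, secret, user, password, nas_id=b"lb-monitor", timeout=2.0):
    """What a monitor does over UDP against a real server (not used in the offline demo)."""
    ident = secrets.randbelow(256)
    req, ra = build_access_request(secret, ident, user, password, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False  # silence is a failed check, same as a Reject
    return check_reply(secret, ident, ra, reply)


def demo(backend_ok, forge_accept=False):
    """Offline loopback: client request -> in-process server -> client verification.
    forge_accept flips a Reject's code to Accept without fixing the authenticator."""
    secret, ident = b"health-secret", 7  # constructed values
    req, ra = build_access_request(secret, ident, b"lb-health", b"hunter2", b"lb-monitor")
    reply = handle_request(secret, req, b"lb-health", b"hunter2", backend_ok)
    if forge_accept:
        reply = bytes([ACCESS_ACCEPT]) + reply[1:]
    return check_reply(secret, ident, ra, reply)
```

The point of wiring backend_ok into the Accept path is the one the post makes: if the health user is answered from a local flat file while real users go to Active Directory, the monitor will keep a server in rotation whose AD connection is dead. PEAP/TTLS health checks would additionally need EAP and Message-Authenticator handling; a PAP check of a dedicated user that exercises the same back end is the usual compromise.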