failover and load balancing

Borislav Dimitrov b.dimitrov at ngsystems.net
Fri Apr 17 22:30:51 CEST 2009


Hi,

Kalik's advice is very good - just to add some words:
Certainly such a failover is achieved on the client side. NASes have
options to do that. On Cisco VoIP routers, e.g., you can do it with the
RADIUS groups. You can have broadcast groups to achieve redundancy -
send the requests to multiple RADIUS servers and normal failover
groups. There are examples in the FreeRADIUS docs but check the NAS's
manuals too. You can usually also configure parameters like timeouts,
retransmits etc.

On 17.04.2009, at 22:44, "Ivan Kalik" <tnt at kalik.net> wrote:

>> Anyway, I've been wondering how many servers are required to have a proper
>> (i.e. no single point of failure) on the freeradius side of things.
>
> Two. One active and other as "hot" standby.
>
>> I know that I can have one freeradius server proxying requests to any
>> number of authorization and/or accounting servers - great.
>
> But you want to avoid single point of failure - so that is out.
>
>> But, what if I don't want to proxy and only want two freeradius servers
>> that do auth, and two separate servers for accounting?
>
> No need for extra accounting servers. Each server can do both authentication
> and handle accounting failover.
>
>> I can conceptualize a cluster or even simple fail over using heartbeat for
>> the database bit.
>
> No need.
>
>> What I don't understand is how the failover and load balancing is done on
>> the freeradius level (i.e. for auth) and still enter a single IP for
>> freeradius on the NAS.
>
> It's not done that way. Your NAS should have primary and backup radius
> servers defined. Almost any NAS should be able to handle that. It will send
> requests to primary server until it stops responding; then it will switch to
> secondary. This is all handled on NAS side - no freeradius involvement (it
> is hard for a dead server to get involved). You can use single IP on the NAS
> and configure a cluster/heartbeat/etc. but it is a bit over the top.
>
>> Am I supposed to configure a virtual server on the first freeradius server,
>> copy the config to the second machine,
>
> Yes. Two identical configurations using buffered-sql or
> robust-proxy-accounting to send accounting to the database (or its backups)
> on top of default stuff. Even if you use load balancing (EAP can't work that
> way - all EAP exchanges need to go to the same server) you don't need to
> proxy accounting from one server to the other - both will read/write to the
> same database(s).
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
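
The NAS-side behaviour described in this thread (requests go to the primary until it stops responding, then to the backup, with configurable retransmits, plus broadcast groups), as an added example that is not part of either post and is not NAS or FreeRADIUS code. The class, the `transport` callback, the dead-time handling and the 192.0.2.x addresses are assumptions made for the illustration.

```python
import time

class NasRadiusClient:
    """Model of NAS-side server selection (illustrative, hypothetical names)."""

    def __init__(self, servers, transport, retransmits=2, deadtime=60.0,
                 clock=time.monotonic):
        self.servers = list(servers)    # configured order: primary first
        self.transport = transport      # transport(server, packet) -> reply, or None on timeout
        self.retransmits = retransmits  # extra tries per server after the first
        self.deadtime = deadtime        # seconds an unresponsive server is skipped
        self.clock = clock
        self.dead_until = {s: 0.0 for s in self.servers}

    def _candidates(self):
        now = self.clock()
        live = [s for s in self.servers if self.dead_until[s] <= now]
        return live or self.servers     # everything marked dead: try all again

    def failover(self, packet):
        """Failover group: primary until it stops responding, then the next server."""
        for server in self._candidates():
            for _ in range(1 + self.retransmits):
                reply = self.transport(server, packet)
                if reply is not None:
                    return server, reply
            self.dead_until[server] = self.clock() + self.deadtime
        raise TimeoutError("no RADIUS server answered")

    def broadcast(self, packet):
        """Broadcast group: send to every server, report which ones answered."""
        return [s for s in self.servers if self.transport(s, packet) is not None]


def demo():
    # Constructed scenario: 192.0.2.1 (primary) is down, 192.0.2.2 (backup) is up.
    sent, now = [], [0.0]
    def transport(server, packet):
        sent.append(server)
        return b"Access-Accept" if server == "192.0.2.2" else None
    nas = NasRadiusClient(["192.0.2.1", "192.0.2.2"], transport,
                          clock=lambda: now[0])
    first = nas.failover(b"req-1")   # three timed-out tries on primary, then backup
    second = nas.failover(b"req-2")  # primary still marked dead: backup only
    now[0] = 61.0                    # dead time expired: primary is probed again
    third = nas.failover(b"req-3")
    return first[0], second[0], third[0], sent
```

The `sent` list returned by `demo()` shows the cost of a dead primary: every request pays the full retransmit cycle until the server is marked dead, and again each time the dead time expires.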


