load balancing radius with F5 devices
Vincent, Fabien
fabien.vincent at coreye.fr
Wed Oct 9 12:12:36 CEST 2013
Hi,
Just to give some info in case it helps (this mailing list has helped me a lot!)
I have F5 BigIP devices in 2 DCs. Each has a VirtualServer with a shared IP (not activated in the VLANs used to communicate between the 2 DCs, to avoid IP conflicts; a much simpler config for the NAS - only one IP address for the server).
Everything works fine with the following config:
The Virtual Server ( IP is A.B.C.D has it's public for external DC .......)
ltm virtual /Common/VS-RADIUS-AUTH {
    destination /Common/A.B.C.D:1812
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/POOL-RADIUS-AUTH
    profiles {
        /Common/radiusLB { }
        /Common/udp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        [...]
    }
    vlans-enabled
}
The pool used :
ltm pool /Common/POOL-RADIUS-AUTH {
    members {
        /Common/10.10.6.7:1812 {
            address 10.10.6.7
        }
        /Common/10.20.6.3:1812 {
            address 10.20.6.3
        }
    }
    monitor /Common/Radius-Auth
}
The monitor :
ltm monitor radius /Common/Radius-Auth {
    debug no
    defaults-from /Common/radius
    destination *:*
    interval 30
    nas-ip-address 10.16.81.11
    password Monitor
    secret **************
    time-until-up 0
    timeout 31
    username radius at domain
}
Profile radiusLB is the following :
ltm profile radius radiusLB {
    clients none
    persist-avp none
}
And one other not used but available in default config.
ltm profile radius radiusLB-subscriber-aware {
    defaults-from radiusLB
    subscriber-aware enabled
}
If I look at pool statistics, each server has an equivalent volume of requests (48.1k against 48.2k).
You could play with Priority Group depending on location or failover architecture of RADIUS if you want...
Fabien VINCENT
Network & Security Engineer / ASSR Products
Level 3 - Infrastructure & Products
fabien.vincent at coreye.fr
From: freeradius-users-bounces+fabien.vincent=coreye.fr at lists.freeradius.org [mailto:freeradius-users-bounces+fabien.vincent=coreye.fr at lists.freeradius.org] On behalf of Michael Schwartzkopff
Sent: Wednesday, 9 October 2013 11:17
To: FreeRadius users mailing list
Subject: Re: load balancing radius with F5 devices
On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:
> Hi,
>
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're
> doing it here, but I can't help thinking that the actual load balancing
> algorithm needs some tweaking.
>
> As far as I'm aware (systems section support the F5 boxes)
>
> 1). We're using round robin to spread the load over 2 back end radius
> servers. 2). There is some "general" sticky persistence so that once a RAS
> device starts talking to a particular back end server it continues to talk
> to that server for a predetermined length of time ( might be an hour, not
> sure). This ensures that an eap dialogue will always talk to the same back
> end server for the duration of the "stuck" time. Not sure what happens when
> you get to the end of the time interval though.
>
> According to the F5 statistics, overall radius traffic seems to be shared
> evenly over the 2 back end servers. However, our most heavily loaded RAS
> client is our wireless network. While we have 900 switches doing mac and
> 802.1x based auth, we can have 6000+ users on our wireless network all
> authenticating to RADIUS via 3 RAS clients. Looking at the back end server
> log files, it does look as if, in general, all wireless RADIUS auths head
> for the same back end server.
>
> I was wondering if there's a way of having a bit more granularity in terms
> of how the f5 load balances incoming RADIUS requests.
You would need to use application layer load balancing on the BigIPs. But I don't think that you can configure this on the BigIPs. The RADIUS protocol is stateless, so there are no criteria in the application that a load balancer could use to balance inside the application.
Greetings,
--
Kind regards,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, District Court of München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
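
Added example (not part of the original posts): a small Python model of the behaviour discussed in this thread, comparing persistence keyed on the RAS/NAS source address, which pins a busy wireless NAS to one pool member, with persistence keyed on a per-station RADIUS attribute, which spreads load while keeping each station's exchange on one server. The NAS addresses, station MACs, the choice of Calling-Station-Id as the key and the hash standing in for the F5 persistence table are assumptions for illustration; only the two pool member addresses come from the post.

```python
import hashlib
import struct
from collections import Counter

BACKENDS = ["10.10.6.7", "10.20.6.3"]  # pool members from the post
CALLING_STATION_ID = 31                # RADIUS attribute type, RFC 2865

def build_access_request(ident, mac):
    """Constructed sample: Access-Request with one Calling-Station-Id AVP."""
    value = mac.encode()
    avp = struct.pack("!BB", CALLING_STATION_ID, len(value) + 2) + value
    header = struct.pack("!BBH", 1, ident, 20 + len(avp))
    return header + bytes(16) + avp    # zeroed authenticator, sample only

def parse_avps(packet):
    """Return {type: value}; reject inconsistent packet or AVP lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return avps

def pick_backend(nas_ip, packet, by_avp):
    """Hash the persistence key to a member (assumed stand-in for a persistence table)."""
    key = parse_avps(packet)[CALLING_STATION_ID] if by_avp else nas_ip.encode()
    digest = hashlib.sha256(key).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]

def sample_requests(users=6000, packets_per_user=3):
    """Constructed traffic: 3 NAS clients relaying auth for `users` stations."""
    nas = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    return [(nas[u % 3], build_access_request(i, "02-00-00-00-%02X-%02X" % (u >> 8, u & 255)))
            for u in range(users) for i in range(packets_per_user)]

def distribution(requests, by_avp):
    """Count requests per pool member for the chosen persistence key."""
    return Counter(pick_backend(ip, pkt, by_avp) for ip, pkt in requests)

if __name__ == "__main__":
    reqs = sample_requests()
    print("keyed on NAS source IP:     ", dict(distribution(reqs, False)))
    print("keyed on Calling-Station-Id:", dict(distribution(reqs, True)))
```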