Loadbalancing and failover using different servers

Juan Perez juan_perez at hotmail.ch
Fri Jan 14 14:54:29 CET 2011

> Juan Perez wrote:
> > I want to implement a RADIUS load-balancing and failover scenario using
> > FreeRadius and Cisco ACS. The idea I have in mind is to have these two
> > servers answering to RADIUS requests in a round-robin fashion and should
> > one of them for some reason go down, the other one would take care of
> > answering to the RADIUS requests.
> You will need a load balancer in front of the two servers.
> > Have any of you implemented such an scenario, using FreeRadius together
> > with another RADIUS server from a different vendor? If so, what are the
> > main problems you found doing this (incompatibility, high-maintenance
> > costs, effort, etc)?
> > 
> > I'd be very glad to hear from you as to why such an scenario
> > make/doesn't make sense.
> I don't see why you would put two different servers into one
> load-balance pool. And even worse, pairing a horrible server with a
> great one!
> Alan DeKok.

Hi Alan,
Ok, it is actually two scenarios, one with the load-balancer, and another one with the failover, but I'm more interested in the failover part.  
You don't have to convince me of FreeRadius being the best RADIUS server around, that I know already but the idea behind pairing FreeRadius with a horrible server is as follows. 
Let's suppose that I have two servers running the latest and shiniest version of FreeRadius and for some reason there is a bug in FreeRadius that causes the server to crash when a specially crafted RADIUS packet is received. Let's suppose that there is also an attacker (a disglunted employee maybe?), who knows about this bug and decides to attack my FreeRadius servers, so he starts sending these specially crafted packets to each server and since the two servers have the same bug, both of them would die upon receiving these packets. 
If I have two servers from different vendors, I could thus hopefully guarantee that at least the horrible server would continue working while an attack targeted at FreeRadius is going on. The horrible server doesn't need to be necessarily a Cisco ACS, any other horrible server would do it (Microsoft IAS, Steel-Belted, etc).
So, does it make sense now or is the idea too stupid to be even considered?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110114/f3e72055/attachment.html>

More information about the Freeradius-Users mailing list