load balancing radius with F5 devices

Alex Sharaz alex.sharaz at york.ac.uk
Wed Oct 9 10:41:19 CEST 2013


Hi,

Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm needs some tweaking.

As far as I'm aware (systems section support the F5 boxes)

1). We're using round robin to spread the load over 2 back end RADIUS servers.
2). There is some "general" sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time (might be an hour, not sure). This ensures that an EAP dialogue will always talk to the same back end server for the duration of the "stuck" time. Not sure what happens when you get to the end of the time interval though.

According to the F5 statistics, overall RADIUS traffic seems to be shared evenly over the 2 back end servers. However, our most heavily loaded RAS client is our wireless network. While we have 900 switches doing MAC and 802.1x based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server.

I was wondering if there's a way of having a bit more granularity in terms of how the F5 load balances incoming RADIUS requests.

Rgds
Alex
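
Added example, not part of the original post and not F5 configuration: a small Python model of the setup described above (round robin for new persistence entries, stickiness afterwards), comparing persistence keyed on the RAS client with persistence keyed on a per-station value. Assumptions: the back end names, the arrival order, one request per device, no persistence timeout, and that a per-station key such as the RADIUS Calling-Station-Id attribute is available to the balancer.

```python
from collections import Counter

BACKENDS = ["radius-a", "radius-b"]  # hypothetical names for the 2 back end servers

def build_requests():
    """Constructed workload: (RAS client, station) pairs sized from the post."""
    wired = [(f"switch-{i}", f"wired-{i}") for i in range(900)]
    wifi = [(f"wlc-{u % 3}", f"wifi-{u}") for u in range(6000)]
    # Constructed arrival order: each wireless RAS client's first packet
    # arrives just before a switch's, then everything else follows.
    head = []
    for i in range(3):
        head += [wifi[i], wired[i]]
    return head + wired[3:] + wifi[3:]

def balance(requests, key_index):
    """Round robin for new persistence keys; known keys stay on their server."""
    table = {}         # persistence key -> back end server
    total = Counter()  # requests per back end
    wifi = Counter()   # wireless requests per back end
    for req in requests:
        key = req[key_index]
        if key not in table:
            table[key] = BACKENDS[len(table) % len(BACKENDS)]
        server = table[key]
        total[server] += 1
        if req[0].startswith("wlc-"):
            wifi[server] += 1
    return total, wifi, table

def compare():
    """Key 0 = RAS client (source), key 1 = station (assumed per-user key)."""
    reqs = build_requests()
    return {"per RAS client": balance(reqs, 0), "per station": balance(reqs, 1)}

if __name__ == "__main__":
    for name, (total, wifi, table) in compare().items():
        entries = dict(Counter(table.values()))
        print(f"{name}: entries={entries} total={dict(total)} wifi={dict(wifi)}")
```

In this model, keying on the RAS client spreads the persistence entries almost evenly while every wireless request lands on one server; keying on the station splits the wireless load and still keeps each station, and so each EAP dialogue, on a single back end.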


