load balancing radius with F5 devices

Michael Schwartzkopff ms at sys4.de
Wed Oct 9 11:17:22 CEST 2013 

Am Mittwoch, 9. Oktober 2013, 09:41:19 schrieb Alex Sharaz:
> Hi,
> 
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're
> doing it here, but I can't help thinking that the actual load balancing
> algorithm need some tweaking.
> 
> As far as I'm aware ( systems section support the F5 boxes)
> 
> 1). We're using round robin to spread the load over 2 back end radius
> servers. 2). There is some "general" sticky persistence so that once a RAS
> device starts talking to a particular back end server it continues to talk
> to that server for a predetermined length of time ( might be an hour, not
> sure). This ensures that an eap dialogue will always talk to the same back
> end server for the duration of the "stuck" time. Not sure what happens when
> you get to the end of the time interval though.
> 
> According to the F5 statistics, overall radius traffic seems to be shared
> evenly over the 2 back end servers.  However, our most heavily loaded RAS
> client is our wireless network. While we have 900 switches doing mac and
> 802.1x based auth, we can have 6000+ users on our wireless network all
> authenticating to RADIUS via 3 RAS clients. Looking at the back end server
> log files, it does look as if, in general,  all wireless RADIUS auths head
> for the same back end server.
> 
> I was wondering if there's a way off having a bit more granularity in terms
> of how the f5 load balances incoming RADIUS requests.


You would need to use application layer load balancing on the BigIPs. But I 
don't think that you can configure this on the BigIPs. The RADIUS protocol is 
stateless, so there is no criteria in the application that a load balancer 
could use to balance inside the application.

Greetings,

-- 
Mit freundlichen Grüßen,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20131009/cad029df/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20131009/cad029df/attachment.pgp>

More information about the Freeradius-Users mailing list