load balancing radius with F5 devices

Olivier Beytrison olivier at heliosnet.org
Wed Oct 9 11:25:02 CEST 2013


On 09.10.2013 10:41, Alex Sharaz wrote:
> Hi,
> 
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm need some tweaking. 

I have f5 loadbalancers but atm I don't use them for our RADIUS trafic

> As far as I'm aware ( systems section support the F5 boxes)
> 
> 1). We're using round robin to spread the load over 2 back end radius servers.
> 2). There is some "general" sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time ( might be an hour, not sure). This ensures that an eap dialogue will always talk to the same back end server for the duration of the "stuck" time. Not sure what happens when you get to the end of the time interval though.

Point 2 should be setup carefully. I recommend using the iApp to deploy
your radius through the f5 [1] (they use Freeradius as an example)

> I was wondering if there's a way off having a bit more granularity in terms of how the f5 load balances incoming RADIUS requests.

You can play with an iRule to statically assign one of your two pool
member to your RAS servers. you can even decode the radius packet and
base your load-balancing decision based on radius attributes [2]

As you said, the most important thing is to ensure that a Client/NAS
always talk to the same pool member, otherwise EAP won't work.

Olivier

[1] http://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf
[2]
https://devcentral.f5.com/articles/radius-aware-load-balancing-via-irules#.UlUfIobjx1Y
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at heliosnet.org


More information about the Freeradius-Users mailing list