RADIUS, anycast, and high availability
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jun 26 14:53:33 CEST 2014
On 26/06/14 13:18, Jason Healy wrote:
> annoyed if (say) multiple packets in an EAP conversation don’t go to
> the same server.
Yes, that's absolutely a problem. All packets in an EAP conversation
must go to the same server, and ideally all future EAP sessions too, to allow
you to take advantage of session resumption.
However, see below.
> Basically: has anyone else tried it? Or is this a Bad Idea and I
> just stick to regular multi-server with failover on the NAS?
A lot depends on how stable the routing is, and how many next-hops are
present, as well as how your routers hash between multiple next-hops
e.g. ip or ip + port.
Basically - if you're going to do this, ensure traffic to the anycast IP
only reaches one server from every point during stable operation. During
a routing change - which is presumably a failure event - packets will
flow differently, but that doesn't matter because it's a failover event
anyway.
Having said all that - I personally would not use anycast for radius.
Specify multiple servers on your NAS, and use some sort of sticky load
balancing or active/standby failover of those IPs.
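As an added illustration of the two points above (not code from the thread): a toy model of an ECMP router with two equal-cost next-hops to the anycast address. A hash over IPs only keeps a NAS pinned to one server; a hash that also covers UDP ports splits a single EAP conversation across servers as soon as the NAS rotates its source port. The server names, addresses and the XOR-fold hash are constructed assumptions; `nas_failover_pick` models the NAS-side active/standby alternative the post recommends.

```python
import ipaddress

# Constructed scenario: two RADIUS servers announce one anycast address and a
# router in the path has both as equal-cost next-hops. Names are assumed.
SERVERS = ["radius-a", "radius-b"]
ANYCAST_IP, RADIUS_PORT = "198.51.100.1", 1812
NAS_IP = "192.0.2.10"


def ecmp_index(src_ip, dst_ip, sport, dport, n_hops, include_ports):
    """Simplified XOR-fold model of an ECMP hash: L3 only, or L3 + UDP ports."""
    h = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    if include_ports:
        h ^= (sport ^ dport) & 0xFFFF
    return h % n_hops


def servers_reached(packets, include_ports):
    """Set of servers the packets of one EAP conversation would land on."""
    return {
        SERVERS[ecmp_index(p["src"], p["dst"], p["sport"], p["dport"],
                           len(SERVERS), include_ports)]
        for p in packets
    }


# Constructed 4-packet EAP exchange; this NAS rotates its UDP source port
# for every Access-Request, which is what exposes it to a port-aware hash.
EAP_PACKETS = [
    {"src": NAS_IP, "dst": ANYCAST_IP, "sport": sp, "dport": RADIUS_PORT}
    for sp in (40000, 40001, 40002, 40003)
]


def nas_failover_pick(configured, alive):
    """Active/standby on the NAS: use the first configured server that is
    alive, so every packet of a conversation goes to the same server and the
    only time the target changes is an actual failover."""
    for server in configured:
        if server in alive:
            return server
    return None


if __name__ == "__main__":
    print("L3 hash:     ", servers_reached(EAP_PACKETS, include_ports=False))
    print("L3+L4 hash:  ", servers_reached(EAP_PACKETS, include_ports=True))
    print("NAS failover:", nas_failover_pick(SERVERS, alive={"radius-b"}))
```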