FreeRadius high availability lab

Nathan Ward lists+freeradius at daork.net
Tue Nov 7 12:49:34 CET 2017


> On 8/11/2017, at 12:34 AM, Alan Buxey <alan.buxey at gmail.com> wrote:
> 
> what is your NGINX load balancer balancing, the RADIUS requests? if
> so, does it understand RADIUS?
> your SQL entry is a single box...just one single DB or is that an HA
> pair or more?  for high availability, you might be better off with
> e.g. Redis/Mongo style DB running on the RADIUS boxes themselves (all
> data sharded etc).  what sort of load
> are you talking about - why the 4 boxes etc - many questions before a
> random drawing showing a basic load balanced front end

Looks like a common, basic load balancer design done by someone who hasn’t been burned trying to do this sort of thing. Idealistic sort of thing from a lecturer maybe.

First thing I’d say is don’t have both load balancers sending traffic to all the RADIUS servers. You don’t gain much resiliency there except in the load balancer - if the pool of RADIUS servers dies for some reason (it will, at some point) you lose your service. Split the backends into two pools, if you don’t have enough in each pool, get more - don’t merge the pools.

NGINX seems like a very odd choice for a load balancer, but, if you’re comfortable with it then maybe it’s ok..

Other than that, there are so, so many questions that need to be asked before you start drawing this sort of picture. In addition to the above:
- What is RADIUS doing? Auth? Accounting? Both?
- Can you accept lag in accounting getting to the DB? How much?
- Can you accept lag in password/user changes? How much?
- Can you accept accounting black spots? How long/often?
- What conditions cause your NAS to use the secondary server?
- Are you doing anything that requires shared state (i.e. IP address assignment, multiple login prevention, etc.)? How important is integrity here if you have to trade it for availability?

These are just some that I came up with off the top of my head.. there are many, many more that would come from the answers to these questions.. Don’t try and design your solution to cater for failure modes that don’t cause problems in your specific environment by adding needless complexity, as adding complexity will cause failures of its own.

--
Nathan Ward




More information about the Freeradius-Users mailing list