[RADIATOR] Load balancing EAP (radiator Digest, Vol 61, Issue 15)

David Zych dmrz at illinois.edu
Fri Jun 20 14:00:52 CDT 2014

On 06/19/2014 11:26 PM, Barry Ard wrote:
> I have been asked to investigate the possibility of using our F5 load
> balancers in our wireless infrastructure. We currently have 2 large servers
> and load balance using the EAPBalance handler. We currently allow the PEAP
> and TTLS EAP types.

I'm currently running Radiator behind a load balancer (not F5) and it's
working well.  The key issues for me were:

* make sure vip port consistently maps each client IP to the same real
server, to avoid breaking EAP conversations.
[there might be other ways to do this with better granularity,
especially if your load balancer comprehends EAP, but I took the path of
maximum safety.  We have enough distinct wireless controllers that
mapping each entire controller to one RADIUS server at a time is fine.]

* Important exception: make sure this mapping is automatically adjusted
whenever a real server port goes down _or_ comes back up!
[I spent a while testing different ways to configure the load balancer
behavior until I found one that behaved well in this regard.  Not F5 so
I can't help with details, just make sure you do plenty of testing.]

* use actual RADIUS requests for the health check, and make sure you
configure Radiator to answer them in such a way that any failure mode
which would prevent real wireless auths from working will also cause the
health check to fail.
[e.g. if you depend on a back-end connection to Active Directory, as I
do, make sure your health check exercises that.]

> Our goals are:
> 1.  With multiple servers behind the load balancers we will be able to
> remove one from use for maintenance without impacting service.


> 2. We also hope that we may be able to have a single SSL cert so that when
> the next HeartBleed like event happens updating certs on 2 servers won't
> have our user base freaking out.

Yes, but this shouldn't require load balancing; you can always install
the same SSL cert and key on as many Radiator boxes as you want.  A
wireless supplicant only cares about the name (Subject CN) on the
certificate; it never even knows the DNS hostname or IP address of the
RADIUS server, so (unlike with a webserver) it doesn't matter if the DNS
hostname matches the cert or not.


More information about the radiator mailing list