[RADIATOR] Load balancing EAP (radiator Digest, Vol 61, Issue 15)
dmrz at illinois.edu
Fri Jun 20 14:00:52 CDT 2014
On 06/19/2014 11:26 PM, Barry Ard wrote:
> I have been asked to investigate the possibility of using our F5 load
> balancers in our wireless infrastructure. We currently have 2 large servers
> and load balance using the EAPBalance handler. We currently allow the PEAP
> and TTLS EAP types.
I'm currently running Radiator behind a load balancer (not F5) and it's
working well. The key issues for me were:
* make sure the VIP port consistently maps each client IP to the same real
server, to avoid breaking EAP conversations.
[there might be other ways to do this with better granularity,
especially if your load balancer comprehends EAP, but I took the path of
maximum safety. We have enough distinct wireless controllers that
mapping each entire controller to one RADIUS server at a time is fine.]
* Important exception: make sure this mapping is automatically adjusted
whenever a real server port goes down _or_ comes back up!
[I spent a while testing different ways to configure the load balancer
behavior until I found one that behaved well in this regard. Not F5 so
I can't help with details, just make sure you do plenty of testing.]
* use actual RADIUS requests for the health check, and make sure you
configure Radiator to answer them in such a way that any failure mode
which would prevent real wireless auths from working will also cause the
health check to fail.
[e.g. if you depend on a back-end connection to Active Directory, as I
do, make sure your health check exercises that.]
> Our goals are:
> 1. With multiple servers behind the load balancers we will be able to
> remove one from use for maintenance without impacting service.
> 2. We also hope that we may be able to have a single SSL cert so that when
> the next HeartBleed like event happens updating certs on 2 servers won't
> have our user base freaking out.
Yes, but this shouldn't require load balancing; you can always install
the same SSL cert and key on as many Radiator boxes as you want. A
wireless supplicant only cares about the name (Subject CN) on the
certificate; it never even knows the DNS hostname or IP address of the
RADIUS server, so (unlike with a webserver) it doesn't matter if the DNS
hostname matches the cert or not.
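As an added example (not from this thread, and not Radiator's or any load balancer's own code), the Python below does the two things the reply asks of the load balancer: a health probe that sends a real PAP Access-Request for a hypothetical probe account and treats the server as healthy only on an Access-Accept whose Response Authenticator (and Message-Authenticator, if present) verifies under the shared secret, and a sticky client-to-server mapping (rendezvous hashing) that keeps each client IP on one real server and re-maps it only when that server leaves or rejoins the pool. The shared secret, server names, probe credentials and the in-memory stand-in server are all constructed for the example.

```python
"""RADIUS health probe with authenticator checks, plus a sticky client->server map."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Callable, List, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def _avp(kind: int, value: bytes) -> bytes:
    return bytes([kind, 2 + len(value)]) + value


def _pack(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], block))
        out += prev
    return out


def build_probe(secret: bytes, ident: int, req_auth: bytes, user: bytes, password: bytes) -> bytes:
    """PAP Access-Request for the (hypothetical) probe account, with a Message-Authenticator
    (RFC 3579): HMAC-MD5 over the packet with the attribute value zeroed."""
    attrs = _avp(USER_NAME, user) + _avp(USER_PASSWORD, hide_password(secret, req_auth, password))
    pkt = _pack(ACCESS_REQUEST, ident, req_auth, attrs + _avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return _pack(ACCESS_REQUEST, ident, req_auth, attrs + _avp(MESSAGE_AUTHENTICATOR, mac))


def probe_healthy(secret: bytes, request: bytes, response: Optional[bytes]) -> bool:
    """True only for an Access-Accept matching the request's ID whose Response Authenticator
    (MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s3) verifies.
    A timeout (None), an Access-Reject or a forged reply all count as unhealthy, so a server
    whose back end (e.g. Active Directory) is broken is pulled even though it still answers."""
    if response is None or len(response) < 20 or len(response) > 4096:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or code != ACCESS_ACCEPT or ident != request[1]:
        return False
    req_auth = request[4:20]
    # If the server included a Message-Authenticator, check it too (RFC 3579 s3.2: HMAC-MD5
    # over the reply with the Request Authenticator in the authenticator field, value zeroed).
    pos = 20
    while pos + 2 <= len(response):
        kind, alen = response[pos], response[pos + 1]
        if alen < 2 or pos + alen > len(response):
            return False
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = response[:4] + req_auth + response[20:pos + 2] + b"\x00" * 16 + response[pos + alen:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, response[pos + 2:pos + alen]):
                return False
        pos += alen
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def udp_probe(secret: bytes, host: str, port: int, user: bytes, password: bytes, timeout: float = 2.0) -> bool:
    """Live probe: one Access-Request over UDP with a fresh random ID and Request Authenticator."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    request = build_probe(secret, ident, req_auth, user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            response: Optional[bytes] = s.recv(4096)
        except socket.timeout:
            response = None
    return probe_healthy(secret, request, response)


def simulated_server(secret: bytes, accept: bool) -> Callable[[bytes], bytes]:
    """Constructed stand-in for a real RADIUS server (not Radiator) so the probe runs offline."""
    def answer(request: bytes) -> bytes:
        code = ACCESS_ACCEPT if accept else ACCESS_REJECT
        ident, req_auth = request[1], request[4:20]
        mac = hmac.new(secret, _pack(code, ident, req_auth, _avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)),
                       hashlib.md5).digest()
        attrs = _avp(MESSAGE_AUTHENTICATOR, mac)
        head = struct.pack("!BBH", code, ident, 20 + len(attrs))
        return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs
    return answer


def pick_server(client_ip: str, healthy: List[str]) -> Optional[str]:
    """Rendezvous (highest-random-weight) hashing: a client IP always lands on the same real
    server while it is healthy; when that server fails only its clients move, and when it
    returns they move back, so EAP conversations on the other servers are not disturbed."""
    if not healthy:
        return None
    return max(healthy, key=lambda s: hashlib.sha256(f"{client_ip}|{s}".encode()).digest())
```

For the probe account, use a real directory account with no other privileges so that the check actually traverses the same AD path as wireless authentications; a probe that only hits a local file user would keep a server in the pool after its AD connection has failed. The `healthy` list fed to `pick_server` should be recomputed from the probe results on every change, which is what makes the mapping follow servers going down and coming back.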