02-23-2009 06:20 AM - edited 03-10-2019 04:20 PM
Hi,
We want to rebuild our design. In the future we want to have 4 ACS servers behind a pair of load balancers. Does anybody know whether the ACS server works with a load balancer?
Thanks for your answers.
Torsten Waibel
02-23-2009 09:23 AM
Yes it does! We will be deploying 4 ACS servers behind an ACE shortly.
Hope that helps.
02-23-2009 11:47 PM
Hi,
Thanks for your answer. Normally we work with F5 load balancers, so it should also work with them.
Bye
Torsten
02-25-2009 02:06 AM
What might not be immediately obvious is that some protocols will load balance better than others.
Most LBs use a "sticky" timer to ensure that multi-message authentication exchanges (like EAP) will get routed to the same ACS server.
That's OK, but sticky timers are normally measured in seconds.
ACS may keep 802.1x/SSL session state for hours, with supplicants performing periodic re-keying over the session lifetime.
A worst-case example: a wireless LAN secured using a one-time password like RSA. If a periodic rekey goes to the wrong ACS (one that doesn't hold the session state), it will trigger a new full authentication and result in the user having to dig out their RSA token again.
Just something to bear in mind: the sticky timer needs to be as long as the re-key/re-authenticate time.
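The sticky-timer point in the post above, as an added example that is not part of the original thread: a small simulation counting how many periodic rekeys reach a server that does not hold the session state. The model is an assumption (persistence keyed by source, an idle-style sticky timer, round robin for sources with no live entry), and all timer values are constructed.

```python
import itertools

def forced_full_auths(sticky_timeout, rekey_interval, session_lifetime,
                      servers=4, sources=5):
    """Count rekeys that land on a server without the session state.

    Assumed model (not from the thread): persistence is keyed by source,
    the sticky timer is an idle timer refreshed by every request, and a
    source with no live persistence entry is placed round robin.
    """
    rr = itertools.cycle(range(servers))
    persist = {}   # source -> (server, time of last request)
    holder = {}    # source -> server that holds its session state
    forced = 0
    for t in range(0, session_lifetime + 1, rekey_interval):
        for src in range(sources):
            entry = persist.get(src)
            if entry is not None and t - entry[1] <= sticky_timeout:
                server = entry[0]          # sticky entry still live
            else:
                server = next(rr)          # entry aged out: pick again
            persist[src] = (server, t)
            if src in holder and holder[src] != server:
                forced += 1                # wrong server: full re-auth
            holder[src] = server
    return forced

if __name__ == "__main__":
    # Constructed values: 8 h session, rekey every 30 min.
    for timeout in (180, 1800):
        n = forced_full_auths(timeout, 1800, 8 * 3600)
        print(f"sticky timeout {timeout:>4}s -> {n} forced full authentications")
```
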
02-25-2009 02:16 AM
Thanks darpotter.
We use the ACS servers only for TACACS and RADIUS Authentication, Authorization and Accounting. So we need to know whether an F5 load balancer will work together with 4 ACS servers. Will the load balancer distribute the requests from one router round robin to all ACS servers, or will only one ACS server be responsible for the requests from a router?
02-26-2009 06:14 AM
Good point, we sticky by source IP.