ACS and Load Balancer

Feb 23rd, 2009


We want to rebuild our design. In the future we want to have 4 ACS servers behind a pair of load balancers. Does anybody know whether the ACS server works with a load balancer?

Thanks for your answers.

Torsten Waibel

Collin Clark Mon, 02/23/2009 - 09:23

Yes it does! We will be deploying 4 ACS servers behind an ACE shortly.

Hope that helps.

t.waibel Mon, 02/23/2009 - 23:47


Thanks for your answer. Normally we are working with F5 load balancers, so it should also work with them.



darpotter Wed, 02/25/2009 - 02:06

What might not be immediately obvious is that some protocols will load balance better than others.

Most LBs use a "sticky" timer to ensure that multi-message authentication exchanges (like EAP) will get routed to the same ACS server.

That's OK, but sticky timers are normally measured in seconds.

ACS may keep 802.1x/SSL session state for hours with supplicants performing periodic re-keying over the session lifetime.

A worst-case example: a wireless LAN secured using a one-time password like RSA. If a periodic rekey goes to the wrong ACS (that doesn't hold the session state) it will trigger a new full authentication and result in the user having to dig out their RSA token again.

Just something to bear in mind: the sticky timer needs to be as long as the re-key/re-authenticate time.
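The sticky-timer point above, as an added example that is not part of any post in this thread: a small simulation counting how many periodic re-keys reach an ACS server that does not hold the session state. It assumes an idle-timeout persistence entry per client, round-robin selection when no live entry exists, and session state held on exactly one server; the client and server names are constructed.

```python
from itertools import count

def simulate(sticky_timeout_s, rekey_interval_s, rekeys=4,
             clients=("sup-a", "sup-b", "sup-c"),
             servers=("acs1", "acs2", "acs3", "acs4")):
    """Return how many re-keys hit a server that lacks the session state."""
    rr = count()          # round-robin counter used for new persistence entries
    sticky = {}           # client -> (server, time the balancer last saw it)
    session_holder = {}   # client -> server currently holding its session state
    forced_reauths = 0

    def route(client, now):
        entry = sticky.get(client)
        if entry and now - entry[1] <= sticky_timeout_s:
            server = entry[0]                          # entry still live: stay put
        else:
            server = servers[next(rr) % len(servers)]  # expired: balance afresh
        sticky[client] = (server, now)                 # traffic refreshes the timer
        return server

    # Initial full authentication for every client at t=0.
    for client in clients:
        session_holder[client] = route(client, 0)

    # Periodic re-keys over the session lifetime.
    for n in range(1, rekeys + 1):
        now = n * rekey_interval_s
        for client in clients:
            server = route(client, now)
            if session_holder[client] != server:
                forced_reauths += 1                    # full auth, new OTP needed
                session_holder[client] = server
    return forced_reauths

if __name__ == "__main__":
    for timeout in (30, 1799, 1800, 3600):
        print(f"sticky={timeout:>4}s rekey=1800s -> "
              f"{simulate(timeout, 1800)} forced re-authentications")
```
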

t.waibel Wed, 02/25/2009 - 02:16

Thanks darpotter.

We use the ACS server only for TACACS and RADIUS Authentication, Authorization and Accounting. So we need to know whether an F5 load balancer will work together with 4 ACS servers. Will the load balancer distribute the requests from one router round robin to all ACS servers, or will only one ACS server be responsible for the requests from a router?

