ACS and Load Balancer

t.waibel
Level 1

Hi,

We want to rebuild our design. In the future we want to have 4 ACS servers behind a pair of load balancers. Does anybody know whether the ACS server works with a load balancer?

Thanks for your answers.

Torsten Waibel

5 Replies

Collin Clark
VIP Alumni

Yes it does! We will be deploying 4 ACS servers behind an ACE shortly.

Hope that helps.

Hi,

Thanks for your answer. Normally we are working with F5 load balancers, so it should also work with them.

bye

Torsten

darpotter
Level 5

What might not be immediately obvious is that some protocols will load balance better than others.

Most LBs use a "sticky" timer to ensure that multi-message authentication exchanges (like EAP) will get routed to the same ACS server.

That's OK, but sticky timers are normally measured in seconds.

ACS may keep 802.1x/SSL session state for hours with supplicants performing periodic re-keying over the session lifetime.

A worst-case example: a wireless LAN secured using a one-time password like RSA. If a periodic rekey goes to the wrong ACS (that doesn't hold the session state) it will trigger a new full authentication and result in the user having to dig out their RSA token again.

Just something to bear in mind... the sticky timer needs to be as long as the re-key/re-authenticate time.
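The sticky-timer point in the post above, modelled as an added example that is not part of the original thread or any poster's code. It assumes a load balancer that keeps a source-based persistence entry with an idle timeout and picks a server round robin when no entry exists; the function name, parameters and sample values are constructed for illustration.

```python
from itertools import cycle


def count_full_reauths(clients, servers, sticky_timeout, rekey_interval, duration):
    """Count re-keys that land on an ACS without the session state.

    Assumed model: the LB persistence entry is refreshed by every packet and
    expires after `sticky_timeout` idle seconds; a client with no entry is
    assigned round robin; session state lives only on the server that
    performed the last full authentication. All times are in seconds.
    """
    rr = cycle(range(servers))
    sticky = {}    # client -> (server, time the entry was last refreshed)
    session = {}   # client -> server currently holding the session state
    forced = 0

    # t = 0: every client performs its initial full authentication.
    for c in range(clients):
        s = next(rr)
        sticky[c] = (s, 0)
        session[c] = s

    # Each client re-keys once per rekey_interval for the whole duration.
    for t in range(rekey_interval, duration + 1, rekey_interval):
        for c in range(clients):
            server, last_seen = sticky[c]
            if t - last_seen > sticky_timeout:
                server = next(rr)          # entry aged out: LB chooses afresh
            sticky[c] = (server, t)
            if server != session[c]:       # wrong ACS: full re-auth (token prompt)
                forced += 1
                session[c] = server        # state now lives on the new server
    return forced


if __name__ == "__main__":
    # Constructed sample: 3 supplicants, 4 ACS servers, hourly re-key, 8-hour day.
    for timeout in (180, 3600):
        n = count_full_reauths(3, 4, timeout, 3600, 8 * 3600)
        print(f"sticky timeout {timeout:>4}s -> {n} forced full re-authentications")
```

With a 180-second sticky timer every hourly re-key in this model is misrouted; once the timer is as long as the re-key interval, none are.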

Thanks darpotter.

We use the ACS server only for TACACS and RADIUS Authentication, Authorization and Accounting. So we need to know whether an F5 load balancer will work together with 4 ACS servers. Will the load balancer distribute the requests from one router round robin to all ACS servers, or will only one ACS server be responsible for the requests from a router?

Good point, we sticky by source IP.