Scenario 2: Two Servers in Backup Mode

Using a replication process, this AAA Server configuration consists of two identical servers for authentication. The behavior is based on the primary/backup server concept used with RADIUS AAA.

Target Environment

  • This deployment is targeted at medium-scale user environments with a user population ranging from 0 - 100,000.
  • All the user credentials are in up to two physical locations.
  • Requires high availability/fault tolerance.

In comparison with the standalone server deployment detailed in the previous section, this deployment allows for higher availability of the authentication system. If the primary server fails, then the backup server is ready to perform the identical authentication service. This deployment maximizes performance.

Network Overview

 

Deployment Issues

| Topic | Description |
|---|---|
| Behavior when one server goes down | At the NAS level, the authentication requests are diverted to the backup server. |
| Behavior when the server comes back up | When the server comes back up, the authentication ports do NOT open immediately. The server first starts the replication process between itself and the backup server. When this is complete, the authentication ports reopen. |
| Behavior when the servers lose connectivity | When the servers lose connectivity with the LDAP or the databases, the authentication ports close as authentication is impossible. A thread continues to run and attempts to reconnect every N seconds, depending on the configuration of the timeout. When the servers lose connectivity with each other, the authentication ports remain open and reconnection is attempted every N seconds, depending on the configuration of the timeout. The default value for N is five seconds. |
| Synchronization (both configuration changes from administration console and runtime changes due to authentication attempts) | Authentication Synchronization: This is performed by the AAA Servers and occurs as long as the two servers have connectivity. Configuration Synchronization: This is performed by exporting data from the AAA Server Administration Console. Configuration changes made using the AAA Server Administration Console must be exported to the master server AND to the backup server, as the configuration of the two servers is not synchronized automatically. |
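
The behaviors described under Deployment Issues, modelled as a small state machine so an operator can replay an outage and see which server is accepting requests and whether authentication synchronization is running. This is an added example, not vendor code: the class, event and function names are hypothetical, and the NAS trying the primary first whenever its ports are open is an assumption based on the primary/backup concept.

```python
from dataclasses import dataclass, field
@dataclass
class Server:
    up: bool = True            # server process running
    replicating: bool = False  # resynchronising with its peer after a restart
    backend_ok: bool = True    # connectivity to LDAP / the databases
    def auth_ports_open(self) -> bool:
        # Closed while down, while replicating, or without LDAP/database access.
        return self.up and not self.replicating and self.backend_ok

@dataclass
class Pair:
    servers: dict = field(default_factory=lambda: {"primary": Server(), "backup": Server()})
    peer_link: bool = True     # connectivity between the two servers
    def apply(self, event: str, who: str = "") -> None:
        if event in ("peer_link_lost", "peer_link_restored"):
            self.peer_link = event == "peer_link_restored"
            return
        s = self.servers[who]
        if event == "down":
            s.up, s.replicating = False, False
        elif event == "up":
            s.up, s.replicating = True, True   # replication runs before ports reopen
        elif event == "replication_done":
            s.replicating = False
        elif event in ("backend_lost", "backend_restored"):
            s.backend_ok = event == "backend_restored"
        else:
            raise ValueError(f"unknown event: {event}")

    def nas_target(self):
        # Assumption: the NAS tries the primary first, then the backup.
        for name in ("primary", "backup"):
            if self.servers[name].auth_ports_open():
                return name
        return None  # nothing is accepting authentication requests

    def auth_sync_active(self) -> bool:
        return self.peer_link and all(s.up for s in self.servers.values())

def replay(events):
    pair, states = Pair(), []
    for event, who in events:
        pair.apply(event, who)
        states.append((pair.nas_target(), pair.auth_sync_active()))
    return states
# Constructed timeline: primary restart, then a peer-link loss, then both lose LDAP.
TIMELINE = [("down", "primary"), ("up", "primary"), ("replication_done", "primary"),
            ("peer_link_lost", ""), ("backend_lost", "primary"), ("backend_lost", "backup")]
```

Each tuple returned by `replay(TIMELINE)` is (server the NAS reaches, authentication synchronization active). The second entry shows the window in which the primary is running but still closed to requests, and the fourth shows both servers answering while runtime changes are no longer synchronized between them.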

AAA Server Configuration

Prerequisites: The AAA Server is installed and configured as detailed in Installing the AAA Server for Remote Access.
  1. To define the backup server for the primary AAA Server authentication server, select the Replication option in the primary server's configuration window.

    When you select Use Backup Server, the system automatically fills in the Backup Name, Administration Port, and the Roaming / Replication Port fields, taking those of the primary server.

  2. Either enter the IP address of the backup server in the Administration IP Address field and export the data so that the new configuration is applied.
  3. Or, to manage traffic through another network, enter the IP address in the Roaming / Replication IP Address field.
  4. Export the new configuration.