08-02-2009 05:35 AM
RADIUS is a vital part of our authentication infrastructure. I would like to use radius server load balancing to ensure the service is as fast and as reliable as possible. Is it possible to do an application health check / layer 7 health check for radius servers?
08-02-2009 06:08 AM
It is no problem to monitor RADIUS servers using RADIUS health checks. The ServerIron is able to send authentication requests to the RADIUS servers to validate their availability. From the documentation:
The ServerIron sends an authentication request with a user name, password, and key to the RADIUS server. The account information does not need to be valid for the server to pass the health check. In fact, to prevent someone from learning account information by observing the ServerIron’s RADIUS health check, Foundry Networks recommends you use invalid information.
If the server replies with the result code “ACCEPT” or “REJECT”, the ServerIron considers the port to be ok and marks it ACTIVE.
If the server does not reply or the server sends an ICMP “Destination Unreachable” message, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not reply with “ACCEPT” or “REJECT”, the ServerIron marks the RADIUS port FAILED and removes the server from rotation for RADIUS services.
Configuring RADIUS Health Check Values
You can define the RADIUS parameters that the ServerIron sends to a RADIUS application port in the Layer 7 health check. The RADIUS health check requests a specific user name, password, and authentication key from the RADIUS server. To specify these values, use one of the following methods.
To configure the parameters for a RADIUS health check, enter commands such as the following at the Real Server level of the CLI:
ServerIron(config-rs-rocket)#port radius username evil
ServerIron(config-rs-rocket)#port radius password woody
ServerIron(config-rs-rocket)#port radius key laser
Syntax: port radius username <string>
Syntax: port radius password <string>
Syntax: port radius key <string>
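The health check quoted above can be reproduced from a monitoring host to confirm what the load balancer will see. The following Python sketch is an added example, not part of the original posts or Foundry's code: it builds an RFC 2865 Access-Request with the deliberately invalid account from the CLI example and treats Access-Accept or Access-Reject as ACTIVE. The function names are hypothetical, and verifying the Response Authenticator is an assumption of this example; the quoted documentation does not say whether the ServerIron does so.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: MD5 keystream over 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, authenticator=None):
    """Return (packet, request_authenticator) for an Access-Request."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username   # User-Name (type 1)
    attrs += bytes([2, 2 + len(hidden)]) + hidden      # User-Password (type 2)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def classify_reply(reply, ident, request_auth, secret):
    """'ACTIVE' for a well-formed Accept or Reject, otherwise 'FAILED'."""
    if len(reply) < 20:
        return "FAILED"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return "FAILED"
    reply = reply[:length]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return "ACTIVE" if expected == reply[4:20] else "FAILED"

def probe(host, port=1812, username=b"evil", password=b"woody",
          secret=b"laser", retries=2, timeout=2.0):
    """Send the check; defaults mirror the page's CLI example and its two retries."""
    ident = os.urandom(1)[0]
    packet, auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected UDP socket surfaces ICMP unreachable as an error
        for _ in range(1 + retries):
            try:
                s.send(packet)
                return classify_reply(s.recv(4096), ident, auth, secret)
            except OSError:      # timeout or ICMP "Destination Unreachable"
                continue
    return "FAILED"
```

Calling `probe("192.0.2.10")` (a placeholder address) returns `"ACTIVE"` or `"FAILED"`; the host running it must be defined as a RADIUS client on the server with the same key, just as the ServerIron must be.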