Hi Nirmala,
I'm surprised that you see requests distributed among several of
the Radius Servers, because the protocol itself doesn't support
load balancing:
XauthRADIUS Integration for CA Single Sign-On Installation and Configuration Version 6.3
RADIUS server failover
The RADIUS protocol does not provide for round robin or load
balancing of RADIUS servers;
SmXauthRADIUS Installation Guide.pdf
Are you sure you see requests distributed among all the Radius servers?
Don't you see only connections? How do you see them?
Moreover, the config file seems to be OK:
Configuration File Format
1. IP Description:
• it begins with the name of the RADIUS server (comparisons are case insensitive)
• followed by a period
• followed by the word ip
• followed by an equals sign
• followed by the IP number
To enable RADIUS Server failover a space and an additional IP
address may be entered. An unlimited number of additional IP
addresses may be specified using this notation.
That said, if, when starting the Policy Server with the XAuthRadius
module, you see requests going to all the defined Radius Servers,
then you should open a Support case and provide:
- Full Policy Server logs and traces
For the traces, enable the Profiler with all Components and all Data;
- radiusconfig file;
- Full Network traces from the Policy Server :
WireShark if running on Windows;
If running on Linux :
D.3. tcpdump: Capturing with "tcpdump" for viewing with Wireshark
tcpdump -i <interface> -s 65535 -w <some-file>
https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html
If running on Unix :
snoop
snoop -r -o arp11.snoop -q -d nxge0 -c 150000
https://wiki.wireshark.org/snoop
and specify the Policy Server, XAuthRadius, OS and Radius server versions.
I hope this helps,
Best Regards,
Patrick
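An added example, not part of the original message or of the XAuthRadius product: one way to answer "how do you see them?" from a capture taken with the tcpdump command above. It counts RADIUS Access-Request packets per destination server on port 1645 (the default.port value in this thread) and how often consecutive requests change server. The sample capture, the addresses and the function names are constructed for illustration, and reading a high switch count as interleaving rather than failover is a heuristic.

```python
import socket
import struct
from collections import Counter

def access_requests(pcap, port=1645):
    """Return [(time, dst_ip)] for every RADIUS Access-Request (code 1) sent to
    `port` in a classic little-endian pcap with Ethernet framing."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected classic little-endian Ethernet pcap")
    found, off = [], 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # keep only IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 9:
            continue  # truncated before the RADIUS code byte
        if struct.unpack_from("!H", udp, 2)[0] == port and udp[8] == 1:
            found.append((sec + usec / 1e6, socket.inet_ntoa(frame[30:34])))
    return found

def summarize(requests):
    """Per-server counts and how often consecutive requests change server."""
    dsts = [ip for _, ip in sorted(requests)]
    return Counter(dsts), sum(a != b for a, b in zip(dsts, dsts[1:]))

def _frame(dst_ip, code, port):
    # Constructed packet: Ethernet + IPv4 + UDP + minimal 20-byte RADIUS header.
    radius = bytes([code, 1]) + struct.pack("!H", 20) + bytes(16)
    udp = struct.pack("!HHHH", 40000, port, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton(dst_ip))
    return bytes(12) + b"\x08\x00" + ip + udp

def build_sample():
    """Constructed capture: five alternating requests plus one reply."""
    frames = [_frame(ip, 1, 1645) for ip in ["198.51.100.1", "198.51.100.2"] * 2]
    frames += [_frame("192.0.2.10", 2, 40000), _frame("198.51.100.1", 1, 1645)]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":
    print(summarize(access_requests(build_sample())))
```

It reads only the classic pcap format that tcpdump -w writes; a pcapng or snoop capture has to be converted first.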
Original Message:
Sent: 06-26-2019 03:26 AM
From: Nirmala V
Subject: XAuthRadius Failover Issue
Hi Patrick,
The radiusconfig file looks as below in our environment. When I say disable NPS, I am removing the IPs from the list.
default.ip=<NPS IP1> <NPS IP2> <NPS IP3>
default.secret=**********
default.port=1645
default.timeout=300
default.retries=5
default.reactivate=300
With respect to disabling MFA and testing only Auth scheme, we are trying to replicate this issue in our lower environment as the main issue was faced in Prod and we cannot impact Prod users. We are seeing if we can replicate the issue in lower environment.
Any suggestions would really help here.
Thanks,
Nirmala
Original Message:
Sent: 06-26-2019 02:28 AM
From: Patrick Dussault
Subject: XAuthRadius Failover Issue
Hi Nirmala,
As you run XAuthRadius integrated with MFA, could you test without MFA
and have only the Authentication Scheme with Radius enabled and see if
you still see the requests distributed to both NPS?
You mentioned :
"When we disable multiple NPS IP's in radiusconfig [...]"
Could you share with us the config file ?
Best Regards,
Patrick
Original Message:
Sent: 06-25-2019 03:46 AM
From: Nirmala V
Subject: XAuthRadius Failover Issue
Hi Team,
Any suggestions on this issue please?
Thanks,
Nirmala
Original Message:
Sent: 06-20-2019 01:25 PM
From: Nirmala V
Subject: XAuthRadius Failover Issue
Hi All,
We have XAuthRadius v6.2 integrated with our CA SSO R12.7 infrastructure. The setup is to enable MFA and is integrated with an NPS server serving as the Radius server, and the CA SSO PS is the Radius client. The configuration is working as expected.
However, we have run into an issue with respect to failover. As per the XAuthRadius document, load balancing is not supported and a request fails over to the 2nd NPS server when the 1st fails. However, we are seeing concurrent sessions to both NPS servers, resulting in the CA SSO PS going unresponsive. When we disable multiple NPS IPs in the radiusconfig file and have a single NPS IP, there is no issue.
Has anyone faced similar issues earlier? Any suggestions/inputs are greatly appreciated.
------------------------------
Thanks and Regards,
Nirmala
------------------------------