Manual Chapter: AAA and Configuring High Availability

Overview: Configuring AAA high availability

Using AAA high availability with Access Policy Manager®, you can configure multiple authentication servers to process requests, so that if one authentication server goes down or loses connectivity, the others can resume authentication requests, and new sessions can be established, as usual. The Access Policy Manager supports the following authentication servers for high availability: RADIUS, LDAP, CRLDP, and TACACS+.

Note: Although new authentications will fail if the BIG-IP system loses connectivity to the server, existing sessions are unaffected as long as they do not attempt to re-authenticate.

Guidelines for setting up RADIUS authentication for AAA high availability

When you use RADIUS as the authentication method for AAA high availability, there are general guidelines that you must follow when you set up your server connections.

  • In a non-high-availability environment, both the Direct and Use Pool options use the self IP address as the source IP address of the packet reaching the RADIUS server. For this scenario, you only need to add that one self IP address to the RADIUS allowed IP list.
  • In a high availability environment where the Use Pool option is used, the floating self IP address is used as the source IP address of the RADIUS packet reaching the back-end. For this scenario, you need to add only one self IP address (the floating self IP address) to the RADIUS allowed IP list, because that address continues to be used after a failover occurs.
  • In a high availability environment where the Direct option is used, the non-floating self IP address of the unit is used as the source IP address of the RADIUS packet reaching the back-end. In this scenario, you need to add the self IP addresses of both the active and the standby units to the RADIUS allowed IP list, so that when failover occurs, the self IP address of the second unit is accepted by the RADIUS server.

Task summary for configuring AAA high availability

To set up this configuration, follow the procedures in the task list.

Task List

Setting up a AAA server object for high availability

You can set up high availability for these authentication server types only: RADIUS, LDAP, CRLDP, and TACACS+. When setting up high availability for these server types, specify IP addresses of pool members that you want to use as part of this feature.
  1. On the Main tab, expand Access Policy > AAA Servers. The AAA server list screen opens.
  2. From the AAA Servers by Type menu, choose the server type you want to create. A screen listing existing servers of that type opens.
  3. Type a name for the authentication server you are creating.
  4. For the Server Connection setting, select Use Pool. The Use Pool option is displayed only when you are configuring RADIUS, LDAP, CRLDP, and TACACS+ server types because high availability is supported for these server types only.
  5. Type a name for the server pool.
  6. For the Server Addresses setting, type in the IP addresses of the pool members, and click Add.
  7. If you selected Use Pool, you have the option to select a monitor to track the health of the AAA server.
  8. Specify all settings based on the authentication server that you selected.
  9. Click Finished to add the new server to the configuration, and return to the main screen.

Testing AAA high availability for supported authentication servers

To effectively test that high availability works for your authentication servers, you should have two servers that are accessible, where you can remove one of them from the network.
Note: High availability is supported for these authentication server types only: RADIUS, LDAP, CRLDP, and TACACS+.
  1. Start a tcpdump capture on the Access Policy Manager, filtering for packets destined for the port your authentication server listens on, and view it with a protocol analyzer.
  2. Log in to the virtual server with both servers active.
  3. Verify from the tcpdump capture that the requests are being sent to the higher-priority server.
  4. Log out of the virtual server.
  5. Disable the higher-priority server.
  6. Log in to the virtual server again.
  7. Verify that the request is being sent to the other server.
  8. Log out again, re-enable the server, and try one more time to verify that new requests are being sent to the higher-priority server.
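As an added example (not from the F5 manual), the shell snippet below summarises tcpdump text so you can check the two things the RADIUS guidelines above and this test procedure ask for: which pool member receives the requests before and after the higher-priority server is disabled, and which self IP (the floating address with Use Pool, or each unit's own self IP with Direct) the RADIUS server sees as the source and therefore needs in its allowed IP list. The capture lines, addresses and port are constructed for the example.

```shell
#!/bin/sh
# Added example (not the manual's own code): summarise tcpdump -nn output of
# authentication traffic by source self IP and destination pool member.
# Assumes the capture was taken on the BIG-IP with something like:
#   tcpdump -nni 0.0 port 1812 > /var/tmp/aaa-capture.txt
# 1812 is the IANA default RADIUS port; substitute your server's port.

# Count requests per (source IP, destination IP) for one destination port.
# Input: tcpdump -nn text on stdin. Output: "src dst count", one per line.
summarize_auth_requests() {
    port="$1"
    awk -v port="$port" '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5
            sub(/:$/, "", dst)                      # strip the trailing colon
            n = split(dst, d, "."); dport = d[n]    # last dotted field is the port
            if (dport != port) next                 # keep only requests to the AAA port
            sub(/\.[0-9]+$/, "", src)               # drop the source port
            sub(/\.[0-9]+$/, "", dst)               # drop the destination port
            count[src " " dst]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Print the pool member that received the most requests on the port; compare
# this before and after disabling the higher-priority server.
busiest_server() {
    summarize_auth_requests "$1" | sort -k3,3nr | head -n1 | cut -d" " -f2
}

# Constructed sample capture (not real traffic): 10.1.1.5 is the active unit's
# self IP, 192.0.2.10 the higher-priority RADIUS pool member, 192.0.2.11 the
# other member. Replies and an LDAP SYN are included to show they are ignored.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.1.1.5.51234 > 192.0.2.10.1812: RADIUS, Access-Request (1), id: 0x01 length: 120
12:00:01.000500 IP 192.0.2.10.1812 > 10.1.1.5.51234: RADIUS, Access-Accept (2), id: 0x01 length: 40
12:00:02.000001 IP 10.1.1.5.51235 > 192.0.2.10.1812: RADIUS, Access-Request (1), id: 0x02 length: 120
12:00:03.000001 IP 10.1.1.5.51236 > 192.0.2.11.1812: RADIUS, Access-Request (1), id: 0x03 length: 120
12:00:04.000001 IP 10.1.1.5.33333 > 192.0.2.10.389: Flags [S], seq 1, win 64240, length 0'

# Usage: the first column is the self IP the RADIUS server must allow.
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_auth_requests 1812
```

On a live system, replace the sample with `summarize_auth_requests 1812 < /var/tmp/aaa-capture.txt`; with Use Pool the source column should show only the floating self IP, with Direct it changes to the other unit's self IP after failover.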

Upgrading an Access Policy Manager high availability failover pair

To ensure that upgrading a failover pair is successful, make sure that the Local Traffic Manager active/standby units were configured correctly if you are migrating from a previous version.
Attention: During the upgrade, all users currently logged on to the system will have to log on again.
  1. Connect to a standby unit of a failover pair.
  2. Upgrade the standby unit.
  3. Press Force offline on the unit to trigger a failover to this newly upgraded unit. The newly upgraded unit will take over as the active unit.
  4. Once the upgraded unit takes over as active, restart the upgraded unit. This additional restart is required to flush out any old sessions that may have been introduced from the previously active unit running the older version of the software.
  5. Wait for the upgraded unit to come back up.
  6. Once the upgraded unit becomes the active unit, bring the other unit back online by pressing Release offline. This unit is now the standby unit.
  7. Upgrade the standby unit.