Manual Chapter: AAA and Configuring High Availability

Overview: Configuring AAA high availability

Using AAA high availability with Access Policy Manager®, you can configure multiple authentication servers to process requests, so that if one authentication server goes down or loses connectivity, the others continue to handle authentication requests and new sessions can be established as usual. Access Policy Manager supports the following authentication server types for high availability: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+.

Note: Although new authentications fail if the BIG-IP® system loses connectivity to the server, existing sessions are unaffected provided that they do not attempt to re-authenticate.

Guidelines for setting up RADIUS authentication for AAA high availability

When you use RADIUS as the authentication method for AAA high availability, there are general guidelines that you must follow when you set up your server connections.

  • In a non-high availability environment, both the Direct and Use Pool options use the self IP address as the source IP address of the packets reaching the RADIUS server. For this scenario, you need to add only that one self IP address to the RADIUS server's allowed-client list.
  • In a high availability environment where the Use Pool option is used, the floating self IP address is used as the source IP address of the RADIUS packets reaching the back end. For this scenario, you need to add only the floating self IP address to the RADIUS allowed-client list, because the floating address moves to whichever unit is active and therefore remains the source address after a failover.
  • In a high availability environment where the Direct option is used, each unit's own (non-floating) self IP address is used as the source IP address of the RADIUS packets reaching the back end. In this scenario, you need to add the self IP addresses of both the active and standby devices to the RADIUS allowed-client list, so that after a failover the RADIUS server accepts requests from the second device. A RADIUS server silently discards requests from a source address it does not recognize as a client, so a missing standby self IP shows up only as authentication failures after the failover, not as an error on the BIG-IP system.
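The three cases above reduce to a checklist of source addresses that the RADIUS server must accept. The following Python script is an added example and is not part of this manual or of the BIG-IP software: it computes the required source IPs for a given Server Connection mode and HA state, then checks them against a FreeRADIUS-style clients.conf fragment to find addresses the server would drop. The self IP addresses, the floating address, and the clients.conf text are all constructed for the example.

```python
import ipaddress
import re

# Constructed FreeRADIUS-style clients.conf fragment (example data, not a
# real server). It lists the floating self IP and only ONE unit's self IP,
# which is the mistake the Direct + HA guideline warns about.
CLIENTS_CONF = """
client bigip_floating {
    ipaddr = 10.10.1.10
    secret = example-only
}
client bigip_unit_a {
    ipaddr = 10.10.1.11
    secret = example-only
}
"""


def required_source_ips(mode, ha, self_ips, floating_ip=None):
    """Return the set of source IPs the RADIUS server must accept.

    mode         'direct' or 'pool' (the APM Server Connection setting)
    ha           True for an active/standby pair, False for a standalone unit
    self_ips     non-floating self IPs, one per device
    floating_ip  the floating self IP shared by the pair (HA + Use Pool)
    """
    if mode not in ("direct", "pool"):
        raise ValueError(f"unknown Server Connection mode {mode!r}")
    if not ha:
        # Standalone: Direct and Use Pool both source from the unit's self IP.
        return {self_ips[0]}
    if mode == "pool":
        # HA + Use Pool: the floating self IP moves with the active unit,
        # so a single allowed-client entry survives failover.
        if floating_ip is None:
            raise ValueError("HA with Use Pool needs the floating self IP")
        return {floating_ip}
    # HA + Direct: each unit sources from its own self IP, so every unit's
    # self IP must be allowed or authentication breaks after failover.
    return set(self_ips)


def parse_allowed_networks(conf_text):
    """Collect the ipaddr values (host or CIDR) from client { } blocks."""
    pattern = re.compile(r"ipaddr\s*=\s*([0-9a-fA-F:.]+(?:/\d+)?)")
    return [ipaddress.ip_network(m.group(1), strict=False)
            for m in pattern.finditer(conf_text)]


def missing_clients(required_ips, allowed_networks):
    """Source IPs no allowed network covers; RADIUS will drop their packets."""
    return sorted(
        ip for ip in required_ips
        if not any(ipaddress.ip_address(ip) in net for net in allowed_networks)
    )


def check(mode, ha, self_ips, floating_ip=None, conf_text=CLIENTS_CONF):
    """Which of the required source IPs does the client list NOT cover?"""
    return missing_clients(required_source_ips(mode, ha, self_ips, floating_ip),
                           parse_allowed_networks(conf_text))


if __name__ == "__main__":
    units = ["10.10.1.11", "10.10.1.12"]  # constructed self IPs of unit A and B
    print("standalone direct:", check("direct", False, units[:1]))
    print("HA + Use Pool:    ", check("pool", True, units, "10.10.1.10"))
    print("HA + Direct:      ", check("direct", True, units))
```

With the constructed clients.conf, the standalone and HA + Use Pool cases report nothing missing, while HA + Direct reports the standby unit's self IP, which is exactly the address that would stop authentication after a failover. Run the check before a planned failover rather than after, since the failure is silent on the RADIUS side.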

Task summary for configuring AAA high availability

To set up this configuration, follow the procedures in the task list.

Task list

Setting up a AAA Active Directory server object for high availability

  1. On the Main tab, click Access Policy > AAA Servers. The AAA Servers list screen opens.
  2. From the AAA Servers by Type menu, choose the server type you want to create. A screen listing existing servers of that type opens.
  3. Click Create. The New Server properties screen opens.
  4. In the Name field, type a unique name for the authentication server.
  5. In the Domain Name field, type the name of the Windows Domain.
  6. For Server Connection, select Use Pool.
  7. Type a name in the Domain Controller Pool Name field.
  8. Specify the Domain Controllers to include in the pool by typing the IP address and hostname for each one and clicking the Add button.
  9. To monitor the health of the AAA server, you have the option to select a health monitor. Only the gateway_icmp monitor is appropriate in this case; you can select it from the Server Pool Monitor list.
  10. In the Admin Name field, type an administrator name that has Active Directory administrative permissions. APM uses the information in the Admin Name and Admin Password fields for AD Query. If Active Directory is configured for anonymous queries, you do not need to provide an Admin Name. Otherwise, APM needs an account with sufficient privilege to bind to an Active Directory server, fetch user group information, and fetch Active Directory password policies to support password-related functionality. (APM must fetch password policies, for example, if you select the Prompt user to change password before expiration option in an AD Query action.) If you do not provide Admin account information in this configuration, APM uses the user account to fetch information. This works if the user account has sufficient privilege.
    Note: The administrator name is case-sensitive.
  11. In the Admin Password field, type the administrative password for the server.
  12. In the Verify Admin Password field, re-type the administrative password for the server.
  13. In the Timeout field, type a timeout interval (in seconds) for the AAA server. This setting is optional.
  14. Click Finished to add the new server to the configuration, and return to the main screen.
This adds the new Active Directory server to the AAA Server List.

Setting up a AAA server object for high availability

Use this procedure to set up high availability for these authentication server types only: RADIUS, LDAP, CRLDP, and TACACS+. When setting up high availability for these server types, specify IP addresses of pool members that you want to use as part of this feature.
  1. On the Main tab, click Access Policy > AAA Servers. The AAA Servers list screen opens.
  2. From the AAA Servers by Type menu, choose the server type you want to create. A screen listing existing servers of that type opens.
  3. Click Create. The New Server properties screen opens.
  4. In the Name field, type a unique name for the authentication server.
  5. For the Server Connection setting, select Use Pool.
  6. Type a name for the server pool.
  7. For the Server Addresses setting, type the IP address of each pool member, and click Add.
  8. You have the option to select a Server Pool Monitor to track the health of the pool members.
  9. Specify any additional settings based on the authentication server type that you selected. See the online help for more information.
  10. Click Finished to add the new server to the configuration, and return to the main screen.

Testing AAA high availability for supported authentication servers

To effectively test that high availability works for your authentication servers, you should have two servers that are accessible, where you can remove one of them from the network.
Note: High availability is supported for these authentication server types only: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+.
  1. Start a packet capture with tcpdump on the BIG-IP system, filtering on the port your authentication server listens on (for example, UDP port 1812 for RADIUS, TCP port 389 or 636 for LDAP, TCP port 49 for TACACS+, or port 88 for Active Directory Kerberos authentication).
  2. Log in to the virtual server with both servers active.
  3. Using the tcpdump output, verify that the requests are being sent to the higher-priority server.
  4. Log out of the virtual server.
  5. Disable the higher-priority server.
  6. Log in to the virtual server again.
  7. Verify that the request is now being sent to the other server.
  8. Log out again, re-enable the higher-priority server, and log in one more time to verify that new requests are again being sent to the higher-priority server.
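The verification in steps 3, 7 and 8 is easier to do with a script than by reading packets by hand. The following Python script is an added example and is not part of this manual or of the BIG-IP software: it parses `tcpdump -nn` output saved from each phase of the test (for example `tcpdump -nni 0.0 port 1812` on the BIG-IP system, assuming RADIUS) and reports which pool member received the authentication requests in each phase. The server addresses, the BIG-IP source address, and the capture lines are constructed example data.

```python
import re
from collections import Counter

PRIMARY = "192.0.2.10"    # higher-priority pool member (assumed address)
SECONDARY = "192.0.2.11"  # lower-priority pool member (assumed address)
AUTH_PORT = 1812          # RADIUS authentication port

# One `tcpdump -nn` line: timestamp, "IP", src.port > dst.port: payload ...
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Constructed captures for the three phases of the test. The BIG-IP source
# address 10.10.1.10 and the request/response lines are example data.
CAPTURES = {
    "both_up": """\
10:00:01.000100 IP 10.10.1.10.49152 > 192.0.2.10.1812: RADIUS, Access-Request (1), id: 0x01 length: 120
10:00:01.004200 IP 192.0.2.10.1812 > 10.10.1.10.49152: RADIUS, Access-Accept (2), id: 0x01 length: 40
""",
    "primary_down": """\
10:05:01.000100 IP 10.10.1.10.49153 > 192.0.2.11.1812: RADIUS, Access-Request (1), id: 0x02 length: 120
10:05:01.003900 IP 192.0.2.11.1812 > 10.10.1.10.49153: RADIUS, Access-Accept (2), id: 0x02 length: 40
""",
    "primary_back": """\
10:10:01.000100 IP 10.10.1.10.49154 > 192.0.2.10.1812: RADIUS, Access-Request (1), id: 0x03 length: 120
10:10:01.004100 IP 192.0.2.10.1812 > 10.10.1.10.49154: RADIUS, Access-Accept (2), id: 0x03 length: 40
""",
}

# Which server each phase of the test procedure should be talking to.
EXPECTED_TARGET = {
    "both_up": PRIMARY,         # step 3: requests go to the higher-priority server
    "primary_down": SECONDARY,  # step 7: requests fail over to the other server
    "primary_back": PRIMARY,    # step 8: requests return to the higher-priority server
}


def request_targets(capture, port=AUTH_PORT):
    """Count outbound authentication requests per destination server.

    Only packets sent *to* the server port are counted, so the replies
    (which come *from* that port) are ignored."""
    targets = Counter()
    for line in capture.splitlines():
        m = TCPDUMP_RE.match(line)
        if m and int(m.group("dport")) == port:
            targets[m.group("dst")] += 1
    return targets


def failover_report(captures, expected=EXPECTED_TARGET):
    """For each phase, list the servers that received requests and whether
    they were exactly the expected one. A phase that shows both servers
    usually means the pool monitor had not yet marked the primary down."""
    report = {}
    for phase, want in expected.items():
        seen = request_targets(captures[phase])
        report[phase] = {"servers": sorted(seen), "ok": set(seen) == {want}}
    return report


def all_phases_ok(captures, expected=EXPECTED_TARGET):
    """True only if every phase sent its requests to the expected server."""
    return all(r["ok"] for r in failover_report(captures, expected).values())


if __name__ == "__main__":
    for phase, result in failover_report(CAPTURES).items():
        status = "OK" if result["ok"] else "FAIL"
        print(f"{phase:13s} -> {result['servers']} {status}")
```

If the primary_down phase shows requests to both servers, the pool monitor had not yet marked the higher-priority member down when you logged in, or an earlier request to it was still being retried; wait at least one monitor interval and repeat the login before treating the result as a failure. For LDAP, CRLDP or TACACS+, change AUTH_PORT and the expected addresses; the parsing does not depend on the protocol.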

Upgrading an Access Policy Manager high availability failover pair

To ensure that upgrading a failover pair is successful, make sure that the Local Traffic Manager active-standby units were configured correctly if you are migrating from a previous version.
Attention: During the upgrade, all users currently logged on to the system will have to log on again.
  1. Connect to a standby unit of a failover pair.
  2. Upgrade the standby unit.
  3. On the currently active (not yet upgraded) unit, click Force Offline to trigger a failover to the newly upgraded unit. The newly upgraded unit takes over as the active unit.
  4. Once the upgraded unit takes over as active, restart it. This additional restart is required to flush out any old sessions that may have been carried over from the previously active unit, which was running the older software version.
  5. Wait for the upgraded unit to come back up.
  6. Once the upgraded unit becomes the active unit, bring the other unit back online by pressing Release offline. This unit is now the standby unit.
  7. Upgrade the standby unit.