Server Load balancer solution for Radius servers

Source: Internet
Author: User

Radius protocol Overview

RADIUS (Remote Authentication Dial In User Service) is an authentication service for remote dial-up access users. The RADIUS service is divided into clients and servers, typically as follows.

The service port numbers of the RADIUS protocol are usually 1645 (authentication) and 1646 (billing), or 1812 (authentication) and 1813 (billing).

[Figure: RADIUS clients and servers]

RADIUS communication uses UDP in a "request-response" mode: when a client sends a request packet, the server returns a response packet after receiving it. The packet format is as follows:

[Figure: RADIUS packet format]

The main fields are described as follows:

  • Code: packet type; 1 byte; indicates the RADIUS packet type. Common packet types are defined as follows:

      1  Access-Request -- authentication process
      2  Access-Accept -- authentication response process
      3  Access-Reject -- authentication rejection process
      4  Accounting-Request -- billing process
      5  Accounting-Response -- billing response process

  • Identifier: packet ID; 1 byte; used to match request packets with response packets. A request packet and its response packet carry the same Identifier. The value range of this field is 0 to 255; the protocol specifies:
  • Length: packet length; 2 bytes; the length of the entire packet.
  • Authenticator: 16 bytes; used to sign the packet.
  • Attributes: attributes, such as the user name, in the following format:

[Figure: RADIUS attribute format]

Radius Server Load balancer

When a single RADIUS server cannot meet user authentication demand, or when the availability of the authentication server needs to be improved, introducing a server load balancer is the natural step. A typical server load balancing deployment for RADIUS servers is as follows.

[Figure: typical server load balancing deployment for RADIUS servers]

Because of the particular characteristics of the RADIUS protocol, the server load balancer device needs the following functions for load balancing to work in practice:

  • Application-based health check. The device must send an authentication request and mark the server as "up" only after the authentication succeeds. In some cases, some RADIUS attributes also need to be attached to the request.
  • Load balancing based on RADIUS messages. In typical applications the number of RADIUS clients is small (such as the BRAS, the broadband access server, in a MAN), but each client sends a large number of RADIUS authentication and billing packets, often from the same source port. If simple layer-4 UDP processing is used, all the requests of one RADIUS client may arrive at one server, resulting in uneven server load and even overload of some servers. The server load balancer device must therefore be able to distribute requests from the same IP address and the same source UDP port evenly across multiple servers. The RADIUS Identifier field mentioned above can help solve this problem: the device can perform load balancing based on the RADIUS client IP address, source port, and RADIUS ID.
  • Server persistence based on RADIUS attributes. In practice, the RADIUS server requires server persistence based on specific RADIUS attributes. For example, if the user name is used, all requests from the same user must be processed by the same server for a certain period of time; otherwise billing problems may result. This requires the server load balancer device to parse all attribute fields, find the corresponding attribute, and create a table that maps it to the allocated server. Persistence based on source IP address would send all requests from a single client to the same server, so it is not suitable for RADIUS server load balancing.
  • Authentication and billing requests are kept on the same server. RADIUS authentication and billing use different UDP ports (such as 1812 and 1813). The server requires that authentication and billing information from the same user be sent to ports 1812 and 1813 of the same server.
  • Rate limiting. Restrict the request rate to a single server to protect the RADIUS server.
  • CPU allocation on the server load balancer device. Because the RADIUS client uses the same source IP address and source port, the usual CPU allocation method causes serious imbalance across the CPUs of the load balancer device itself, to the point where only one CPU is working. The device must therefore be able to allocate CPUs based on the RADIUS ID to achieve higher performance.
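
The message-based distribution and user-name persistence described above, as an added example in Python (not code from the original article or from any load balancer product). The backend addresses, client address and helper names are constructed for illustration, the attribute layout (Type, Length, Value) is taken from RFC 2865, and the parser rejects packets whose Length fields are inconsistent, since the device parses untrusted datagrams.

```python
import hashlib
import struct

SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed backend pool
USER_NAME = 1  # attribute type 1 is User-Name (RFC 2865)

def parse_radius(data):
    """Return (code, identifier, attrs); raise ValueError if malformed."""
    if len(data) < 20:  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field disagrees with datagram size")
    attrs, pos = [], 20
    while pos < length:  # each attribute is Type(1) Length(1) Value(Length-2)
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def bucket(client_ip, src_port, ident):
    """Hash client IP, source port and Identifier onto the pool."""
    key = f"{client_ip}:{src_port}:{ident}".encode()
    digest = hashlib.sha256(key).digest()
    return SERVERS[int.from_bytes(digest[:4], "big") % len(SERVERS)]

def pick_server(data, client_ip, src_port, persist):
    """Choose a backend IP; the caller forwards to the port the packet came in on."""
    _code, ident, attrs = parse_radius(data)
    choice = bucket(client_ip, src_port, ident)
    user = next((v for t, v in attrs if t == USER_NAME), None)
    if user is None:
        return choice
    # Pin the user to the first server chosen (entry ageing is omitted here).
    return persist.setdefault(user, choice)

def build_request(code, ident, user):
    """Constructed sample packet: zeroed Authenticator and one User-Name."""
    attr = bytes([USER_NAME, 2 + len(user)]) + user
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

if __name__ == "__main__":
    table = {}
    for code, ident in ((1, 7), (4, 200)):  # Access-Request, Accounting-Request
        pkt = build_request(code, ident, b"alice")
        print(code, ident, pick_server(pkt, "192.0.2.1", 40000, table))
```

Because the function returns only a backend IP, an Access-Request on 1812 and an Accounting-Request on 1813 for the same user reach the same server.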

The absence of any of the above features may cause service unavailability, load imbalance, or even server paralysis. Because different users have different application requirements, the server load balancer device must be able to select servers and maintain persistence flexibly based on various RADIUS attributes. Devices without a custom scripting function have difficulty meeting these requirements. In the future, we will introduce how to deploy the A10 AX product for RADIUS server load balancing.
