LSNAT and NAC Config

  • Question
  • Updated 2 years ago
  • Answered
There used to be a discussion on the hub about LSNAT and NAC, but I can't find it. I am attempting to set up LSNAT to load balance between our 4 NAC appliances with 9,000 end systems. Anyway, if nothing is available, once I get a working config I will post it so it can help others set this up.

Jeremy, Embassador


Posted 2 years ago


Tyler Marcotte, Official Rep

Jeremy,

You can actually set up RADIUS load balancing right on the EXOS or EOS switch as well. It can also be configured through NAC Manager in the Configuration tab. See attached picture. There is also a section in the NAC User Guide that covers configuring Load Balancing.

Tyler




Jeremy, Embassador

I have had that setup before; it works well. I was going to try to use LSNAT because I wanted to LB our AD servers also, and I want to use NAC as a test. Basically, we have had several DC outages and it takes a little while for NAC to try another AD server for authentication. So LSNAT would take care of that and also spread the load out over our AD infrastructure so all auths aren't hitting our primary AD DC. I am about to turn 802.1x on everywhere, so LDAP auths are about to go way, way up. Just want to make sure everything is evenly distributed and failures are transparent to users before we flip the 802.1x switch on all wired ports. Otherwise, 802.1x in my testing is working flawlessly.

Francois Scheun

Hi Jeremy

We've played around with this and implemented the config below, which worked for us.

! ICMP probe referenced by "faildetect" below. It only confirms the host
! answers ping, not that the RADIUS service on UDP 1812 is up.
probe ping icmp
 description "check server availability"
 inservice
 exit
!
ip slb real-server access unrestricted
!
! One "real" entry per NAC appliance (x.x.x.x = appliance IP); each must be
! "inservice" or it never receives traffic.
ip slb serverfarm "name"
 real x.x.x.x port 1812
  faildetect probe one ping
  inservice
  exit
 real x.x.x.xx port 1812
  faildetect probe one ping
  inservice
  exit
 exit
!
! Virtual IP (y.y.y.y) that the switches use as their RADIUS server.
! "udp-one-shot" tears the binding down after each request/response
! instead of holding it until the idle timeout.
ip slb vserver "name"
 virtual y.y.y.y udp 1812
 serverfarm "name"
 udp-one-shot
 inservice
 exit
!

Let me know how it works out.

Regards,
Francois
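As an added example (not from the thread or from Extreme/Enterasys), a small Python checker for an LSNAT block in the shape Francois posted: it parses the probe, serverfarm and vserver sections and flags a real server left out of service, an undefined probe, a missing serverfarm, or a UDP vserver without udp-one-shot. The SAMPLE config and its 10.0.0.x addresses are constructed.

```python
# Added example, not from the thread: parse an EOS LSNAT block shaped like the one
# Francois posted and flag reals or vservers that would silently get no traffic.
SAMPLE = """\
probe ping icmp
 exit
ip slb serverfarm "nac"
 real 10.0.0.11 port 1812
  faildetect probe one ping
  inservice
  exit
 real 10.0.0.12 port 1812
  faildetect probe one ping
  exit
 exit
ip slb vserver "nac-radius"
 virtual 10.0.0.5 udp 1812
 serverfarm "nac"
 udp-one-shot
 exit
"""

def parse_slb(text):
    """Return {"probes": set, "farms": {name: [real dicts]}, "vservers": {name: attrs}}."""
    cfg, ctx = {"probes": set(), "farms": {}, "vservers": {}}, None
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        key = tok[3].strip('"') if tok[:2] == ["ip", "slb"] and len(tok) > 3 else None
        if tok[0] == "probe": cfg["probes"].add(tok[1]); ctx = None
        elif tok[2:3] == ["serverfarm"] and key: ctx = cfg["farms"][key] = []
        elif tok[2:3] == ["vserver"] and key: ctx = cfg["vservers"][key] = {"udp_one_shot": False}
        elif isinstance(ctx, list) and tok[0] == "real":  # new real server inside the farm
            ctx.append({"ip": tok[1], "port": int(tok[3]), "probe": None, "inservice": False})
        elif isinstance(ctx, list) and ctx and tok[0] == "faildetect": ctx[-1]["probe"] = tok[-1]
        elif isinstance(ctx, list) and ctx and tok[0] == "inservice": ctx[-1]["inservice"] = True
        elif isinstance(ctx, dict) and tok[0] == "virtual": ctx.update(proto=tok[2], port=int(tok[3]))
        elif isinstance(ctx, dict) and tok[0] == "serverfarm": ctx["farm"] = tok[1].strip('"')
        elif isinstance(ctx, dict) and tok[0] == "udp-one-shot": ctx["udp_one_shot"] = True
    return cfg

def lint(cfg):
    # Gaps that leave a server or VIP out of rotation, plus the UDP binding caveat.
    out = []
    for farm, reals in cfg["farms"].items():
        for r in reals:
            if r["probe"] not in cfg["probes"]:
                out.append(f"{farm}: real {r['ip']} uses undefined probe {r['probe']}")
            if not r["inservice"]:
                out.append(f"{farm}: real {r['ip']} is not inservice")
    for name, v in cfg["vservers"].items():
        if v.get("farm") not in cfg["farms"]:
            out.append(f"{name}: serverfarm {v.get('farm')} is not defined")
        if v.get("proto") == "udp" and not v["udp_one_shot"]:
            out.append(f"{name}: udp vserver without udp-one-shot, bindings persist until idle timeout")
    return out
```

Running lint(parse_slb(SAMPLE)) reports the second real server, which is missing its inservice line.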