-
Cisco NAC Guest Server Installation and Configuration Guide, Release 1.1.2
-
About This Guide
-
Welcome to Cisco NAC Guest Server
-
Installing Cisco NAC Guest Server
-
System Setup
-
Configuring Sponsor Authentication
-
Configuring User Group Permissions
-
Configuring Guest Policies
-
Integrating with Cisco NAC Appliance
-
Configuring RADIUS Clients
-
Guest Account Notification
-
Customizing the Application
-
Backup and Restore
-
Replication and High Availability
-
Logging and Troubleshooting
-
Licensing
-
Sponsor Documentation
-
Open Source License Acknowledgements
-
Table Of Contents
Replication and High Availability
Replication and High Availability
To provide high availability, the Cisco NAC Guest Server solution can be configured so that a pair of units synchronize their databases between one another. This provides the ability for the solution to carry on working in the event of loss of connectivity or failure to a single unit.
High availability is provided in an active/active scenario, where both Cisco NAC Guest Servers can service requests from sponsors or network devices at the same time. This capability also allows you to load balance the requests between the boxes.
Note
Not all system settings are replicated. Refer to Data Replicated to review which settings are not replicated.
Note
This chapter includes the following sections:
Setting Up Replication
Initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all of the data from the other Guest Server. The Guest Server that is configured to copy the data from the other device will be first set to delete all its own data. This ensures that no conflicts exist. Cisco recommends setting up replication at initial install time of Cisco NAC Guest Server, or when adding a new Guest Server to an existing implementation.
Warning
Once one of the Guest Servers has received a copy of the data from the other device they are synchronized and replication is turned on. Any data that is updated on one Guest Server is then automatically replicated to the other Guest Server.
All communication between the Cisco NAC Guest Servers is encrypted using SSL and runs over TCP destination port 5432.
Step 1
Step 2
Figure 12-1 Replication Settings
Step 3
Step 4
Step 5
Note
Step 6
Warning
Step 7
Step 8
Configuring Provisioning
When the Cisco NAC Guest Server provisions accounts in other systems, such as the Clean Access Manager, only one of the Guest Servers should be performing the provisioning at any one time.
One Cisco NAC Guest Server should be defined as the primary and the other as the secondary. The server set to primary will perform the provisioning by default. If a server is set to secondary it will check the status of the primary server, if it fails to contact the primary server three times then it will perform the provisioning. This process happens every minute when the provisioning service runs.
Step 1
Figure 12-2 Configuring Provisioning Order
Step 2
Step 3
Note
Replication Status
At any moment in time you can check the replication status of the Cisco NAC Guest Servers. This is useful to make sure replication is happening as you want it to.
Step 1
Figure 12-3 Replication Status
At the bottom of the page is the Replication Status. You can check the status of replication and how many changes need to be replicated between each device.
Recovering from Failures
Network Connectivity
When the network connectivity between two Cisco NAC Guest Servers fails the Cisco NAC Guest Servers will store up to 1GB of changes. When connectivity is restored if the amount of changes is less than 1GB they will synchronize with each other. If more than 1GB of changes are stored the Cisco NAC Guest Server will stop the replication process and you will need to setup replication again.
Device Failure
If one of the Cisco NAC Guest Servers in a replication pair fails and needs to be replaced, you should set up replication with the working server and the data will be re-synchronized to the device.
Warning
Step 1
Figure 12-4 Resetting Replication
Step 2
Step 3
Deployment Considerations
Connectivity
The Cisco NAC Guest Servers need to be provided with IP connectivity between the units. Cisco recommends making the network path between the devices resilient so that synchronization can always be performed. However if the devices become disconnected they will continue to function and store changes until they are connected back together and can re-establish communication. At that point they will re-synchronize databases.
Depending on the amount of activity that your Cisco NAC Guest Server performs you need to make sure that there is enough bandwidth between the server to enable synchronization to occur as rapidly as possible.
You can test connectivity by creating a large amount of accounts and watching how quickly the appliances synchronize by watching the status on the replication screen (Figure 12-3).
Load Balancing
Web Interface
Sponsor and Administration sessions can be services by both Cisco NAC Guest Servers when configured for replication. The Cisco NAC Guest Server however does not perform any redirection or automatic load balancing of requests.
To enable requests to both Cisco NAC Guest Servers concurrently, you must implement an external load balancing mechanism. Options include:
•
•
•
RADIUS Interface
The RADIUS interface on either Cisco NAC Guest Server can take requests at the same time.
Cisco recommends configuring one Cisco NAC Guest Server to be the primary for some RADIUS clients and the other Cisco NAC Guest Server to be the primary for the other RADIUS clients. For failover the RADIUS clients can have secondary RADIUS servers defined as the other Cisco NAC Guest Server if they support configuration of two servers.
Data Replicated
Cisco NAC Guest Server Replication replicates data that is stored in the database between replication pairs. The information in Table 12-1 is not replicated and is locally defined on each Cisco NAC Guest Server.
