Replication and High Availability
To provide high availability, the Cisco NAC Guest Server solution can be configured so that a pair of units synchronize their databases with one another. This allows the solution to keep working if connectivity to a single unit is lost or the unit itself fails.
High availability is provided in an active/active scenario, where both Cisco NAC Guest Servers can service requests from sponsors or network devices at the same time. This capability also allows you to load balance the requests between the boxes.
Replication is only supported between Guest Servers running identical versions of software.
Note
Not all system settings are replicated. Refer to Data Replication to review which settings are not replicated.
Note
For load balancing, external load balancers must be used to load balance the web interface. RADIUS requests can also be load balanced via external load balancers or by configuration.
This chapter includes the following sections:
•
Configuring Replication
•
Configuring Provisioning
•
Replication Status
•
Recovering from Failures
•
Deployment Considerations
Configuring Replication
Initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all of the data from the other Guest Server. The Guest Server that is configured to copy the data from the other device is first set to delete all of its own data. This ensures that no conflicts exist. Cisco recommends setting up replication at initial installation of Cisco NAC Guest Server, or when adding a new Guest Server to an existing implementation.
Note
If one of the Guest Servers is not active, the replication configuration pages can take up to 60 seconds to load. This is because the Guest Server checks the other box multiple times to verify that it can be reached.
Warning
During initial replication, all data on one of the Guest Servers is overwritten. If you have data that is needed on both of the Guest Servers, do not configure replication, as that data will be lost.
Once one of the Guest Servers has received a copy of the data from the other device, they are synchronized and replication is turned on. Any data that is updated on one Guest Server is then automatically replicated to the other Guest Server.
All replication traffic between the Cisco NAC Guest Servers is encrypted using SSL and is sent to TCP destination port 5432 on the peer; only the two Guest Servers need to reach each other on this port. In addition, ports 443 and 80 are used between the units and should be left open.
Note
No sensitive information flows over HTTP, so ports 443 and 80 can be left open between the units.
Step 1
Before starting, create a backup of the Cisco NAC Guest Server by following the instructions in Configuring Backup and Taking Snapshots.
Step 2
From the administration interface, select Server > Replication Settings as shown in Figure 14-1.
Figure 14-1 Replication Settings
Step 3
Enter the Remote Guest Server address. This is the address of the Cisco NAC Guest Server with which you want to enable replication.
Step 4
Enter a Shared Secret and confirm it. The shared secret is used to authenticate with the other Cisco NAC Guest Server. The shared secret must be identical on both Guest Servers.
Step 5
Set the Replication Mode to On.
Note
Setting a server's Replication Mode to Off removes it from the replication process. There is no way to re-synchronize a server other than starting the process from the beginning, which means losing the non-replicated data on one of the servers. Only turn replication off if you are making a standalone system.
Step 6
Turning on replication enables you to specify whether this server is the one that contains the current data or copies data from the other server:
a.
Choose This node contains the data if you want to keep the data from this server.
b.
Choose This node will copy data from other node if you want to erase all data on this server and copy the data from the other server.
Warning
Make sure you set these correctly on each server, otherwise you will lose data: exactly one server must be set to This node contains the data, and the other to This node will copy data from other node. Cisco strongly recommends creating a backup before running this procedure.
Step 7
Click Save Settings to save the settings and turn on the replication process.
Step 8
Access the administration interface of the other Guest Server, and repeat Step 1 through Step 7 to set up replication on the other server.
Configuring Provisioning
When the Cisco NAC Guest Server provisions accounts in other systems, such as the Clean Access Manager, only one of the Guest Servers should be performing the provisioning at a time.
One Cisco NAC Guest Server should be defined as the primary and the other as the secondary. The server set to primary performs the provisioning by default. A server set to secondary checks the status of the primary server each time the provisioning service runs, which is every minute. If it fails to contact the primary server three times, it performs the provisioning itself.
Step 1
From the administration interface, select Server > Replication Settings as shown in Figure 14-1.
Step 2
Select the Provisioning to be Primary if you want this server to perform the provisioning under normal conditions. Select Secondary if you want this server to only perform provisioning if the primary server cannot be contacted.
Step 3
Click the Save button.
Note
Only one of the servers should be set to Primary; otherwise both servers may create or delete the same accounts, causing errors.
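The takeover logic described above is small enough to model. The following is an added example, not Cisco code: it runs the per-minute provisioning service on two simulated nodes, shows the secondary taking over after three failed contacts with the primary, and shows what the note above warns about, namely that two nodes both set to Primary provision every account twice. It also shows the mirror-image misconfiguration, two nodes both set to Secondary, in which nothing is ever provisioned. The following are assumptions, not stated on the page: the three failed contacts must be consecutive, the failure counter resets once the primary answers again, and accounts awaiting provisioning sit in the replicated database so either node can see them. Node and account names are constructed.

```python
# Added example (not Cisco code): a small model of the primary/secondary
# provisioning logic. Assumptions, not stated on the page: the three failed
# contacts must be consecutive, the counter resets when the primary answers
# again, and accounts awaiting provisioning sit in the replicated database
# so either node can see them.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FAILURES_BEFORE_TAKEOVER = 3   # "fails to contact the primary server three times"


@dataclass
class GuestServer:
    name: str
    role: str                       # "primary" or "secondary"
    reachable: bool = True          # False models a failed or isolated node
    consecutive_failures: int = 0   # only used on a secondary
    provisioned: List[str] = field(default_factory=list)

    def provisioning_run(self, peer: "GuestServer", batch: List[str]) -> bool:
        """One run of the per-minute provisioning service.

        Returns True if this node provisioned the batch."""
        if self.role == "primary":
            # The primary provisions unconditionally and never probes the peer.
            self.provisioned.extend(batch)
            return True
        # A secondary first checks whether the primary can be contacted.
        if peer.reachable:
            self.consecutive_failures = 0      # assumption: reset on success
            return False
        self.consecutive_failures += 1
        if self.consecutive_failures >= FAILURES_BEFORE_TAKEOVER:
            self.provisioned.extend(batch)     # take over provisioning
            return True
        return False


def simulate(role_a: str, role_b: str,
             a_down_from: Optional[int] = None, minutes: int = 6) -> Dict[str, List[str]]:
    """Run both nodes for `minutes` provisioning cycles.

    Each minute one constructed account (acct<minute>) is created and queued.
    Node A stops running and becomes unreachable from minute `a_down_from`.
    Returns what each node provisioned, the accounts provisioned twice, and
    any accounts still waiting at the end."""
    a = GuestServer("A", role_a)
    b = GuestServer("B", role_b)
    queue: List[str] = []                  # accounts not yet provisioned
    for minute in range(minutes):
        if a_down_from is not None and minute >= a_down_from:
            a.reachable = False
        queue.append(f"acct{minute}")
        batch = list(queue)                # both nodes see the same pending set
        did_a = a.provisioning_run(b, batch) if a.reachable else False
        did_b = b.provisioning_run(a, batch)
        if did_a or did_b:
            queue.clear()
    return {
        "A": a.provisioned,
        "B": b.provisioned,
        "duplicates": sorted(set(a.provisioned) & set(b.provisioned)),
        "backlog": queue,
    }


if __name__ == "__main__":
    print("normal:        ", simulate("primary", "secondary"))
    print("A fails at t=2:", simulate("primary", "secondary", a_down_from=2))
    print("both primary:  ", simulate("primary", "primary", minutes=2))
    print("both secondary:", simulate("secondary", "secondary", minutes=2))
```

In the outage run, accounts created in the two minutes after the primary disappears wait in the backlog and are provisioned by the secondary on its third failed probe, so a sponsor creating accounts during that window sees a delay of up to three minutes rather than a loss. The two misconfigured runs are the cases to check for after setting up a pair: duplicate provisioning when both are Primary, and a backlog that never drains when both are Secondary.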
Replication Status
At any time, you can check the replication status of the Cisco NAC Guest Servers. This is useful to make sure replication is happening as set.
Step 1
From the administration interface, select Server > Replication Settings as shown in Figure 14-1.
At the bottom of the page is the Replication Status. Here you can check the state of replication and the number of changes that still need to be replicated between the two devices.
Recovering from Failures
Network Connectivity
When network connectivity between two Cisco NAC Guest Servers fails, each Guest Server stores up to 1GB of changes. When connectivity is restored and the stored changes total less than 1GB, the servers synchronize with each other. If more than 1GB of changes have accumulated, the Cisco NAC Guest Server stops the replication process and you need to set up replication again.
Device Failure
If one of the Cisco NAC Guest Servers in a replication pair fails and needs to be replaced, set up replication between the replacement and the working server, with the working server as the one that contains the data. The data is then re-synchronized to the replacement device.
Warning
Do not restore the failed unit from a backup. Restoring from a backup onto one unit in a replication pair will result in not having an exact replica of the data on both servers. Refer to Restoring Backups for additional details.
Step 1
From the administration interface, select Server > Replication Settings as shown in Figure 14-2.
Figure 14-2 Resetting Replication
Step 2
Set Replication Mode to Off on both of the Guest Servers.
Step 3
Follow the instructions in Configuring Replication and ensure that you set the working server as the one with the data.
Deployment Considerations
Connectivity
The Cisco NAC Guest Servers need to be provided with IP connectivity between the units. Cisco recommends making the network path between the devices resilient so that synchronization can always be performed. However, if the devices are disconnected, they will continue to function and store changes until they are connected back together and can re-establish communication. At this point, they will re-synchronize databases.
Depending on the amount of activity that your Cisco NAC Guest Server performs, you need to make sure that there is enough bandwidth between the servers to enable synchronization to occur as rapidly as possible.
You can test connectivity by creating a large number of accounts and observing, in the Replication Status shown in Figure 14-1, how quickly the number of pending changes drops as the appliances synchronize.
Load Balancing
Web Interface
Sponsor and Administration sessions can be serviced by both Cisco NAC Guest Servers when configured for replication. However, the Cisco NAC Guest Server does not perform any redirection or automatic load balancing of requests.
To enable requests to both Cisco NAC Guest Servers concurrently, you must implement an external load balancing mechanism. Options include:
•
Network based Load Balancing—such as the Cisco CSS, GSS, CSM or ACE platforms. The only requirement for the load balancing is that a client is serviced by the same Cisco NAC Guest Server for its entire session. Individual requests cannot be load balanced between servers, because the Cisco NAC Guest Server does not replicate sponsor/admin session information (this keeps bandwidth requirements down). The most common way to achieve this is to stick connections to the same Cisco NAC Guest Server based on source IP address.
•
DNS Round robin—Using your DNS server, configure the domain name of the Cisco NAC Guest Server to return both IP addresses for the Cisco NAC Guest Server in a round-robin configuration. This method does not provide failover between appliances in the event of a failure.
•
Publishing multiple URLs—This allows each user to choose the server they want to use.
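The requirement above, that every request of a sponsor or administrator session reach the same Guest Server, follows directly from session state being kept locally on each node. The following is an added example, not Cisco or load-balancer code, that models two Guest Server web front ends with purely local session stores behind a balancer in two modes: plain round-robin, which sends follow-up requests to the node that never saw the login, and source-IP stickiness, which keeps each client on one node. It also shows the caveat that stickiness is not session failover: when the node holding a session goes down, the client lands on the peer and has to log in again. Node names, the session-id scheme, the sponsor list and the hash-based stickiness are all constructed for the demonstration.

```python
# Added example (not Cisco or load-balancer code): why sponsor/admin web
# sessions must stick to one Cisco NAC Guest Server. The page states that
# session information is not replicated between the units; everything else
# here (node names, session-id scheme, sponsor list, hash-based stickiness)
# is constructed for the demonstration.
import hashlib
import itertools
from typing import Dict, List, Tuple


class GuestServerWeb:
    """One node's web interface with a purely local session store."""

    def __init__(self, name: str):
        self.name = name
        self.up = True
        self.sessions: Dict[str, str] = {}   # session id -> sponsor

    def login(self, sponsor: str) -> str:
        raw = f"{self.name}:{sponsor}:{len(self.sessions)}".encode()
        sid = hashlib.sha256(raw).hexdigest()[:16]
        self.sessions[sid] = sponsor
        return sid

    def request(self, sid: str) -> int:
        # 200 when the session was created here, 401 when it lives on the other node.
        return 200 if sid in self.sessions else 401


class LoadBalancer:
    """Sends each request to a live node, either round-robin or by hashing
    the client source IP (the stickiness the text recommends)."""

    def __init__(self, nodes: List[GuestServerWeb], mode: str):
        self.nodes = nodes
        self.mode = mode                      # "round_robin" or "source_ip"
        self._rr = itertools.cycle(range(len(nodes)))

    def pick(self, client_ip: str) -> GuestServerWeb:
        live = [n for n in self.nodes if n.up]
        if not live:
            raise RuntimeError("no Guest Server available")
        if self.mode == "round_robin":
            return live[next(self._rr) % len(live)]
        digest = hashlib.sha256(client_ip.encode()).hexdigest()
        return live[int(digest, 16) % len(live)]


# Constructed sponsors: (username, source IP as seen by the load balancer).
SPONSORS = [("alice", "198.51.100.7"), ("bob", "198.51.100.23"),
            ("carol", "203.0.113.41"), ("dave", "203.0.113.99")]


def run_session(lb: LoadBalancer, client_ip: str, sponsor: str, requests: int = 5) -> int:
    """Log in through the balancer, then make follow-up requests; count the 401s."""
    sid = lb.pick(client_ip).login(sponsor)
    return sum(1 for _ in range(requests) if lb.pick(client_ip).request(sid) != 200)


def failed_requests(mode: str) -> int:
    """Total failed follow-up requests for all SPONSORS under one balancer mode."""
    lb = LoadBalancer([GuestServerWeb("ngs-a"), GuestServerWeb("ngs-b")], mode)
    return sum(run_session(lb, ip, name) for name, ip in SPONSORS)


def failover_demo(client_ip: str = "198.51.100.7") -> Tuple[int, int]:
    """Stickiness is not session failover: when the node holding the sponsor's
    session goes down, the next request lands on the peer and must
    re-authenticate. Returns (status before the failure, status after)."""
    lb = LoadBalancer([GuestServerWeb("ngs-a"), GuestServerWeb("ngs-b")], "source_ip")
    node = lb.pick(client_ip)
    sid = node.login("alice")
    before = lb.pick(client_ip).request(sid)
    node.up = False                           # the sponsor's node fails
    after = lb.pick(client_ip).request(sid)
    return before, after


if __name__ == "__main__":
    print("round-robin 401s:  ", failed_requests("round_robin"))   # 12
    print("source-ip 401s:    ", failed_requests("source_ip"))     # 0
    print("after node failure:", failover_demo())                  # (200, 401)
```

With two nodes and plain round-robin, every other follow-up request is rejected because it reaches the node that never issued the session; with source-IP stickiness none are. The failover run is the reason the list above notes that DNS round robin gives no failover and that the balancer must pin the whole session: a failed node costs its users a fresh login, which is acceptable, whereas alternating requests between nodes makes the interface unusable.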
RADIUS Interface
The RADIUS interface on either Cisco NAC Guest Server can take requests at the same time.
Cisco recommends configuring one Cisco NAC Guest Server to be the primary for some RADIUS clients and the other Cisco NAC Guest Server to be the primary for the other RADIUS clients. For failover, the RADIUS clients can have secondary RADIUS servers defined as the other Cisco NAC Guest Server, if they support configuration of two servers.
Data Replication
Replication copies the data stored in the database between the two Guest Servers in a replication pair.
The following information is not replicated and is defined locally on each NAC Guest Server.
•
Email settings—SMTP Server
•
Templates—Logo
•
Network settings
–
Domain name
–
Hostname
–
IP Address
–
Subnet mask
–
Default gateway
–
Nameserver 1
–
Nameserver 2
•
Date/Time settings
–
Date
–
Time
–
Locale
–
NTP server 1
–
NTP server 2
•
SSL settings
–
SSL Certificate
–
Root CA Certificate
–
Private key
•
SNMP settings
•
Backup
–
Max number of backups
–
Frequency
–
FTP settings
•
Licensing—License file
•
Hot Spot—All files