Yubico Forum
https://forum.yubico.com/

More information about YubiRadius cluster/synchronization
https://forum.yubico.com/viewtopic.php?f=5&t=881

Author:  kevbo [ Tue Nov 27, 2012 9:07 pm ]
Post subject:  More information about YubiRadius cluster/synchronization

I've posted similar to this in a different thread, but I wanted to bring this back up to the top level.

I'm trying to set up a cluster of YubiRadius appliances, and I'm having trouble. I don't think I fully understand how the Synchronization setup is supposed to work.

I have three physical machines. I would like to think that that would be good for a synchronization setup: one appliance on each machine, for a total of 3. If 1 goes down, the other 2 keep operating.

Out of the box, this doesn't work. One of the 3 goes down, and the other two start denying all requests. Why? Can it be made to work with 3? I don't understand why you consider 4 a minimum, and why 4 would be better than 3.

In a previous thread, you've recommended 4 machines. Why do you recommend 4? If you have 4 running, how many can be _failed_ and have authentication still proceed?

You have also mentioned changing a setting called Sync Level. I don't understand what this setting does.

You've mentioned editing ykval-config.php to set the Sync Level. Upon looking at this, I'm not sure that's enough. The .php file seems to default to 60%, so at the very least, for the 25% setting to stick, I'd need to edit both the file and the template, right? If this is a setting that users will need to change, maybe it should be in the GUI?

Thanks,

Kevin

Author:  kevbo [ Thu Nov 29, 2012 3:13 pm ]
Post subject:  Re: More information about YubiRadius cluster/synchronization

Please, Yubico, some help?

Thanks,

Kevin

Author:  samir [ Fri Nov 30, 2012 10:07 am ]
Post subject:  Re: More information about YubiRadius cluster/synchronization

Hello,

An easy way to configure synchronization between multiple YubiRADIUS instances is to first start with a fully configured instance of YubiRADIUS (but without Synchronization configured on it) and make copies of the same VM (after powering down the VM). After making the copies, start the cloned VMs one by one, change their IP addresses and add the Synchronization configuration on each instance. This ensures that you start with an identical state of internal counters and YubiKey mappings on all synchronized instances of YubiRADIUS.

If you are planning to deploy 3 instances, you can use the three servers by setting the sync level to 33%; then, if one server fails, the remaining two can handle the authentication requests.

FYI, we do not recommend that customers use only two servers for synchronization, because if one server is down all data will be centralized on the remaining server, and if that server also fails there will be data loss. If you are still interested in using 2 servers for synchronization, please set the sync level to 0. We recommend that you have four servers and set the sync level to 25%, so that each request syncs with at least one other server. (For three servers, set the sync level to 33%.)

BTW, you can set the default sync level required in the validation server(s), but the clients can also tell the servers how much sync they require per request.

For more information about the sync level, please refer to the link: http://code.google.com/p/yubikey-val-server-php/

Here are the step by step instructions to set the sync level in YubiRADIUS:

1) SSH to the YubiRADIUS

2) Navigate to the location '/etc/ykval'

3) Open the ykval-config.php file

# vim ykval-config.php

4) Set the $baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] value as per your requirement (33 in case of 3 servers)

5) Save the file

6) Restart the ykval sync service

/etc/init.d/ykval-queue restart

If you have further questions, please feel free to write to “support @yubico.com”.

Hope this helps!

Best regards,
Samir.
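As an added worked example (not from this thread and not Yubico's own code), a small calculator that models the sync level the way the reply above uses it: the percentage of the *other* pool members that must acknowledge a request, rounded up to a whole server. That rounding rule is my assumption, but it reproduces the numbers above (25% of 3 peers and 33% of 2 peers both need one acknowledgement) and also explains the deny-all that Kevin saw with 3 servers at the 60% default.

```python
def required_acks(total_servers: int, sync_level: int) -> int:
    """Number of other pool members that must confirm a request.

    Assumption (illustrative, not taken from the thread): each server's
    sync pool holds the other total_servers - 1 members, and the required
    count is sync_level percent of that pool, rounded up.
    """
    if total_servers < 1:
        raise ValueError("need at least one server")
    if not 0 <= sync_level <= 100:
        raise ValueError("sync level is a percentage")
    peers = total_servers - 1
    # integer ceiling, so 2 peers at 33% -> 1 and 2 peers at 60% -> 2
    return -(-peers * sync_level // 100)


def max_tolerable_failures(total_servers: int, sync_level: int) -> int:
    """Servers that may be down while a surviving server can still answer.

    A surviving server can only collect acknowledgements from the other
    survivors, so it needs (survivors - 1) >= required_acks.
    """
    need = required_acks(total_servers, sync_level)
    return max(0, total_servers - 1 - need)


def cluster_report(total_servers: int, sync_level: int) -> dict:
    """Summary used by the table below; handy when sizing a pool."""
    return {
        "servers": total_servers,
        "sync_level": sync_level,
        "acks_needed": required_acks(total_servers, sync_level),
        "failures_tolerated": max_tolerable_failures(total_servers, sync_level),
    }


if __name__ == "__main__":
    # Constructed scenarios: the three layouts discussed in the thread
    # plus the 60% default that made the 3-node pool deny everything.
    for servers, level in [(3, 60), (3, 33), (4, 25), (2, 0), (2, 60)]:
        r = cluster_report(servers, level)
        print(f"{r['servers']} servers @ {r['sync_level']:>3}%: "
              f"{r['acks_needed']} ack(s) needed, "
              f"survives {r['failures_tolerated']} failure(s)")
```

Note that 2 servers at sync level 0 "survives" one failure only because no acknowledgement is required at all, which is exactly the replication gap the reply warns about.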

Author:  kevbo [ Fri Nov 30, 2012 3:38 pm ]
Post subject:  Re: More information about YubiRadius cluster/synchronization

I've previously responded to a similar post...

First, it appears that editing the _template_ file is also required if changing the setting is to survive any other changes made in the web GUI (like, changing a secret or a host). Am I right on that?

Also, you refer to a web page, but I didn't find any information on that page on sync level. I looked through the wiki pages linked on that page and also didn't find anything. Am I missing something?

I'm uncomfortable because I really don't understand how this syncing works. I also don't understand why you recommend 4, instead of 3.

This is too critical a piece of my system for me to not understand what it is doing, to be relying on setting what is basically a magic number.

Please help.

Thank you,

Kevin
