Load Balancing RADIUS with HAProxy Enterprise UDP Module

HAProxy Enterprise now supports RADIUS load balancing with its new HAProxy Enterprise UDP Module. This blog post addresses some of the challenges with implementing RADIUS load balancing and shows how you can get started with the new module.

What is RADIUS load balancing?

RADIUS (Remote Authentication Dial-in User Service) is a protocol that communicates over UDP to manage authentication requests for users accessing a network. RADIUS load balancing distributes these authentication requests across backend servers, ensuring the high availability of your RADIUS services.

By preventing servers from becoming overwhelmed, RADIUS load balancing reduces the chance of blocked user authentication, which can lead to significant operational disruption. This makes RADIUS load balancing ideal for organizations that require robust access control mechanisms.

What are the challenges in implementing RADIUS load balancing?

RADIUS load balancing presents challenges due to its reliance on the UDP protocol, which offers no error correction or retransmission of lost packets for authentication requests. Therefore, it’s important that your load balancer be capable of maintaining a reliable delivery rate and high throughput while managing large volumes of RADIUS traffic.

Furthermore, integrating RADIUS load balancing within a network of other load balancers adds another layer of complexity to your infrastructure. A flexible load balancer capable of unifying UDP, TCP, and HTTP under a single solution can address this added layer of complexity.

As with other protocols, RADIUS load balancing requires health checks and failover mechanisms to ensure high availability, conduct maintenance, and redistribute traffic should a server fail. It’s imperative that your load balancer be capable of monitoring the health of backend servers to maintain authentication availability.

Lastly, as the number of users and devices in a network increases, your load balancer must be capable of seamlessly distributing traffic to new backend servers as you add them to support increasing traffic loads.

HAProxy Enterprise UDP Module

The HAProxy Enterprise UDP Module addresses the challenges that come with RADIUS load balancing (and more!). The module empowers users by exposing UDP services through HAProxy Enterprise, making it a suitable load balancer for time-sensitive applications such as RADIUS authentication traffic.

With the addition of the UDP module, HAProxy Enterprise unifies TCP, HTTP, and UDP load balancing. This single-solution approach to Layer 4 and Layer 7 load balancing reduces infrastructure complexity.

New to HAProxy Enterprise?

HAProxy is the world’s fastest and most widely used software load balancer and the G2 category leader in API management, container networking, DDoS protection, web application firewall (WAF), and load balancing. HAProxy Enterprise elevates the experience with authoritative support, robust multi-layered security, and centralized management, monitoring, and automation with HAProxy Fusion. HAProxy Enterprise and HAProxy Fusion provide a secure application delivery platform for modern enterprises and applications.

HAProxy Enterprise UDP Module offers faster and more reliable load balancing than other software load balancers. It also delivers dynamic traffic routing as you scale out your backend servers to handle increasing authentication requests. Health checks to monitor server health and the capability to conduct server maintenance without service interruption ensure the constant availability of your RADIUS services.

Getting started: RADIUS load balancing with HAProxy Enterprise

To get started with RADIUS load balancing, we’ll first have to install the UDP module. Our UDP module documentation covers everything you need to know about installing the UDP module. Once the UDP module is installed, you can configure RADIUS load balancing.

Configuring RADIUS load balancing

Now, configure the UDP module to load balance RADIUS authentication traffic. The UDP module listens on configured ports, balances requests to RADIUS servers, and returns responses to clients.

Use the example configuration below to start load balancing RADIUS traffic. In the example, the load balancer routes traffic to both RADIUS authentication (1812) and accounting (1813) ports:

udp-lb radius-auth
    dgram-bind 192.168.56.25:1812
    balance source
    option udp-check
    server srv1 10.10.10.10:1812 check
    server srv2 10.10.10.20:1812 check
    server srv3 10.10.10.30:1812 check

udp-lb radius-accounting
    dgram-bind 192.168.56.25:1813
    balance source
    option udp-check
    server srv1 10.10.10.10:1813 check
    server srv2 10.10.10.20:1813 check
    server srv3 10.10.10.30:1813 check

Understanding the configuration

The configuration is broken up into two sections using the keyword udp-lb and named radius-auth and radius-accounting.

We’ve specified a dgram-bind on the address 192.168.56.25, using port 1812 for radius-auth and port 1813 for radius-accounting. Make sure the ports you specify match the ports defined in your RADIUS configuration (1812 and 1813 are the RADIUS defaults).

The load balancing algorithm is set to source so that requests from the same client are routed to the same server (if the target server is healthy, and the number of running servers is not changed).

The option udp-check directive enables UDP-based health checks. The check keyword on each server line activates these health checks for individual servers, verifying their availability and health.

We did not set proxy-requests so that all requests from the same client are routed to the same server (unless the client session has expired or the server is no longer available). Similarly, we did not set proxy-responses as the RADIUS server will provide multiple responses.

Finally, we listed three servers that will receive the load balanced RADIUS traffic. These servers have been configured as RADIUS servers and will respond to requests on the default RADIUS ports 1812 and 1813.

Now you’re ready to load balance RADIUS traffic!
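To confirm that each backend listed above answers RADIUS itself, and not merely that a UDP port is open, you can probe it with an authenticated Status-Server request (RFC 5997). The script below is an added example, not part of the UDP module or of HAProxy's documentation. It assumes each server is configured to answer Status-Server and to accept the probing host as a client, and the shared secret is a placeholder.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12          # RFC 5997 request code
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 attribute type


def build_status_server(secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Status-Server packet with the mandatory Message-Authenticator attribute."""
    attr_zeroed = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attr_zeroed)) + request_auth
    # HMAC-MD5 over the whole packet with the attribute value zeroed, keyed by the secret.
    mac = hmac.new(secret, header + attr_zeroed, hashlib.md5).digest()
    return header + attr_zeroed[:2] + mac


def response_is_authentic(resp: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(resp) < 20:
        return False
    _code, resp_ident, length = struct.unpack("!BBH", resp[:4])
    if resp_ident != ident or not 20 <= length <= len(resp):
        return False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def probe(host: str, port: int, secret: bytes, timeout: float = 2.0) -> bool:
    """True only if host:port returns a correctly authenticated RADIUS reply in time."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_status_server(secret, ident, request_auth), (host, port))
            resp, _addr = sock.recvfrom(4096)
        except OSError:  # timeout, ICMP port unreachable, no route
            return False
    return response_is_authentic(resp, ident, request_auth, secret)


if __name__ == "__main__":
    # Backend addresses from the configuration above; the secret is a placeholder.
    for addr in ("10.10.10.10", "10.10.10.20", "10.10.10.30"):
        print(addr, "up" if probe(addr, 1812, b"PLACEHOLDER-SECRET") else "DOWN")
```

A reply that arrives but fails the authenticator check is reported as down, which catches a backend running with a mismatched shared secret.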

RADIUS accounting

Your RADIUS servers should be aware of the load balancing setup, especially for accounting purposes. RADIUS accounting involves two types of messages: session start and session end. The RADIUS servers should be able to log this information in shared storage (usually a database) to maintain consistency and accuracy in accounting records. Without this shared storage, you might face discrepancies in accounting data due to the distributed nature of the load balancing.
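The following added example (not HAProxy code) replays constructed accounting events to show how such discrepancies arise when the set of running servers changes between a session's Start and Stop. Source balancing is modelled here as the client address modulo the number of running servers, a simplified stand-in for the module's real hash. The client addresses and session IDs are invented for the illustration.

```python
import ipaddress

ALL_UP = ["srv1", "srv2", "srv3"]   # server names from the configuration above
SRV2_DOWN = ["srv1", "srv3"]        # srv2 has failed its health check

# Constructed events: (NAS source address, Acct-Session-Id, Acct-Status-Type, running servers)
EVENTS = [
    ("192.0.2.10", "s-10", "Start", ALL_UP),
    ("192.0.2.11", "s-11", "Start", ALL_UP),
    ("192.0.2.12", "s-12", "Start", ALL_UP),
    ("192.0.2.10", "s-10", "Stop", SRV2_DOWN),
    ("192.0.2.11", "s-11", "Stop", SRV2_DOWN),
    ("192.0.2.12", "s-12", "Stop", SRV2_DOWN),
]


def pick(client_ip, running):
    """Simplified source balancing: address modulo running servers (assumption)."""
    return running[int(ipaddress.ip_address(client_ip)) % len(running)]


def replay(events, shared):
    """Record each event in one shared store or in the chosen server's local store."""
    stores = {}
    for client_ip, session_id, status, running in events:
        store = "shared-db" if shared else pick(client_ip, running)
        stores.setdefault(store, {}).setdefault(session_id, set()).add(status)
    return stores


def incomplete(stores):
    """(store, session) pairs holding a Start without its Stop, or the reverse."""
    return sorted(
        (store, session_id)
        for store, sessions in stores.items()
        for session_id, seen in sessions.items()
        if seen != {"Start", "Stop"}
    )


if __name__ == "__main__":
    print("local logs :", incomplete(replay(EVENTS, shared=False)))
    print("shared log :", incomplete(replay(EVENTS, shared=True)))
```

In this model the session from 192.0.2.12 is split across srv3 and srv1 even though srv3 never failed, because a change in the number of running servers remaps clients of healthy servers too.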

Conclusion

With HAProxy Enterprise and the UDP Module, it’s easy to set up load balancing for your RADIUS servers and benefit from high-performance load balancing with reliable UDP packet delivery in a unified solution. Health checks and failover enable high availability, while dynamic backends and traffic routing enable seamlessly scalable infrastructure. 

For more information on RADIUS load balancing and the directives used for configuration, visit our UDP module documentation page on load balancing UDP with HAProxy Enterprise.

We’re working on ways to make configuring RADIUS load balancing even easier. Subscribe to our newsletter below to stay tuned for the latest updates.