Recommended Deployment of GreenRADIUS for High Availability (HA)

Introduction

To avoid a single point of failure, GreenRADIUS offers a synchronized mode of operation for High Availability.

In this mode, the following updates are synced across configured GreenRADIUS instances:

• Token secrets
• User-token assignments
• Token states
• User single-factor/two-factor settings
• User-PINs

Because GreenRADIUS is designed for High Availability, depending on the overall network topology, the GreenRADIUS deployment requires a minimum of three (3) servers configured in synchronized mode so the HA cluster can operate and authenticate login attempts even if one of the GreenRADIUS servers is for some reason out of service or unreachable (and thus failing to authenticate.)

This document describes the steps to set up multiple GreenRADIUS servers in synchronized mode for high availability.

Pre-Requisites

• GreenRADIUS servers configured in synchronized mode
• Ensure the following information is identical on all of the GreenRADIUS servers:
  • Token secrets
  • Domain name(s)
  • LDAP configurations
  • Users
  • Validation server settings
• TCP Port 443 must be kept open and reachable through firewalls for all configured GreenRADIUS servers

GreenRADIUS Sync Configuration

Navigate to the GreenRADIUS web admin interface, Global Configuration > Synchronization.

Determine an alpha-numeric string to be used as the "Server Secret (shared encryption key)" on all GreenRADIUS servers. Enter the secret twice in the "Local Server Configuration" section, then click the "Update" button.

In the "Add Server" configuration section, add the IP address or hostname and the same server secret of another GreenRADIUS server, then click the Add button. Repeat this until all other GreenRADIUS instances havee been added.

For example, in the case of syncing three (3) GreenRADIUS servers, see below: