Configure NLB on NPS Proxy Server in windows 2008 R2

  • Question

  • Hi,


    We have 2 NPS Proxy and 2 NPS Server and we have planned to implement an NLB cluster for NPS Proxy, so RADIUS Client can use the NLB IP address for communication rather than the 2 NPS Proxy addresses.


    We have configured NLB on the NPS Proxy Servers, but RADIUS Clients are unable to recognize the NLB IP.


    NLB details:-

    The Hosts are converged

    Default port rules are set

    Filtering mode - Multiple hosts

    Affinity - Single

    Load weight - Equal


    Can anyone help?


    Thanks

    Saravanan

    Saturday, March 17, 2012 5:53 PM

All replies

  • Hi Saravanan,

    Thanks for posting here.

    If we already have an NPS proxy server, then it is not necessary to enable the NLB service on it, because NPS proxy can do this on its own:

    Load Balancing with NPS Proxy
    http://technet.microsoft.com/en-us/library/dd197433(WS.10).aspx

    Thanks.

    Tiger Li


    Tiger Li

    TechNet Community Support

    • Proposed as answer by Choakumchild Wednesday, May 17, 2017 1:09 PM
    Monday, March 19, 2012 10:53 AM
  • Hi Tiger,

    Thank you for the reply,

    But we have old RADIUS clients which support only one RADIUS Proxy IP address in their configuration. Hence, to overcome this, we would like to point the RADIUS Client to the NLB IP.

    Thanks

    Saravanan

    Thursday, March 22, 2012 8:21 AM
  • Hi,

    Thanks for update.

    It is OK to use a single RADIUS proxy server to forward the traffic to RADIUS servers based on the priority and weight we defined:

    • Use NPS configured as a RADIUS proxy to load balance connection requests between multiple NPS servers or other RADIUS servers. For example, if you have 100 wireless access points, one NPS proxy, and three RADIUS servers, you can configure the access points to send all traffic to the NPS proxy. On the NPS proxy, configure load balancing so that the proxy evenly distributes the connection requests between the three RADIUS servers. This method of load balancing is best for medium and large organizations that have many RADIUS clients and servers.

    If we still want failover for the proxy role by having multiple NPS proxy nodes served with NLB, then please first build NLB by following the steps in the guide below and set the necessary RADIUS ports and protocol in the NLB parameters. After that we also need to sync configurations between all proxy and RADIUS servers by exporting and importing the configuration file or using NPS templates:

    Network Load Balancing Deployment Guide
    http://technet.microsoft.com/en-us/library/cc754833(WS.10).aspx

    Configure NPS UDP Port Information
    http://technet.microsoft.com/en-us/library/cc731277.aspx

    Export an NPS Server Configuration for Import on Another Server
    http://technet.microsoft.com/en-us/library/cc732059(WS.10).aspx

    Thanks.

    Tiger Li


    Tiger Li

    TechNet Community Support

    Thursday, March 22, 2012 8:50 AM
  • Hi,

    The NLB is configured and the default port rule is set on the NLB.

    We are able to ping and take RDP using the NLB IP, but RADIUS Clients are unable to detect the RADIUS Proxy server using the NLB IP.

    And the configurations for the Proxy and RADIUS Server is synced.

    Thanks

    Saravanan


    Friday, March 23, 2012 6:55 AM
  • Hi Saravanan,

    Thanks for update.

    Is the address we assigned to the RADIUS client device in the same IP segment as the VIP? Which mode did we set to use?

    http://social.technet.microsoft.com/Forums/en/winserverClustering/thread/801d32d1-ae2a-4bc1-9c52-e9ffdb1ffe8c

    Thanks.

    Tiger LI


    Tiger Li

    TechNet Community Support

    Friday, March 23, 2012 8:00 AM
  • Hi Tiger,

    Thanks for update.

    The address we assigned to RADIUS client device is in the same IP segment where VIP is.

    Which mode did we set to use? - Unicast.

    Thanks.

    Saravanan

    Friday, March 23, 2012 12:23 PM
  • Hi Saravanan, the problem with having 2 NPS proxies with NLB is that the request goes to the virtual IP but the response goes out with one of the real addresses. I'm trying to get around this but I have not been able to. So only insecure clients that accept response packets from an IP other than the one they requested will work.

    This is a pain in the ass, and there seems to be no way to bind the NPS service to use the virtual IP for outbound traffic.

    Friday, August 31, 2012 5:28 AM
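The behaviour described in the post above, as an added diagnostic example that is not part of the thread: it pairs RADIUS requests and replies from a capture, verifies the RFC 2865 Response Authenticator, and flags replies that are cryptographically valid but arrive from an address other than the one the client sent to. The 192.0.2.x addresses, shared secret, packets and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
SECRET = b"constructed-secret"  # constructed shared secret, sample only
VIP, NODE_A, NODE_B, AP = "192.0.2.167", "192.0.2.166", "192.0.2.158", "192.0.2.20"

def build_request(ident, req_auth):
    """Access-Request with no attributes: code, id, length, 16-byte authenticator."""
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20, req_auth)

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """Reply authenticator = MD5(code+id+length+RequestAuth+attrs+secret), RFC 2865."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def reply_auth_ok(reply, req_auth, secret):
    length = struct.unpack("!H", reply[2:4])[0]
    want = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

def classify(capture, secret):
    """capture: (src_ip, dst_ip, radius_payload) tuples in time order."""
    pending, findings = {}, []
    for src, dst, pkt in capture:
        code, ident = pkt[0], pkt[1]
        if code == ACCESS_REQUEST:
            pending[(src, ident)] = (dst, pkt[4:20])  # address the client queried
            continue
        if (dst, ident) not in pending:
            findings.append((ident, None, src, "unsolicited"))
            continue
        asked, req_auth = pending.pop((dst, ident))
        valid = reply_auth_ok(pkt, req_auth, secret)
        verdict = "bad-authenticator" if not valid else ("ok" if src == asked else "source-mismatch")
        findings.append((ident, asked, src, verdict))
    return findings

# Constructed capture: one request sent to the NLB VIP, one sent to a node directly.
RA1, RA2 = bytes(range(16)), bytes(range(16, 32))
CAPTURE = [
    (AP, VIP, build_request(7, RA1)),
    (NODE_A, AP, build_reply(ACCESS_ACCEPT, 7, RA1, SECRET)),
    (AP, NODE_B, build_request(8, RA2)),
    (NODE_B, AP, build_reply(ACCESS_ACCEPT, 8, RA2, SECRET)),
]

if __name__ == "__main__":
    print(*classify(CAPTURE, SECRET), sep="\n")
```

A "source-mismatch" row for requests sent to the VIP, alongside "ok" rows for requests sent to a node address, matches the symptom reported in this thread.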
  • Hi Tiger, any comments on my previous post? Please, I'm stuck on this.
    Monday, October 1, 2012 7:28 PM
  • Hi Saravanan,

    Thanks for posting here.

    If we already have an NPS proxy server, then it is not necessary to enable the NLB service on it, because NPS proxy can do this on its own:

    Load Balancing with NPS Proxy
    http://technet.microsoft.com/en-us/library/dd197433(WS.10).aspx

    Thanks.

    Tiger Li


    Tiger Li

    TechNet Community Support

    I have a similar issue.

    I have configured Network Load Balancing (NLB) on 2 Hyper-V virtual servers (.166 and .158) for load balancing between servers, which originated a virtual IP (.167), which in turn works.

    These 2 virtual servers that are part of NLB are 2 servers with Network Policy Server that works as Radius server for wireless authentication that also works.

    I put an ARP entry on the router for the NLB virtual IP to work; this way the 3 IPs ping.

    When connecting the PC to the AP if you put the IP of the virtual server (.166 and .158) as the destination ip, it works fine.

    If you put the NLB virtual IP it does nothing ... it stays connecting ... and then it fails, because the authentication is .166 and .158.

    Possibly the AP arrives at the virtual IP and does nothing because it does not authenticate. I think the solution would be when it reaches the virtual IP (.167) forward to .166 or 158 with different weights ..

    Does anyone know how to solve this ??

    I guess NPS Proxy isn't the best solution, because with this, I have one point of failure... I want the NLB in case one of the servers fails.

    Wednesday, May 17, 2017 1:10 PM