Avatar of Cole Schmidt
Cole Schmidt
Flag for United States of America asked on

Clustering Questions

I have read a whole bunch of TechNet articles, and various tech pages about clustering, and I am now confused.

I am new to clustering.

I am trying to setup NPS failover.

Our NPS runs on Server 2008 Ent. R2 SP1.  That box also runs ADDS, ADCS.

NPS is functioning as a RADIUS server that provides authentication for Cisco AnyConnect VPN clients, and also enforces Wireless connection policies.

Our RADIUS wireless APs use Certs both client and server side (WPA2-ENT, PEAP)

The fact that we have a CA really complicates things... this would be very simple without the CA, as I could just install NPS on two boxes with identical config, and configure a second RADIUS server on the ASA.

I guess I need clarification on something....  I have heard of CA clustering... is that the same as Clustering a whole server?

If we need to do an entire server as a cluster, I am confused about the storage setup...  do the cluster nodes share the same OS partition?  I am assuming for a cluster to be fault tolerant, their partitions would have to run on some sort of redundant storage SEPARATE from the cluster nodes, right?

Please enlighten me...

We do not have a SAN, or any kind of iSCSI at the moment, that is about a year off for us.
Microsoft Server AppsMicrosoft Server OS

Avatar of undefined
Last Comment
kevinhsieh

8/22/2022 - Mon
arnold

Radius should not be clustered, most devices support the functionality of multiple servers
I.e. server a
Server b
Server c
Server e
With that the functionality includes marking a server that does not respond to requests as "dead"

Depending on the number of clients, one can control the distribution of the requests to servers by altering the order or combinations of servers.

Similarly for a CA, ne usually has one offline root server which signed a pair of subordinate issuing CAs' Certificate. The issuing CAs will share the storage where certificates are stored, while each signs the submitted request.  The root CA (these days can exist as a VM) and need ney be brought back when the subordinate CA's certificate are due for renewal or when it's own certificate needs renewing.
Root CA 20 year cert. subordinate CAs 5 year cert.
client certificates are one year certs.
ASKER CERTIFIED SOLUTION
kevinhsieh

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy