I have a large network with more than 1500 PCs and 9000 user accounts in a university. We have classified users into 5 groups and are sharing bandwidth among them using MikroTik's hotspot with an NTTAC accounting backend. We not only control the maximum bandwidth/rate for a user but the time limits on internet access as well. In this scenario, all users are authenticated against an Active Directory server which runs NTTAC+ as well. We have set the gateway to a MikroTik machine with a hotspot page which adds a forwarding rule for user traffic after hotspot authentication (although user credentials are the same and are authenticated against the AD server, we do not use SSO, so that the user can work with local services when required and save his/her internet access time limits).

Now, there are some problems:

1 - It seems that with this large number of users, MikroTik has been pushed to its edge and cannot handle such traffic with hotspot.

2 - The AD server has become a point of failure and its absence results in losing many services.

Hence, I'm looking for best practices for large scale user-based (not pc/ip based) bandwidth sharing/shaping without having a single point of failure.

Hosm

1 Answer

Solving your AD single point of failure is actually pretty easy. We solved it by putting AD LDAP services (what I presume NTTAC+ uses) behind a load-balancer. That way we have 4 servers providing LDAP auth services from a single IP address, and the load-balancer makes sure that dead servers are removed. We're also a university (20K students, 3K staff) and these four servers are constantly hit by our SSO application, and just work. Even during Patch Tuesday when they all get rebooted.

One caveat is that you may need to put a new SSL certificate into those servers that includes the IP/DNS name of the load balancer.

sysadmin1138
  • Dear sysadmin. Thanks for your reply. What I meant by load-balancing is not balancing the load of authentication but sharing outgoing internet among users in terms of rate-limiting and limiting access times. However, I liked your practice of balancing auth. very much. How have you done this? What does your load-balancing run? – Hosm Feb 24 '11 at 01:49
  • @Hosm We use an F5 BigIP hardware load-balancer, which also does a LOT of other things for other services (such as handle SSL offloading). The same kind of thing can be done using free load-balancers like haproxy. – sysadmin1138 Feb 24 '11 at 01:54
  • Thanks sysadmin. What about my major question on user-based rate/time limiting of internet access? – Hosm Feb 24 '11 at 01:58
  • @Hosm I don't have any inputs there, we run wide open. But your existing SPOF I can help with. – sysadmin1138 Feb 24 '11 at 01:59
  • sysadmin, how do you prevent bandwidth-killing apps and users from dedicating your bandwidth? For example, a user with getbot software might create hundreds of HTTP downloading sessions. – Hosm Feb 24 '11 at 02:24
  • @Hosm That's for our network engineers, and I'm not one here. It helps that the bandwidth out of our WLAN is smaller than the WAN bandwidth. – sysadmin1138 Feb 24 '11 at 02:28
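The answer above describes the load-balanced-LDAP design only in outline and names haproxy as a free alternative to the F5. The configuration below is an added example (not from the original post or from either participant) showing how that design looks in haproxy: four domain controllers behind one virtual IP, with active LDAP health checks so a dead or rebooting server is pulled out of rotation automatically. All addresses (`10.0.0.10` for the VIP, `10.0.1.11`-`10.0.1.14` for the DCs) and server names are constructed placeholders; substitute your own. The TLS caveat from the answer still applies: clients connecting to the VIP validate the certificate presented by whichever DC answers, so each DC's certificate must carry the load balancer's DNS name (and IP, if clients connect by address) as a subject alternative name.

```haproxy
# /etc/haproxy/haproxy.cfg  (constructed example, not the original poster's setup)
global
    log /dev/log local0
    maxconn 4096

defaults
    mode    tcp                 # LDAP is plain TCP; haproxy passes bytes through
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Virtual IP that NTTAC+ / other LDAP clients point at (placeholder address)
frontend ldap_in
    bind 10.0.0.10:389
    default_backend ad_ldap

frontend ldaps_in
    bind 10.0.0.10:636
    default_backend ad_ldaps

backend ad_ldap
    balance leastconn           # spread long-lived binds across the DCs
    # Real LDAP health check: haproxy sends an anonymous bind and expects a
    # valid LDAP response, so a DC whose TCP port is open but whose directory
    # service is down is still marked failed.
    option ldap-check
    # inter 5s: probe every 5s; fall 2: two failures remove the server;
    # rise 3: three successes put it back (covers a Patch Tuesday reboot).
    server dc1 10.0.1.11:389 check inter 5s fall 2 rise 3
    server dc2 10.0.1.12:389 check inter 5s fall 2 rise 3
    server dc3 10.0.1.13:389 check inter 5s fall 2 rise 3
    server dc4 10.0.1.14:389 check inter 5s fall 2 rise 3

backend ad_ldaps
    balance leastconn
    # TLS is terminated on the DCs, not here, so the check can only confirm
    # that each DC completes a TLS handshake on 636.
    option ssl-hello-chk
    server dc1 10.0.1.11:636 check inter 5s fall 2 rise 3
    server dc2 10.0.1.12:636 check inter 5s fall 2 rise 3
    server dc3 10.0.1.13:636 check inter 5s fall 2 rise 3
    server dc4 10.0.1.14:636 check inter 5s fall 2 rise 3
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and test a failover by stopping the LDAP service on one DC and confirming binds to `10.0.0.10` keep succeeding. Note that haproxy itself is now the component to make redundant (for example, two haproxy nodes sharing the VIP with keepalived/VRRP), otherwise the single point of failure has simply moved from the domain controller to the load balancer.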