PrivacyIDEA Cluster (High Availability)

Hi all,

I’m totally new to PrivacyIDEA, and excuse me if my question is too broad.

We are thinking of setting up PrivacyIDEA in our environment and getting Cisco ASA, amongst other systems, to authenticate to it. However, we want to make sure that the system is highly available in case one of the PI servers goes down. I saw this great howto by wwalker on how to set it up, but what I want to know is: how do I get our systems to communicate with those two PI servers? Does PI have a built-in method for that? Do I configure it on the DNS level with round robin? Do I use a load balancer? What is the recommended way? (Again, I know it’s too broad, but we’re open to ideas.)

Many thanks!

Install the privacyidea-radius package, assuming you’re running on Ubuntu or a similar deb-based distribution. Then configure your ASA to perform VPN auth via RADIUS. The exact way to do that on the ASA, I’m unsure of.

Thanks very much, wwalker!
We are running PI on Ubuntu, but we are planning on using NPS.
What I want to know is: how can I configure those two PI servers to be seen as one (in case one goes down)?

Hello yara,

We use HAproxy for this purpose.

This runs on our radius server and has the four PI instances as its source (we do the same for the web frontend).
If you want to have the radius server redundant as well, then you can configure HAproxy on both radius servers.

If the ASA can’t manage two Radius servers, then I recommend using KeepAlive (successor of Pacemaker) on both Radius servers and passing the IP around if one is down.

The recommendation, however, as with the Galera cluster, is to have three servers here as well:

3 - Galera MariaDB cluster as database cluster
2-X - PrivacyIDEA servers with ProxySQL
2 - Radius servers with HAproxy, or 3 - Radius servers with HAproxy and Pacemaker
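To make the setup in the reply above concrete, here is an added example of an HAProxy configuration running on a RADIUS host and fronting four privacyIDEA instances for the privacyidea-radius plugin. It is not configuration from the thread or from the privacyIDEA project; the hostnames (pi1..pi4.example.internal), the local bind port 8443, the certificate paths and the health-check request (GET / expected to return 200) are all assumptions to adjust for your environment.

```haproxy
# Added example (assumed values): HAProxy on the RADIUS host, balancing the
# privacyidea-radius plugin's HTTPS calls across four privacyIDEA backends.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    option redispatch        # if the chosen backend fails to connect, try another
    retries 2
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Local TLS listener the RADIUS plugin talks to instead of one fixed PI server.
frontend privacyidea_in
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/radius-local.pem
    default_backend privacyidea_pool

backend privacyidea_pool
    balance roundrobin
    # Assumed health check: GET / on a healthy privacyIDEA node returns 200.
    # A node is pulled after 3 failed checks and re-added after 2 good ones.
    option httpchk GET /
    http-check expect status 200
    # TLS is kept end-to-end and the backend certificate is verified, so the
    # proxy does not forward credentials to an unverified host.
    default-server check inter 5s fall 3 rise 2 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
    server pi1 pi1.example.internal:443
    server pi2 pi2.example.internal:443
    server pi3 pi3.example.internal:443
    server pi4 pi4.example.internal:443
```

With this in place the RADIUS plugin is pointed at the local listener (the URL setting in the plugin's rlm_perl.ini, e.g. https://127.0.0.1:8443/validate/check, assuming the default path of that file and key name for your package version), so a failed PI node is simply skipped by the health check. Because token and challenge state live in the shared Galera database rather than on an individual PI node, plain round-robin is sufficient for /validate/check and no session stickiness is needed. To make the RADIUS host itself redundant, as the reply suggests, the same configuration is installed on the second RADIUS server and a floating IP is moved between them with keepalived or Pacemaker.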