Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius load balancing

  • 1.  Radius load balancing

    Posted May 09, 2018 04:47 AM

    What load distribution are you generally seeing when using the load balancing feature on Aruba controllers towards Clearpass servers?

     

    I'm looking at a system with two supposedly equal Clearpass C3000V servers. One is getting almost 3 times as many requests as the other one. Both are subscribers in the same cluster. I have tried to figure out why this is happening, but I cannot find anything too obvious. Any tips on what to look for?

     

    One server group is configured on the Aruba controller with the two Clearpass servers as entries. Load Balance checkbox is checked.



  • 2.  RE: Radius load balancing

    EMPLOYEE
    Posted May 09, 2018 05:04 AM

    Others will comment on their individual experiences.  How it is supposed to work is here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/Enabling-Authentication-Server-Load-Balancing-Functionality/ta-p/180580

     

     



  • 3.  RE: Radius load balancing

    MVP EXPERT
    Posted May 09, 2018 05:18 AM

    What version of AOS are you using, as the method for selecting an auth server changed? There are a few sections in the User Guide which will give you some clues (I'm looking at 6.5.x).

     

    Starting from ArubaOS 6.5.1.0, the ArubaOS controllers perform load balancing of RADIUS accounting packets that are destined to external RADIUS Servers to ensure accounting load gets distributed. 
    
    Server-load-balancing is enabled for RADIUS accounting packets as well. Previously, the controller used the first authentication server in the server group list. The remaining servers in that group would be used in sequential order only when an authentication server was down. Thus, the controllers performed fail-over instead of load balancing of authentication servers.
    
    The load balancing algorithm computes the expected time taken to authenticate a new client for each authentication server and chooses that authentication server with the shortest expected authentication time.
    
    The load balancing algorithm maintains re-authentication stickiness, meaning that at the time of reauthentication, the request is forwarded to the same server where it was originally authenticated.

    Is there any latency or delay with the underutilised auth server? If you run the below command, it will give you some stats on each auth server.

     

    #show aaa authentication-server radius statistics

     



  • 4.  RE: Radius load balancing

    EMPLOYEE
    Posted May 09, 2018 06:03 AM

    zalion0,

     

    That note just states that Radius Accounting packets will also be load balanced.  The radius authentication method was not changed.



  • 5.  RE: Radius load balancing

    Posted May 09, 2018 06:22 AM

    Yes, when issuing the command "show aaa authentication-server radius statistics" we see that CPPM-02 has a lot higher "ExpAuthTm". I believe the controller is using this attribute to distribute the load. Hence, this server gets a fair amount fewer requests.

     

    We have looked at the CPPM server load in vSphere, but at first glance we couldn't find any significant difference in performance.

     

    The CPPM VMs run on different ESX hosts. We have tried to "cross-switch" the physical ESX host where the VM runs, but this didn't yield any noticeable effect in the load distribution.

     

     

    RADIUS Server Statistics
    ------------------------
    Server   Acct Rq  Raw Rq   PAP Rq  <->  ExpAuthTm  Uptime
    ------   -------  ------   ------  <->  ---------  ------
    CPPM-02  28942    103379   1392    <->  638        21:17:27
    CPPM-03  551755   2980100  38753   <->  34         15:6:42

    The controller uses AOS 6.5.3.6.



  • 6.  RE: Radius load balancing

    EMPLOYEE
    Posted May 09, 2018 06:47 AM

    Both of your controllers have different uptimes so their statistics are markedly different.  If they both had the same uptime, there might be a better comparison.



  • 7.  RE: Radius load balancing

    EMPLOYEE
    Posted May 09, 2018 07:19 AM

    Also, the requests to individual servers will never be exactly the same, because once a device uses an authentication server, it always reuses that server in subsequent authentications.  If one server is taking significantly longer to process authentications than another, new authentications will go to the server with the least latency.  Also, both servers would need to be in all of the same server groups on that controller so that things might be somewhat even.  There are many variables involved.
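
Added example (not part of any post in this thread, and not Aruba code): one way to compare the two servers on equal footing, given the uptime difference raised above, is to divide each server's request counter by its uptime before comparing. The parser handles only the abbreviated table as posted here; it assumes the Uptime field is days:hours:minutes and that the counters accumulate over that uptime. All function names are hypothetical.

```python
# Added example, not from the thread. SAMPLE re-types the rows posted above;
# "<->" marks the columns the poster left out.
SAMPLE = """\
Server  Acct Rq Raw Rq  PAP Rq <-> ExpAuthTm Uptime
------  ------- ------  ------ <-> --------- ------
CPPM-02 28942   103379  1392   <-> 638       21:17:27
CPPM-03 551755  2980100 38753  <-> 34        15:6:42
"""


def uptime_minutes(text):
    """Convert an Uptime field to minutes. Assumption: the format is d:h:m."""
    days, hours, minutes = (int(part) for part in text.split(":"))
    return (days * 24 + hours) * 60 + minutes


def parse_stats(output):
    """Parse the abbreviated table (7 whitespace-separated fields per row)."""
    rows = {}
    for line in output.splitlines():
        fields = line.split()
        # Skip title, header and dashed rows: a data row has numeric counters.
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        rows[fields[0]] = {
            "raw_rq": int(fields[2]),
            "exp_auth_tm": int(fields[5]),
            "uptime_min": uptime_minutes(fields[6]),
        }
    return rows


def load_report(output):
    """Per-server request rate, share of the total rate, and ExpAuthTm."""
    rows = parse_stats(output)
    rates = {name: r["raw_rq"] / r["uptime_min"] for name, r in rows.items()}
    total = sum(rates.values())
    return {
        name: {
            "rq_per_min": rates[name],
            "share": rates[name] / total,
            "exp_auth_tm": rows[name]["exp_auth_tm"],
        }
        for name in rows
    }


if __name__ == "__main__":
    for name, info in load_report(SAMPLE).items():
        print(f"{name}: {info['rq_per_min']:.1f} raw rq/min, "
              f"{info['share']:.1%} of load, ExpAuthTm {info['exp_auth_tm']}")
```

Under the d:h:m assumption, the posted rows give CPPM-03 about 98% of the per-minute raw request rate.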