Forum Discussion
Fred_Slater_856
Feb 25, 2015Historic F5 Account
There are at least 2 solutions. One is to build and iRule and attach it to your iApp. See https://devcentral.f5.com/wiki/iRules.RADIUS__avp.ashx. The other is to apply the radius profile with persist-avp (tmsh create ltm profile radius radiusLB persist-avp). I believe the latter is more straightforward, but unfortunately it is not implemented in the f5.radius iApp in 11.5.
- Martin_SharrattFeb 26, 2015NimbostratusThanks very much for this Fred. I'll hopefully be able to give this a try over the next few days. Will post back with results.
- Fred_Slater_856Feb 26, 2015Historic F5 AccountThanks Martin. I am especially interested in the result when you create the following attribute-value persistence profile and attach it to your radius virtual. ltm profile radius my_radiusLB { defaults-from radiusLB persist-avp 1 }
- Fred_Slater_856Mar 10, 2015Historic F5 AccountMartin- I set up a pair of freeradius servers, and am successfully load balancing between them with datagram-load-balancing and no radiusLB profile using a simple radtest -t mschap test. Is there an easy way for me to reproduce the problem you are seeing?
- Martin_SharrattMar 18, 2015NimbostratusSorry it's taken so long but I've finally found some time to replicate the live config on a test F5 and radius servers and guess what, I've found the same. Using radtest I get successful load balancing using the out-of-the box Radius iApp. I then tried this using radtest on the production setup with the same result. I'm starting to think the problem is with the client rather than the F5.
- Fred_Slater_856Mar 18, 2015Historic F5 AccountInteresting. A tcpdump comparison might help to see the difference between clients. Post what you find!
- Martin_SharrattMar 18, 2015NimbostratusFunnily enough I've just done that - snippet below but some explanation: The clients are xxx.xxx.148.104 - radtest client xxx.xxx.4.22 - Wireless controller xxx.xxx.127.136 and xxx.xxx.127.137 radius servers The snippets show the radtest evenly balancing between 127.136 and 127.137 and the wireless controller sticking with 127.136. But they also show a different conversation. Radtest is request-accept whereas wireless controller is request-challenge. Radtest 16:28:09.379760 IP xxx.xxx.148.104.36980 > xxx.xxx.127.137.radius: RADIUS, Access Request (1), id: 0xc3 length: 129 16:28:09.423763 IP xxx.xxx.127.137.radius > xxx.xxx.148.104.36980: RADIUS, Access Accept (2), id: 0xc3 length: 108 16:28:09.476146 IP xxx.xxx.148.104.33658 > xxx.xxx.127.137.radius: RADIUS, Access Request (1), id: 0x25 length: 129 16:28:09.520002 IP xxx.xxx.127.137.radius > xxx.xxx.148.104.33658: RADIUS, Access Accept (2), id: 0x25 length: 108 16:28:09.571885 IP xxx.xxx.148.104.36908 > xxx.xxx.127.137.radius: RADIUS, Access Request (1), id: 0x9a length: 129 16:28:09.622050 IP xxx.xxx.127.137.radius > xxx.xxx.148.104.36908: RADIUS, Access Accept (2), id: 0x9a length: 108 16:28:09.672034 IP xxx.xxx.148.104.52581 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xa6 length: 129 16:28:09.735969 IP xxx.xxx.127.136.radius > xxx.xxx.148.104.52581: RADIUS, Access Accept (2), id: 0xa6 length: 108 16:28:09.785786 IP xxx.xxx.148.104.46811 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x90 length: 129 16:28:09.848582 IP xxx.xxx.127.136.radius > xxx.xxx.148.104.46811: RADIUS, Access Accept (2), id: 0x90 length: 108 16:28:09.898973 IP xxx.xxx.148.104.59440 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x01 length: 129 16:28:09.966831 IP xxx.xxx.127.136.radius > xxx.xxx.148.104.59440: RADIUS, Access Accept (2), id: 0x01 length: 108 16:28:10.017341 IP xxx.xxx.148.104.50813 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x6b length: 129 16:28:10.096661 IP xxx.xxx.127.136.radius > xxx.xxx.148.104.50813: RADIUS, Access Accept (2), id: 0x6b length: 108 Wireless controller 16:28:09.300715 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x80 length: 233 16:28:09.304035 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0x80 length: 694 16:28:09.384252 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x65 length: 371 16:28:09.389125 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0x65 length: 123 16:28:09.399242 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xb7 length: 233 16:28:09.401953 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0xb7 length: 101 16:28:09.414063 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xbc length: 286 16:28:09.416874 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0xbc length: 133 16:28:09.425249 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xac length: 334 16:28:09.468703 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0xac length: 149 16:28:09.474853 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x66 length: 270 16:28:09.478196 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0x66 length:
- Martin_SharrattMar 18, 2015NimbostratusI've just looked again at radtest - using -t eap-md5 I get the challenge response but it still seems to be balancing evenly
- Martin_SharrattMar 18, 2015NimbostratusBut I can't copy the snippet in (website thinks it's spam): 17:07:29.534774 IP xxx.xxx148.104.36928 > xxx.xxx127.136.radius: RADIUS, Access Request (1), id: 0xfd length: 135 17:07:29.536893 IP xxx.xxx127.136.radius > xxx.xxx148.104.36928: RADIUS, Access Challenge (11), id: 0xfd length: 64 17:07:29.586124 IP xxx.xxx148.104.54443 > xxx.xxx127.136.radius: RADIUS, Access Request (1), id: 0x0a length: 135 17:07:29.588386 IP xxx.xxx127.136.radius > xxx.xxx148.104.54443: RADIUS, Access Challenge (11), id: 0x0a length: 64 17:07:29.635644 IP xxx.xxx148.104.42466 > xxx.xxx127.137.radius: RADIUS, Access Request (1), id: 0x17 length: 135 17:07:29.637776 IP xxx.xxx127.137.radius > xxx.xxx148.104.42466: RADIUS, Access Challenge (11), id: 0x17 length: 64 17:07:29.684637 IP xxx.xxx148.104.56138 > xxx.xxx127.137.radius: RADIUS, Access Request (1), id: 0x24 length: 135 17:07:29.687030 IP xxx.xxx127.137.radius > xxx.xxx148.104.56138: RADIUS, Access Challenge (11), id: 0x24 length: 64 17:07:29.734239 IP xxx.xxx148.104.56163 > xxx.xxx127.136.radius: RADIUS, Access Request (1), id: 0x31 length: 135 17:07:29.736436 IP xxx.xxx127.136.radius > xxx.xxx148.104.56163: RADIUS, Access Challenge (11), id: 0x31 length: 64 17:07:29.784118 IP xxx.xxx148.104.51052 > xxx.xxx127.136.radius: RADIUS, Access Request (1), id: 0x3e length: 135 17:07:29.787326 IP xxx.xxx127.136.radius > xxx.xxx148.104.51052: RADIUS, Access Challenge (11), id: 0x3e length: 64