Loadbalancing NPS Radius Servers - tricks?

So I have set up our NPS Servers on our F5's, set up radius monitors, but the servers show red/not responding. A bit of reading says that NPS servers don't actively listen on port 1812, but do respond to queries.

I can change the monitor to something basic (ICMP, UDP) and it turns green, so I know the server responds to the F5.

I'm curious if there's something more to do, or if an iRule is needed to actively check the server/response on this?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

iRules are usually not used for health monitoring.

Why doesn't a regular RADIUS health monitor with a correct username / password that causes an Access-Accept work? Have you determined with tcpdump what response you get?

0
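The exchange the answer describes, as an added example that is not part of the original thread: a small Python probe that sends the same PAP Access-Request a RADIUS health monitor sends and accepts the server only on an Access-Accept whose Response Authenticator verifies under the shared secret. The host, shared secret, monitor account and NAS IP are placeholders you supply; `build_response` stands in for the server so the exchange can be checked offline, and a server that drops requests from a source it does not know as a RADIUS client (the self-IP problem in this thread) shows up as a timeout rather than a reject.

```python
import hashlib, hmac, secrets, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # packet codes, RFC 2865

def encode_password(password, secret, authenticator):
    """Hide User-Password as RFC 2865 s5.2 does: MD5 keystream over 16-byte blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, secret, username, password, nas_ip):
    """Access-Request as a PAP health monitor sends it; returns (packet, request authenticator)."""
    auth = secrets.token_bytes(16)  # fresh random Request Authenticator for every request
    attrs = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in (
        (1, username.encode()),                                 # User-Name
        (2, encode_password(password.encode(), secret, auth)),  # User-Password
        (4, socket.inet_aton(nas_ip)),                          # NAS-IP-Address
    ))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_response(code, request, secret):
    """Server side, used for the offline check: reply with a valid Response Authenticator."""
    head = struct.pack("!BBH", code, request[1], 20)  # no attributes, so length is 20
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def classify_response(resp, req_auth, secret, ident):
    """'accept', 'reject' or 'invalid' (short, wrong id/length, or bad Response Authenticator)."""
    if len(resp) < 20 or resp[1] != ident or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return "invalid"
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):  # reply forged or secret mismatch
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "invalid")

def probe(host, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """One monitor round trip. Only 'accept' is healthy; a server that silently drops
    requests from a source it does not know as a RADIUS client shows up as 'timeout'."""
    ident = secrets.randbelow(256)
    pkt, auth = build_access_request(ident, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(resp, auth, secret, ident)
```

Run `probe("nps.example.test", b"shared-secret", "monitor", "Passw0rd!", "10.0.0.5")` against a real NPS server from the self-IP it knows as a client; anything but "accept" is what the F5 monitor will also see as down.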
Comments on this Answer
Comment made 16-Jul-2018 by JohnP_WDG 74

I actually found that the issue was that the self-IPs for the networks weren't in place, and that got the authentication working. However, I have run into another problem.

I put in the credentials for an account, and it starts to work/auth to the NPS server successfully. However, after about 5-8 successful auths, the account gets locked out. No indication that there is a failure or any reason why it's happening.

I will run a TCPDump to see what's happening on the F5 later today.

1
Comment made 16-Jul-2018 by boneyard 5579

No useful log on the RADIUS server side either?

0
Comment made 17-Jul-2018 by JohnP_WDG 74

Nothing descriptive. I'm using an IPS log viewer (since looking at the naked logs was extremely confusing), and it's showing that when I configure the account, it works great, but then locks out after a few attempts.

I have a case open with F5 TAC, and I actually suspect that the cause of this is that the F5 isn't fully syncing across both primary and backup, and is then locking the account out because not all the info is there.

0
Comment made 27-Jul-2018 by JohnP_WDG 74

I figured out this was my own stupidity and not related to the F5s... I had configured one of the NPS servers with all the proper info, and not the second; I hadn't put the self-IPs as accepted RADIUS clients there. Once I got them mirrored, the issue resolved. Thanks everyone! :)

0
Comment made 4 months ago by Steven J. Williams 267

This monitor doesn't work when doing MFA: when the F5 monitor sends the username and password, it's waiting for a token or an accept from something like a Duo push on a cell phone.

0
Comment made 3 months ago by boneyard 5579

I would expect most scripts / health monitors to have a problem with those. In any case, I would set up my RADIUS server to do MFA for the health monitor requests.

0