So I have set up our NPS servers on our F5s and set up RADIUS monitors, but the servers show red/not responding. A bit of reading says that NPS servers don't actively listen on port 1812, but do respond to queries.
I can change the monitor to something basic (ICMP, UDP) and it turns green, so I know the server responds from the F5.
I'm curious if there's something more to do, or if an iRule is needed to actively check the server/response on this?
iRules are usually not used for health monitoring.
Why doesn't a regular RADIUS health monitor with a correct username/password that causes an Access-Accept work? Have you determined with tcpdump what response you get?
I actually found that the issue was that the self-IPs for the networks weren't in place, and that got the authentication working. However, I have run into another problem.
I put in the credentials for an account, and it starts to work/auth to the NPS server successfully. However, after about 5-8 successful auths, the account gets locked out. No indication that there is a failure or any reason why it's happening.
I will run a tcpdump to see what's happening on the F5 later today.
No useful log on the RADIUS server side either?
Nothing descriptive. I'm using an IPS log viewer (since looking at the naked logs was extremely confusing), and it's showing that when I configure the account, it works great, but then locks out after a few attempts.
I have a case open with F5 TAC, and I actually suspect that the cause of this is that the F5 isn't fully syncing across both primary and backup, and is then locking the account out because not all the info is there.
I figured out this was my own stupidity and not related to the F5s... I had configured one of the NPS servers with all the proper info and not the second, and hadn't put the self-IPs as accepted RADIUS clients there. Once I got them mirrored, the issue resolved. Thanks everyone! :)
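Putting the two findings above together (the monitor sends a plain RADIUS Access-Request from the self-IP, and NPS silently discards requests from source IPs it does not list as RADIUS clients), here is an added Python probe, not from this thread or from F5, that reproduces what the RADIUS monitor does so a red member can be classified by hand. It assumes PAP (what the stock F5 RADIUS monitor uses), UDP/1812, and a constructed secret/username; the Request Authenticator parameter exists only to make the packet reproducible for testing.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute type codes

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def _xor_chain(data, secret, authenticator, decrypt):
    """PAP hiding: XOR each 16-byte block with MD5(secret + previous ciphertext
    block); the first block is keyed by the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def hide_password(password, secret, authenticator):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")  # pad to 16n
    return _xor_chain(padded, secret, authenticator, decrypt=False)

def unhide_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\0")

def build_access_request(ident, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def response_authenticator(code, ident, length, attrs, request_authenticator, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(head + request_authenticator + attrs + secret).digest()

def classify_response(reply, request_authenticator, secret):
    if reply is None:
        return "no-response"  # NPS silently drops requests from unregistered client IPs
    if len(reply) < 20: return "malformed"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if response_authenticator(code, ident, length, reply[20:length], request_authenticator, secret) != reply[4:20]:
        return "bad-authenticator"  # shared-secret mismatch or a forged reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")

def probe(server, username, password, secret, timeout=3.0):
    """Send one Access-Request to server:1812 from this host and classify the reply."""
    packet, auth = build_access_request(1, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 1812))
        try: reply = s.recv(4096)
        except socket.timeout: reply = None
    return classify_response(reply, auth, secret)
```

Run `probe()` from the same self-IP the monitor uses: "no-response" points at the NPS client registration (or a firewall), "bad-authenticator" at the shared secret, and "reject" at the account or policy, which is the split tcpdump alone does not give you.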
This monitor doesn't work when doing MFA; when the F5 monitor sends the username and password, it's waiting for a token or an accept from something like a Duo push on a cell phone.
I would expect most scripts/health monitors to have a problem with those. In any case, I would set up my RADIUS server to not do MFA for the health monitor requests.