mikeinet_61712
May 18, 2009

UDP Radius Client - Need Source IP

Hi,

I'm presented with an interesting problem that I'm not sure how to attack.

I'm working with a RADIUS environment (UDP ports 1812, 1813) and trying to set up some basic load balancing between multiple RADIUS servers.

We have everything working -- but the problem we're seeing right now is that the RADIUS servers are seeing the source IP of the F5 device, rather than the actual source server.

This is a bad thing as it affects our RADIUS authentication and logging capabilities.

Does anyone know how we could keep that source IP address to allow the RADIUS server to see/use it?

Thanks.

1 Reply

  • Hi,

    Since the LTM preserves client source address by default, you likely have the LTM set up in a SNAT or "one-armed" configuration. If you are in a flat network, without SNAT, the packets will take an asymmetric path as I described in this post: Click here.

    iRules can insert headers, but since there's no way to do an X-Forwarded-For header for RADIUS that I'm aware of (like there is for HTTP), your only choice may be to rearchitect the network such that the LTM is the default gateway for the RADIUS servers and you can remove the SNAT and go back to the default of preserving client source IP.

    Denny
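
Why SNAT affects both authentication and logging on the RADIUS side, as an added example that is not part of the original thread: a RADIUS server selects the client entry (and its shared secret) from the datagram's source address, so behind SNAT every request matches the F5's address. The addresses, client names and helper functions are constructed for illustration; NAS-IP-Address (attribute 4, RFC 2865) is only present if the client sends it.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RFC 2865 attribute type
# Constructed client table: datagram source address -> client entry name.
KNOWN_CLIENTS = {"192.0.2.11": "vpn-a", "192.0.2.12": "wifi-b", "198.51.100.5": "f5-self-ip"}

def build_access_request(identifier, nas_ip):
    """Constructed sample: Access-Request (code 1) carrying only NAS-IP-Address."""
    attr = struct.pack("!BB4s", NAS_IP_ADDRESS, 6, ipaddress.IPv4Address(nas_ip).packed)
    return struct.pack("!BBH16s", 1, identifier, 20 + len(attr), bytes(16)) + attr

def parse_attributes(packet):
    """Return {type: [value, ...]} after validating header and attribute lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def identify_client(src_ip, packet, known_clients=KNOWN_CLIENTS):
    """What the server can record: datagram source, matched client, NAS-IP-Address."""
    nas = parse_attributes(packet).get(NAS_IP_ADDRESS)
    # NAS-IP-Address is client-supplied: usable for logging, not as proof of origin.
    nas_ip = str(ipaddress.IPv4Address(nas[0])) if nas and len(nas[0]) == 4 else None
    return {"source": src_ip, "client": known_clients.get(src_ip), "nas_ip": nas_ip}

if __name__ == "__main__":
    request = build_access_request(1, "192.0.2.11")
    # With SNAT the server sees the F5 self IP as the datagram source.
    print("SNAT:     ", identify_client("198.51.100.5", request))
    # With the LTM as default gateway and no SNAT, the real source is preserved.
    print("preserved:", identify_client("192.0.2.11", request))
```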