Forum Discussion

tomHooper_13312
Apr 23, 2014

Need help connecting RADIUS and HTTPS

I am trying to load-balance HTTPS (Port 8443) onto the same node as a completed RADIUS communication. It is critical for session consistency that the HTTPS session is load-balanced onto the same node as the RADIUS session. It is key to note that the RADIUS client address is different to the HTTPS client address. In order to load-balance the HTTPS session, I first need to determine the Client-IP from the preceding accounting packets.

I have attempted to achieve this using the following iRule:

 

when CLIENT_DATA {

  # This ensures that only the interim_update accounting
  # packets are inspected by the iRule as these are
  # most likely to contain the IP address of the client
  # [RADIUS::code] == 4 identifies the packet as an accounting packet
  # [RADIUS::avp 40] == 3 identifies the packet as an interim_update accounting packet

  if { [RADIUS::code] == 4 and [RADIUS::avp 40] == 3 } {
    # Framed-IP-Address (AVP 8); "ip4" returns it as a dotted quad
    # rather than the raw 4-byte value
    set framed_ip [RADIUS::avp 8 ip4]
    log local0. "request from $framed_ip"
    persist uie "$framed_ip" 600
  }
}

 

Tying all this together on the other Virtual Servers is a UIE persistence profile. The Persistence Profile has Match Across Services and Match Across Servers enabled. However, despite the persistence profile being attached to every VS, the HTTPS refuses to follow the persistence record that has been created by persist uie "$framed_ip" 600.

18 Replies

  • If you instead use a universal persistence profile and enable 'Match Across Services', does that make a difference?

     

    • tomHooper_13312
      Thank you for your suggestion. I forgot to mention that I already have "Match Across Services" and "Match Across Servers" enabled. I've updated my post to reflect this.
    • tomHooper_13312
      There is no iRule attached to the HTTPS virtual server. Just a Universal Persistence Profile with Match Across Services and Match Across Servers.
  • There is no iRule attached to the HTTPS virtual server.

     

    Can you try? The iRule should just be running persist against the client IP.

     

  • e.g.

     

    when CLIENT_ACCEPTED {
      persist uie [IP::client_addr]
    }
    

     

    • tomHooper_13312
      Alright, I'll try that. Does this get attached to a persistence profile, or is it just attached as an iRule to the VS?
  • is it just attached as an iRule to the VS

     

    VS please :)

     

  • So I have tried the suggested configuration and am still having trouble.

    Running show ltm persistence persist-records all-properties, I receive the following output (note that I have truncated the output to preserve space):

     

    -----output truncated-------
    universal - 10.x.x.170:1813 - 10.x.x.172:any
    ----------------------------------------------------
      TMM           2                                   
      Mode          universal                           
      Value         141.x.x.115                      
      Age (sec.)    18                                  
      Virtual Name  /Common/ISE_Radius_account          
      Virtual Addr  10.x.x.170:1813                 
      Node Addr     10.x.x.172:any                  
      Pool Name     /Common/ISE_model_server            
      Client Addr   ::                                  
      Owner entry                                       
    
    universal - 10.x.x.170:1813 - 10.x.x.172:any
    ----------------------------------------------------
      TMM           1                                   
      Mode          universal                           
      Value         141.x.x.115                      
      Age (sec.)    18                                  
      Virtual Name  /Common/ISE_Radius_account          
      Virtual Addr  10.x.x.170:1813                 
      Node Addr     10.x.x.172:any                  
      Pool Name     /Common/ISE_model_server            
      Client Addr   ::                                  
      Local entry  
      ===================================================
      -----output truncated-------
    source-address - 10.x.x.170:1812 - 10.x.x.171:any
    ---------------------------------------------------------
      TMM           1                                        
      Mode          source-address                           
      Value         141.x.x.166                           
      Age (sec.)    145                                      
      Virtual Name  /Common/ISE_Radius_auth                  
      Virtual Addr  10.x.x.170:1812                      
      Node Addr     10.x.x.171:any                       
      Pool Name     /Common/ISE_model_server                 
      Client Addr   141.x.x.166                           
      Owner entry                                 
    

     

    The last record is the RADIUS client that all other records should be persisting to.

    • nitass
      The last persistence record is source-address type, isn't it? Shouldn't it be universal persistence type?
  • this is my testing.

     

     accounting virtual server
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar1813
    ltm virtual bar1813 {
        destination 172.28.24.10:1813
        ip-protocol udp
        mask 255.255.255.255
        persist {
            myuie {
                default yes
            }
        }
        pool foo
        profiles {
            udp { }
        }
        rules {
            qux1813
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-port disabled
        vs-index 19
    }
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:0 {
                address 200.200.200.101
            }
            200.200.200.111:0 {
                address 200.200.200.111
            }
        }
    }
    
     timeout is set to indefinite to make testing easier
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm persistence universal myuie
    ltm persistence universal myuie {
        app-service none
        match-across-services enabled
        match-across-virtuals enabled
        timeout indefinite
    }
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux1813
    ltm rule qux1813 {
        when CLIENT_ACCEPTED {
      persist uie [RADIUS::avp 8 ip4]
    }
    }
    
     http virtual server
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar80
    ltm virtual bar80 {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            myuie {
                default yes
            }
        }
        pool foo
        profiles {
            tcp { }
        }
        rules {
            qux80
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 20
    }
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux80
    ltm rule qux80 {
        when CLIENT_ACCEPTED {
      persist uie [IP::client_addr]
    }
    when SERVER_CONNECTED {
      log local0. "client [IP::client_addr] server [IP::server_addr]"
    }
    }
    
     testing
    
    1. create persistence record by sending accounting message
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show ltm persistence persist-records all-properties
    Sys::Persistent Connections
    universal - 172.28.24.10:1813 - 200.200.200.101:any
    ---------------------------------------------------
      TMM           1
      Mode          universal
      Value         172.28.24.15
      Age (sec.)    3
      Virtual Name  /Common/bar1813
      Virtual Addr  172.28.24.10:1813
      Node Addr     200.200.200.101:any
      Pool Name     /Common/foo
      Client Addr   172.28.24.1
      Owner entry
    
    Total records returned: 1
    
    2. to prove whether the persistence record is used, disable pool member 200.200.200.101:any (persistence is allowed in the disabled state according to sol13310)
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm pool foo members modify { 200.200.200.101:0 { session user-disabled }}
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:0 {
                address 200.200.200.101
                session user-disabled
            }
            200.200.200.111:0 {
                address 200.200.200.111
            }
        }
    }
    
    3. send http request. pool member 200.200.200.101 is used
    
    [root@ve11a:Active:In Sync] config # tail -f /var/log/ltm
    Apr 23 03:19:14 ve11a info tmm1[13593]: Rule /Common/qux80 : client 172.28.24.15 server 200.200.200.101
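
The mechanism that both the original CLIENT_DATA iRule and nitass's lab above rely on, as an added example that is not code from the original thread or from F5: a small Python model with constructed packets, an assumed shared secret, and a dictionary standing in for the BIG-IP universal persistence table with match-across-services and match-across-virtuals. It decodes an Accounting-Request the way [RADIUS::code], [RADIUS::avp 40] and [RADIUS::avp 8 ip4] do, creates a record keyed on the Framed-IP-Address only for an Interim-Update, and then shows the HTTPS side's persist uie [IP::client_addr] hitting that record when, and only when, the HTTPS source address equals the framed address. It additionally verifies the RFC 2866 Request Authenticator against the shared secret before a record is created, which the posted iRules do not do; the names UiePersistence, SHARED_SECRET, interim_update and the pool addresses are this example's own assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed lab values (assumptions for this example, not from the thread).
SHARED_SECRET = b"lab-secret"
POOL = ["200.200.200.101", "200.200.200.111"]

CODE_ACCOUNTING_REQUEST = 4   # RADIUS Code 4, what [RADIUS::code] == 4 tests
ATTR_FRAMED_IP_ADDRESS = 8    # AVP 8, what [RADIUS::avp 8 ip4] reads
ATTR_ACCT_STATUS_TYPE = 40    # AVP 40, what [RADIUS::avp 40] reads
ACCT_STATUS_START = 1
ACCT_STATUS_INTERIM_UPDATE = 3


def build_accounting_request(ident, attrs, secret=SHARED_SECRET):
    """Encode an Accounting-Request; the 16-byte Request Authenticator is
    MD5(Code+ID+Length+16 zero octets+Attributes+Secret) per RFC 2866."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_radius(packet, secret=SHARED_SECRET):
    """Return (code, {attr_type: [raw values]}). An Accounting-Request whose
    Request Authenticator does not verify against the shared secret is rejected,
    so a forged accounting packet cannot plant a persistence record."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    authenticator, body = packet[4:20], packet[20:]
    if code == CODE_ACCOUNTING_REQUEST:
        expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
        if not hmac.compare_digest(expected, authenticator):
            raise ValueError("Request Authenticator mismatch")
    attrs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(body[pos + 2:pos + attr_len])
        pos += attr_len
    return code, attrs


def is_authentic(packet, secret=SHARED_SECRET):
    """True if parse_radius accepts the packet (authenticator and framing)."""
    try:
        parse_radius(packet, secret)
        return True
    except ValueError:
        return False


class UiePersistence:
    """Model of a universal persistence profile with match-across-services and
    match-across-virtuals: records are keyed on the persist value alone, so a
    record created on the accounting virtual is visible to the HTTPS virtual."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.records = {}   # persist value -> node address
        self.next_rr = 0    # round-robin pointer for keys with no record

    def select(self, key):
        node = self.records.get(key)
        if node is None:
            node = self.pool[self.next_rr % len(self.pool)]
            self.next_rr += 1
            self.records[key] = node
        return node


def accounting_irule(table, packet):
    """What the thread's accounting iRule does: on an Interim-Update, persist on
    Framed-IP-Address. Returns the node chosen, or None if the packet is skipped."""
    code, attrs = parse_radius(packet)
    if code != CODE_ACCOUNTING_REQUEST or ATTR_ACCT_STATUS_TYPE not in attrs:
        return None
    status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE][0])[0]
    if status != ACCT_STATUS_INTERIM_UPDATE or ATTR_FRAMED_IP_ADDRESS not in attrs:
        return None
    framed_ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS][0]))  # "ip4"
    return table.select(framed_ip)


def https_irule(table, client_addr):
    """What 'persist uie [IP::client_addr]' on the HTTPS virtual does."""
    return table.select(client_addr)


def interim_update(ident, framed_ip):
    """Constructed Interim-Update carrying Acct-Status-Type=3 and Framed-IP-Address."""
    return build_accounting_request(ident, [
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_INTERIM_UPDATE)),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed),
    ])


def demo():
    table = UiePersistence(POOL)
    acct_node = accounting_irule(table, interim_update(1, "172.28.24.15"))
    start = build_accounting_request(2, [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))])
    skipped = accounting_irule(table, start)          # Start without Framed-IP: no record
    https_node = https_irule(table, "172.28.24.15")   # HTTPS from the framed address
    other_node = https_irule(table, "172.28.24.99")   # unrelated client: round-robin
    return acct_node, skipped, https_node, other_node
```

The two lookups in demo() land on the same node only because both virtuals persist on the identical string: the framed address from accounting on one side and the TCP source address on the other. If the HTTPS traffic reaches the virtual with a different source address (for instance after NAT), or the accounting packet carries no Framed-IP-Address (the Start packet above), no record is found and the request falls through to ordinary load balancing.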
    
    

     

    • tomHooper_13312
      Thanks for that code nitass. I did note that you are using SNAT automap on both VSs. Is there a way to avoid using SNAT in this scenario?
  • I did note that you are using SNAT automap on both VSs. Is there a way to avoid using SNAT in this scenario?

     

    If the server sends the response back to the client through the BIG-IP (e.g. default gateway, static route), SNAT automap is not needed. I had to use SNAT automap because my lab environment does not.

     

    • tomHooper_13312
      Based on your output, I have the default gateway set as the F5; this means I do not require SNAT. Another thing I have noticed is that you have used HTTP, whereas I am required to use HTTPS. Is this going to make a difference?
  • I have the default gateway set as the F5 this means I do not require SNAT.

     

    Correct.

     

    I have noticed that you have used HTTP, whereas I am required to use HTTPS. Is this going to make a difference?

     

    No difference.

     

    • tomHooper_13312
      Nitass, can I ask for a printout of the port 1812 config? I am struggling to work out how these two (1812 and 1813) are maintaining a persistent connection. You have been a great help so far.
  • Can I ask for a printout of the port 1812 config.

     

    Sorry, I do not have one. It is my testing lab; the traffic is not real traffic, i.e. it is generated by tools such as radclient, curl, etc.