teknet7_237497
Dec 09, 2015

irule: HTTP traffic to the same real server as Radius session

Hello Team,

 

LTM should load balance both Radius (Authentication/Accounting) and also HTTP traffic to the same real server. Radius traffic should be balanced based on Calling Station id attribute. HTTP traffic should be redirected to the same real server as previous radius session.

 

So the logic would be the following:

- LTM is tracking all Radius Interim Accounting messages with IETF Attribute Framed-IP-Address and performing balancing based on Calling Station id attribute.
- Once HTTP GET is being received we are reading IP->source_ip and checking/doing lookup if we do see that address in one of previous Radius sessions (Framed-IP-Address) - if yes sending the traffic to the same real server.

 

Is that possible?

 

Thanks, Michal

 

3 Replies

  • BIG-IP has a persistence option called 'match across services' that does this if both virtual services utilize the same VIP (and pools have the same nodes). One option subject to your specific architecture. We utilize this in some cases with source-ip persistence.

     

    'match across virtual servers' enables this persistence function if the VSes do not share the same IP.

     

    More info is available in SOL5837 if helpful.

     

  • Hi Ed,

     

    Thank you for the link.

     

    I have read multiple documents but am still not sure if that is possible. I would use multiple VIPs with the same address and match across services. Services: radius authentication, radius accounting, http.

     

    I would need to:

     

    1. After receiving Radius Access-Request (no Framed-IP-Address yet at that stage) I would need to balance based on Calling-Station-ID (persistent profile universal with iRule extracting Calling-Station-ID).

       

    2. Then I am receiving Radius Accounting-Request with Framed-IP-Address. I would still do the same balancing based on Calling-Station-ID and land on the same real server. But this time, since I do have the Framed-IP-Address attribute, I would like to extract it and create a persistence entry (iRule for Framed-IP-Address).

       

    3. Then I am receiving HTTP traffic from an IP address which is the same as the mentioned Framed-IP-Address. What would be the configuration for that VIP? What kind of persistence rule and iRule?

       

    Could you clarify what config you would recommend for all 3 VIPs - what persistence profile and iRule? What would be the content of the persistence table? Both via Calling-Station-ID and IP address? I need to be sure that once I do receive subsequent accounting messages they are gonna land on the same real server as the original access-request. But also all subsequent HTTP requests from the same IP as framed-ip-address should land on the same real server.

     

    Thanks, Michal

     

    • Red_19

      Michal, did you find a solution for this problem? I have the same situation with 2 VIPs (same IP, different ports): one has MSRDP and the other has Source IP; the requirement is the same as yours. Traffic first comes on the VIP with Source IP persistence, and whichever node the traffic goes to should be the same node it goes to when the client connects to the VIP that has MSRDP persistence. Both the VIPs have the same pool members (same IP, different ports).
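
The three-step flow asked about in this thread, as an added example that is not part of any post and is not an iRule or F5 configuration: a Python model that parses RADIUS attributes (RFC 2865 layout), keeps one table keyed by Calling-Station-Id and one keyed by Framed-IP-Address, and looks up the HTTP source address in the second. The pool addresses, the `Persistence` class, the `build` helper and the CRC32 member choice are assumptions made for illustration.

```python
import ipaddress
import struct
import zlib

CALLING_STATION_ID, FRAMED_IP_ADDRESS = 31, 8   # RFC 2865 attribute types
POOL = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed pool members

def parse_avps(packet: bytes) -> dict:
    """Return {type: value} for a RADIUS packet, rejecting malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20                           # attributes follow the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        avp_type, avp_len = packet[pos], packet[pos + 1]
        if avp_len < 2 or pos + avp_len > length:
            raise ValueError("bad AVP length")
        avps[avp_type] = packet[pos + 2:pos + avp_len]
        pos += avp_len
    return avps

class Persistence:
    """Hypothetical model of the two lookup tables; no timeouts are modelled."""
    def __init__(self):
        self.by_station = {}      # Calling-Station-Id -> pool member
        self.by_framed_ip = {}    # Framed-IP-Address  -> pool member

    def on_radius(self, packet: bytes) -> str:
        avps = parse_avps(packet)
        station = avps.get(CALLING_STATION_ID)
        if station is None:
            raise ValueError("no Calling-Station-Id")
        # Steps 1 and 2: every RADIUS message for this station reaches one member.
        default = POOL[zlib.crc32(station) % len(POOL)]   # stand-in for the LB choice
        member = self.by_station.setdefault(station, default)
        framed = avps.get(FRAMED_IP_ADDRESS)
        if framed is not None and len(framed) == 4:
            # Step 2: accounting carries the client IP, so record it for HTTP.
            self.by_framed_ip[str(ipaddress.IPv4Address(framed))] = member
        return member

    def on_http(self, src_ip: str):
        # Step 3: an HTTP client is matched by source IP; None means no entry yet.
        return self.by_framed_ip.get(src_ip)

def build(code: int, avps) -> bytes:
    """Build a constructed sample packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```

Because the HTTP decision trusts whatever Framed-IP-Address the accounting stream reported, entries should expire or be removed when the session ends so a reassigned address does not inherit another client's member.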