DineshVM_265886
Feb 09, 2017

RFE 445480 - Radius Monitor should mark member up even with Access-Reject

RFE 445480 - Radius Monitor should mark member up even with Access-Reject - Was this request approved? Looking for a solution for this request.

 

3 Replies

  • LPL

    Hi,

     

    I am also interested. In a (very good) document (Cisco wrote in collaboration with F5), it is stated: "F5 BIG-IP LTMs have the ability to treat a failed authentication (RADIUS Access-Reject) as a valid response to the RADIUS health monitor. The fact that ISE is able to provide a response indicates that the service is running."

     

    Later in the document:

     

    "General guidance is to use the ISE Internal User database account with different password to force Access-Reject."

     

    Is it the default behavior of F5 to mark a server as up on an Access-Reject response, or should we tweak it?

     

    The document name is "How-To-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf"

     

    Thanks!

     

  • As my late father used to say: "Bugger off is also an answer". Here's a null radius request:

    Access-Request (1), id: 0x00, Authenticator: 00000000000000000000000000000000
      User-Name Attribute (1), length: 9, Value: 0000000
        0x0000:  3030 3030 3030 30
      User-Password Attribute (2), length: 18, Value: 
        0x0000:  3030 3030 3030 3030 3030 3030 3030 3030
      NAS-IP-Address Attribute (4), length: 6, Value: 127.0.0.1
        0x0000:  7f00 0001
      NAS-Identifier Attribute (32), length: 11, Value: localhost
        0x0000:  6c6f 6361 6c68 6f73 74 out slot1/tmm0 lis=

    And its (valid) 'bugger off' answer:

    Access-Reject (3), id: 0x00, Authenticator: xxxxxxxxxxxxxxxxxxxxxxxx in slot1/tmm0 lis=
    

    Here are the UDP hex strings to send & expect:

    Send:

    \x01\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x09\x30\x30\x30\x30\x30\x30\x30\x02\x12\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x30\x04\x06\x7f\x00\x00\x01\x20\x0b\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74

    Expect:

    \xcc\xb4\x64\x08\x5e\x35\x2c\xaf\x85\x0f\x26\x42\x21\x51\x6a\xaf

    Works a treat.

    BR Jan

  • Hi Jan,

     

    I have an iRule based Radius Client in my pocket. Should be a rather easy task to wrap the RADIUS request generation part into an iRule based Web-Page or even iApp-Template to auto-generate a RADIUS monitor template.

     

    Thanks for giving me good inspiration for a coding project... :-)

     

    Cheers, Kai
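
How a send/expect pair like the one in the thread can be generated, as an added example that is not code from any of the posters: with a fixed id and an all-zero Request Authenticator, the Response Authenticator of an attribute-less Access-Reject is a constant MD5 over the response header, the request authenticator and the shared secret (RFC 2865), so it can be precomputed per secret. The example assumes the 16-byte Expect string is that authenticator and that the reject carries no attributes; the secret `example-secret` and all function names are made up for illustration, while the request fields are taken from the dump above.

```python
import hashlib
import hmac
import struct

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (2-byte header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_probe(ident: int = 0) -> bytes:
    """Rebuild the 'null' Access-Request using the field values shown in the dump."""
    attrs = (
        attr(1, b"0" * 7)                  # User-Name
        + attr(2, b"0" * 16)               # User-Password (literal bytes, as in the dump)
        + attr(4, bytes([127, 0, 0, 1]))   # NAS-IP-Address
        + attr(32, b"localhost")           # NAS-Identifier
    )
    # Code 1, id, total length, then an all-zero 16-byte Request Authenticator.
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(16) + attrs

def expected_reject_authenticator(request: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Secret) for a 20-byte Access-Reject."""
    head = struct.pack("!BBH", 3, request[1], 20)
    return hashlib.md5(head + request[4:20] + secret).digest()

def to_monitor_string(data: bytes) -> str:
    """Render bytes as \\xNN escapes, the notation used for the strings above."""
    return "".join(f"\\x{b:02x}" for b in data)

def server_is_up(request: bytes, response: bytes, secret: bytes) -> bool:
    """Up only on an authentic Access-Accept (2) or Access-Reject (3)."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (2, 3) or ident != request[1] or length != len(response):
        return False
    digest = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret
    ).digest()
    return hmac.compare_digest(digest, response[4:20])

if __name__ == "__main__":
    SECRET = b"example-secret"  # constructed placeholder, not from the thread
    probe = build_probe()
    print("send:", to_monitor_string(probe))
    print("recv:", to_monitor_string(expected_reject_authenticator(probe, SECRET)))
```

Because the expected bytes are derived from the shared secret, the receive string has to be regenerated whenever the secret changes.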