Radius configuration

Question

Hi &nbsp;
I need to load balance 5 radius servers through the F5. I setup the VIP but for some reason it's not working. this is my virtual server...&nbsp;
tm virtual vs_cisco_ise {&nbsp;
    destination 10.211.184.108:any&nbsp;
    ip-protocol udp&nbsp;
    mask 255.255.255.255&nbsp;
    partition BRC&nbsp;
    persist {&nbsp;
        Raduis_Persistence {&nbsp;
            default yes&nbsp;
        }&nbsp;
    }&nbsp;
 &nbsp;
    pool pool_cisco_ise&nbsp;
    profiles {&nbsp;
        /Common/udp { }&nbsp;
    }&nbsp;
    snat automap&nbsp;
    vlans-disabled&nbsp;
}&nbsp;
 &nbsp;

ltm pool pool_cisco_ise {&nbsp;
    members {&nbsp;
        10.20.77.149:any {&nbsp;
            address 10.20.77.149&nbsp;
            session monitor-enabled&nbsp;
            state up&nbsp;
        }&nbsp;
        10.20.77.150:any {&nbsp;
            address 10.20.77.150&nbsp;
            session user-disabled&nbsp;
 &nbsp;

ltm persistence hash Raduis_Persistence {&nbsp;
    app-service none&nbsp;
    defaults-from /Common/hash&nbsp;
    hash-algorithm default&nbsp;
    hash-buffer-limit 0&nbsp;
    hash-end-pattern none&nbsp;
    hash-length 0&nbsp;
    hash-offset 0&nbsp;
    hash-start-pattern none&nbsp;
    match-across-pools disabled&nbsp;
    match-across-services disabled&nbsp;
    match-across-virtuals disabled&nbsp;
    mirror disabled&nbsp;
    override-connection-limit disabled&nbsp;
    rule none&nbsp;
    timeout 180&nbsp;
}&nbsp;
 &nbsp;
&nbsp;
            state up&nbsp;
        }&nbsp;
        10.20.77.151:any {&nbsp;
            address 10.20.77.151&nbsp;
            session user-disabled&nbsp;
            state up&nbsp;
        }&nbsp;
        10.20.77.152:any {&nbsp;
            address 10.20.77.152&nbsp;
            session user-disabled&nbsp;
            state up&nbsp;
        }&nbsp;
        10.20.77.153:any {&nbsp;
            address 10.20.77.153&nbsp;
            session user-disabled&nbsp;
            state up&nbsp;
        }&nbsp;
    }&nbsp;
    monitor /Common/gateway_icmp&nbsp;
    partition BRC&nbsp;
}&nbsp;
 &nbsp;
 &nbsp;
&nbsp;
 &nbsp;
 &nbsp;

what_lies_bene1 · Answer

Angelo can you be more specific about what doesn't work, what version you're using and any diagnostics and tests you've performed so far please?&nbsp;

angelo · Answer

Hi &nbsp;
The problem is that i can see the traffic coming into the F5 but i cannot see the traffic coming back to my radius server. not sure if my config is correct..&nbsp;

what_lies_bene1 · Answer

Sorry, did you mean coming back from? Have you done a tcpdump? Is there a route on the RADIUS servers back to the SNAT address?

angelo · Answer

it's traffic back from the F5 to the radius server.. there is also a site running on the server but i can get to the site but the radius side of the config keeps failing...

what_lies_bene1 · Answer

OK. By site i assume you mean website? That would use a different Virtual Server and perhaps SNAT? Regardless, I assume you are saying that proves the routing to the server from the F5 is good yes?&nbsp;
&nbsp;
If so, it's time to do some tcpdumps I'd say. Can you do a tcpdump on the 'external' VLAN that the traffic enters the device through and then another on the 'internal' VLAN that the traffic should leave the device through. Actually, do it on both like so: tcpdump –i all –nn –v –X –s0 port 1812 and see what's what. If you'd rather save it to a file and use Wireshark for analysis, use this to create a file you can pull off the device: tcpdump –i all -nn –w /tmp/radiuscapture –v –s0 port 1812.&nbsp;

Forum Discussion

Radius configuration

8 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

iRule based RADIUS Client Stack

iRule based RADIUS Health Monitor Builder

iRule based RADIUS Server Stack

RADIUS update NAS-IP-Address

Certificate Expiry Email alert configuration