Forum Discussion

Kannan_Thalaia1's avatar
Oct 04, 2023

Loadbalancing based on UDP SSL certificate issuer

In our environment we have multipl WLCs which are trying to connect RADIUS ( UDP 1812) for authentication along with certificate.

Some are WLCs (during authentications) are sending old certificates and some are new one.

We intention is based on certificate issuer ( on UDP traffic) , the F5 LTM need to redirect to different pool.

Kindly let me know, whether we can achive this with UDP profile and below irule? or any other way to fulfil our requirement.

Appreciate your help on this.

set server_cert [SSL::cert 1] ;# Retrieve the server certificate (index 1)
set cn [SSL::cert subject commonName]
if { [string match "*CS PRD*" $cn] } {
# Route to Pool A for servers with Type A certificates
} else {
# Default route for other cases


7 Replies

  • your requirements seems strange, and complex. I'd suggest contacting Professional Services for help with this, or take some time to describe your problem more clearly and somebody here may be able to help.

    • Kannan_Thalaia1's avatar
      Icon for Cirrus rankCirrus

      Yes, we contacted F5 PS and got response as "I have further reviewed the requirement and Wireshark traces with a senior colleague and we both concur that this is a non-starter due to the way the protocol behaves."

      • Kannan_Thalaia1's avatar
        Icon for Cirrus rankCirrus

        the Radius Access Request packet is routed to the Authentication Server prior to the Client certificate being presented. This breaks any certificate-based routing that we require.

        In the below diagram, step 5 (Access Request) happens before 5b (Client Cert request).