Forum Discussion

Kannan_Thalaia1
Oct 04, 2023

Loadbalancing based on UDP SSL certificate issuer

In our environment we have multiple WLCs which are trying to connect to RADIUS (UDP 1812) for authentication along with a certificate.

Some WLCs (during authentication) are sending old certificates and some new ones.

Our intention is that, based on the certificate issuer (on UDP traffic), the F5 LTM redirects to a different pool.

Kindly let me know whether we can achieve this with a UDP profile and the iRule below, or any other way to fulfil our requirement.

Appreciate your help on this.

when CLIENTSSL_HANDSHAKE {
    # SSL::cert 0 is the client's (peer) certificate; it is only present when the
    # client SSL profile requests client authentication
    if { [SSL::cert count] > 0 } {
        # X509::subject returns the full subject DN, e.g. "CN=CS PRD ...,OU=..."
        set cn [X509::subject [SSL::cert 0]]
        if { [string match "*CS PRD*" $cn] } {
            # Route to Pool A for clients presenting the old certificate type
            pool RADIUSOLD_POOL
        } else {
            # Default route for other cases
            pool RADIUSNEW_POOL
        }
    }
}


  • Your requirements seem strange and complex. I'd suggest contacting Professional Services for help with this, or take some time to describe your problem more clearly and somebody here may be able to help.

    • Kannan_Thalaia1

      Yes, we contacted F5 PS and got response as "I have further reviewed the requirement and Wireshark traces with a senior colleague and we both concur that this is a non-starter due to the way the protocol behaves."

      • Kannan_Thalaia1

        The RADIUS Access-Request packet is routed to the authentication server prior to the client certificate being presented. This breaks any certificate-based routing that we require.

        In the below diagram, step 5 (Access Request) happens before 5b (Client Cert request).
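As an added illustration of the point made in the replies (not code from the thread or from F5), the following parses the first RADIUS Access-Request a WLC sends for an EAP client. The packet bytes are constructed; the attribute and EAP type numbers are the standard ones from RFC 2865 and RFC 3748. At the moment the load balancer must pick a pool, the only EAP payload present is an Identity response, so no certificate exists yet to route on; only attributes such as NAS-IP-Address or User-Name are available.

```python
import struct

# Standard RADIUS attribute types (RFC 2865 / RFC 2869) and EAP types (RFC 3748 / RFC 5216)
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE = 1, 4, 79
EAP_IDENTITY, EAP_TLS = 1, 13

def parse_radius(pkt):
    """Parse a RADIUS packet into (code, id, [(attr_type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20  # attributes follow the 16-byte Request Authenticator
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs

def eap_type(attrs):
    """Return the EAP type of the (reassembled) EAP-Message attributes, or None."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    return eap[4] if len(eap) >= 5 else None  # EAP header: code, id, length(2), type

def build_first_access_request():
    """Constructed sample: the WLC's first Access-Request, carrying EAP-Response/Identity."""
    identity = b"user@example"
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + bytes([EAP_IDENTITY]) + identity
    attrs = (bytes([USER_NAME, 2 + len(identity)]) + identity
             + bytes([NAS_IP_ADDRESS, 6]) + bytes([10, 0, 0, 5])
             + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap)
    authenticator = b"\x00" * 16  # constructed; a real WLC sends 16 random bytes
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + authenticator + attrs

def routing_key(pkt):
    """What a load balancer can see when it must choose a pool for this packet."""
    code, _, attrs = parse_radius(pkt)
    t = eap_type(attrs)
    nas = next((".".join(map(str, v)) for a, v in attrs if a == NAS_IP_ADDRESS), None)
    # A client certificate can only ride inside EAP-TLS (type 13) packets, which come
    # after this Identity exchange, so a per-packet pool decision cannot use it here.
    return {"code": code, "eap_type": t, "nas_ip": nas, "certificate_possible": t == EAP_TLS}

if __name__ == "__main__":
    print(routing_key(build_first_access_request()))
```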