Forum Discussion

Cirrus

Oct 04, 2023

Loadbalancing based on UDP SSL certificate issuer

In our environment we have multipl WLCs which are trying to connect RADIUS ( UDP 1812) for authentication along with certificate. Some are WLCs (during authentications) are sending old certificates ...

application delivery

PeteWhite

Employee

Oct 13, 2023

your requirements seems strange, and complex. I'd suggest contacting Professional Services for help with this, or take some time to describe your problem more clearly and somebody here may be able to help.

Kannan_Thalaia1
Cirrus
Oct 13, 2023
Yes, we contacted F5 PS and got response as "I have further reviewed the requirement and Wireshark traces with a senior colleague and we both concur that this is a non-starter due to the way the protocol behaves."
- Kannan_Thalaia1
  Cirrus
  Oct 13, 2023
  the Radius Access Request packet is routed to the Authentication Server prior to the Client certificate being presented. This breaks any certificate-based routing that we require.
  In the below diagram, step 5 (Access Request) happens before 5b (Client Cert request).
  - PeteWhite
    Employee
    Oct 13, 2023
    you could use an iRule which responds to the Access Request asking for the client cert, and once the client cert is presented it sends the request to the authentication server. Where is the BIG-IP sat in this flow?