Forum Discussion

Kannan_Thalaia1's avatar
Kannan_Thalaia1
Icon for Cirrus rankCirrus
Oct 04, 2023

Loadbalancing based on UDP SSL certificate issuer

In our environment we have multipl WLCs which are trying to connect RADIUS ( UDP 1812) for authentication along with certificate. Some are WLCs (during authentications) are sending old certificates ...
application delivery
PeteWhite's avatar
PeteWhite
Icon for Employee rankEmployee

your requirements seems strange, and complex. I'd suggest contacting Professional Services for help with this, or take some time to describe your problem more clearly and somebody here may be able to help.

Kannan_Thalaia1's avatar
Kannan_Thalaia1
Icon for Cirrus rankCirrus
Oct 13, 2023

Yes, we contacted F5 PS and got response as "I have further reviewed the requirement and Wireshark traces with a senior colleague and we both concur that this is a non-starter due to the way the protocol behaves."

  • Kannan_Thalaia1's avatar
    Kannan_Thalaia1
    Icon for Cirrus rankCirrus
    Oct 13, 2023

    the Radius Access Request packet is routed to the Authentication Server prior to the Client certificate being presented. This breaks any certificate-based routing that we require.

    In the below diagram, step 5 (Access Request) happens before 5b (Client Cert request).

     

    • PeteWhite's avatar
      PeteWhite
      Icon for Employee rankEmployee
      Oct 13, 2023

      you could use an iRule which responds to the Access Request asking for the client cert, and once the client cert is presented it sends the request to the authentication server. Where is the BIG-IP sat in this flow?

      • Kannan_Thalaia1's avatar
        Kannan_Thalaia1
        Icon for Cirrus rankCirrus
        Oct 13, 2023

        BIG-IP sit between Autheticator and Authentication server..