Forum Discussion
Loadbalancing based on UDP SSL certificate issuer
Yes, we contacted F5 PS and got the response: "I have further reviewed the requirement and Wireshark traces with a senior colleague and we both concur that this is a non-starter due to the way the protocol behaves."
The RADIUS Access Request packet is routed to the Authentication Server prior to the Client certificate being presented. This breaks any certificate-based routing that we require.
In the diagram below, step 5 (Access Request) happens before 5b (Client Cert request).
- PeteWhite, Oct 13, 2023, Employee
You could use an iRule which responds to the Access Request asking for the client cert, and once the client cert is presented it sends the request to the authentication server. Where does the BIG-IP sit in this flow?
- Kannan_Thalaia1, Oct 13, 2023, Cirrus
The BIG-IP sits between the Authenticator and the Authentication server.
- PeteWhite, Oct 13, 2023, Employee
OK, so in theory I can see that the BIG-IP can sit between Authenticator and Authentication Server and respond to the RADIUS request with EAP with a challenge, and force the supplicant to send the certificate. I'm not sure how this would work from BIG-IP to AS though - can it bundle up a single RADIUS Access Request with the certificate inside the EAP AVP? If not, the BIG-IP would have to respond to the challenge. Both of these are possible - the first would be a simple iRule, the second would need to use the MRF (Message Routing Framework), which is a bit more complex but is also more scalable.
If it were me, I would spend more time working out exactly what you want to do and how that would work - draw diagrams, refer to RFCs, write pseudocode, have Wireshark traces, etc. You may need to perform a proof of concept.
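To make the ordering problem in this thread concrete, here is an added Python example (written for this page, not code from the thread, from F5 or from an iRule) that reassembles the EAP payload from the EAP-Message attributes of a RADIUS Access-Request and reports whether a client certificate is visible yet. The sample packets are constructed, not captured traffic, and the inspection assumes plaintext TLS 1.2 handshake records inside EAP-TLS.

```python
import struct

EAP_MESSAGE, EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 79, 1, 13   # RFC 3579 attribute; EAP method types
TLS_HANDSHAKE, TLS_HS_CERTIFICATE = 0x16, 11                 # TLS record type; handshake message type

def parse_radius(pkt):
    """Return (code, [(attr_type, value), ...]) from a raw RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    off, avps = 20, []                       # attributes follow the 16-byte authenticator
    while off + 2 <= length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2:
            raise ValueError("malformed RADIUS attribute")
        avps.append((t, pkt[off + 2:off + l]))
        off += l
    return code, avps

def eap_from_radius(pkt):
    """Reassemble the EAP packet from all EAP-Message attributes (each carries at most 253 bytes)."""
    return b"".join(v for t, v in parse_radius(pkt)[1] if t == EAP_MESSAGE)

def client_cert_stage(eap):
    """Classify what the carried EAP packet reveals: 'identity', 'tls-cert', 'tls-no-cert' or 'other'."""
    if len(eap) < 5 or eap[4] not in (EAP_TYPE_IDENTITY, EAP_TYPE_TLS):
        return "other"
    if eap[4] == EAP_TYPE_IDENTITY:
        return "identity"                    # the first Access-Request: nothing to route on yet
    tls = eap[6 + (4 if eap[5] & 0x80 else 0):]   # EAP-TLS L bit: 4-byte TLS length precedes the data
    while len(tls) >= 5:                     # walk plaintext TLS records (TLS 1.3 encrypts the cert)
        rtype, _ver, rlen = struct.unpack("!BHH", tls[:5])
        body, tls = tls[5:5 + rlen], tls[5 + rlen:]
        if rtype == TLS_HANDSHAKE and body and body[0] == TLS_HS_CERTIFICATE:
            return "tls-cert"                # DER certs live in this message; the issuer is readable now
    return "tls-no-cert"

# --- constructed sample packets (not captured traffic); authenticator left as zeros ---
def build_radius(code, ident, avps):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body
def build_eap(code, ident, etype, payload):
    return struct.pack("!BBHB", code, ident, 5 + len(payload), etype) + payload

# 1: the initial Access-Request, carrying User-Name and only an EAP-Response/Identity
FIRST_REQUEST = build_radius(1, 1, [(1, b"alice"), (EAP_MESSAGE, build_eap(2, 1, EAP_TYPE_IDENTITY, b"alice"))])
# 2: a later Access-Request whose EAP-TLS data holds a TLS Certificate handshake (empty cert list for brevity)
cert_hs = bytes([TLS_HS_CERTIFICATE]) + b"\x00\x00\x03" + b"\x00\x00\x00"
tls_rec = struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(cert_hs)) + cert_hs
eap_tls = build_eap(2, 2, EAP_TYPE_TLS, b"\x00" + tls_rec)            # flags byte 0: no L/M/S bits set
LATER_REQUEST = build_radius(1, 2, [(EAP_MESSAGE, eap_tls[i:i + 8]) for i in range(0, len(eap_tls), 8)])
```

The first request classifies as identity, which is exactly why a load balancer cannot pick a pool member by issuer on the initial packet; only a later round trip carries the Certificate message, and the DER certificates inside it would then need an ASN.1 parser to extract the issuer.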