Forum Discussion
Kannan_Thalaia1
Cirrus
CirrusLoadbalancing based on UDP SSL certificate issuer
In our environment we have multipl WLCs which are trying to connect RADIUS ( UDP 1812) for authentication along with certificate. Some are WLCs (during authentications) are sending old certificates ...
Kannan_Thalaia1Cirrus
Cirrusthe Radius Access Request packet is routed to the Authentication Server prior to the Client certificate being presented. This breaks any certificate-based routing that we require.
In the below diagram, step 5 (Access Request) happens before 5b (Client Cert request).
PeteWhite
Employee
Employeeyou could use an iRule which responds to the Access Request asking for the client cert, and once the client cert is presented it sends the request to the authentication server. Where is the BIG-IP sat in this flow?
- Kannan_Thalaia1
BIG-IP sit between Autheticator and Authentication server..
- PeteWhite
OK, so in theory i can see that the BIG-IP can sit between Authenticateor and Authentication Server and respond to the RADIUS request with EAP with a challenge, and force the supplicant to send the certificate. I'm not sure how this would work from BIG-IP to AS though - can it bundle up a single RADIUS Access Request with the certificate inside the EAP AVP? If not, the BIG-IP would have to respond to the challenge. Both of these are possible - the first would be a simple iRule, the second would need to use the MRF (Message Routing Framework) which is a bit more complex but is also more scalable.
If it were me, i would spend more time working out exactly what you want to do and how that would work - draw diagrams, refer to RFCs, write pseudocode, have wireshark traces etc. You may need to perform a proof of concept.
- Kannan_Thalaia1
Yes.. Due to complexity, the application team looking for other options and dropped F5 option..