Forum Discussion
Need help connecting RADIUS and HTTPS
I am trying to load-balance HTTPS (Port 8443) into the same node as a completed RADIUS communication. It is critical for session consistency that the HTTPS session is load-balanced onto the same node as the RADIUS session. It is key to note that the RADIUS client address is different to the HTTPS client address. In order to load-balance the HTTPS session, I first need to determine the Client-IP from the preceding accounting packets.
I have attempted to achieve this using the following iRule:
```tcl
when CLIENT_DATA {
    # This ensures that only the interim_update accounting
    # packets are inspected by the iRule as these are
    # most likely to contain the IP address of the client
    # [RADIUS::code] == 4 identifies the packet as an accounting packet
    # [RADIUS::avp 40] == 3 identifies the packet as an interim_update accounting packet
    if { [RADIUS::code] == 4 and [RADIUS::avp 40] == 3 } {
        set framed_ip [RADIUS::avp 8]
        log local0. "request from $framed_ip"
        persist uie "$framed_ip" 600
    }
}
```
Tying all this together on other Virtual Servers is a UIE persistence profile. The Persistence Profile has Match Across Services and Match Across Servers enabled. However, despite the persistence profile being attached to every VS, the HTTPS refuses to follow the persistence record that has been created by `persist uie "$framed_ip" 600`.
18 Replies
- Cory_50405
Noctilucent
If you instead use a universal persistence profile and enable 'Match Across Services', does that make a difference?
- tomHooper_13312
Nimbostratus
Thank you for your suggestion. I forgot to mention that I already have "Match Across Services" and "Match Across Servers" enabled. I've updated my post to reflect this.
- nitass
Employee
can you post the https virtual server's irule?
- tomHooper_13312
Nimbostratus
There is no iRule attached to the HTTPS virtual server. Just a Universal Persistence Profile with Match Across Services and Match Across Servers.
- nitass
Employee
There is no iRule attached to the HTTPS virtual server.
can you try? the irule should just be running persist against client ip.
- tomHooper_13312
Nimbostratus
Are you able to provide any suggestions? I'm not too sure how to start.
- nitass
Employee
e.g.
```tcl
when CLIENT_ACCEPTED { persist uie [IP::client_addr] }
```
- tomHooper_13312
Nimbostratus
Alright, I'll try that. Does this get attached to a persistence profile? Or is it just attached as an iRule to the VS?
- nitass
Employee
is it just attached as an iRule to the VS
VS please :)
- tomHooper_13312
Nimbostratus
So I have tried the suggested configuration and am still having trouble.
Running show ltm persistence persist-records all-properties I receive the following output: (Note I have truncated the output to preserve space)
```
-----output truncated-------
universal - 10.x.x.170:1813 - 10.x.x.172:any
----------------------------------------------------
  TMM            2
  Mode           universal
  Value          141.x.x.115
  Age (sec.)     18
  Virtual Name   /Common/ISE_Radius_account
  Virtual Addr   10.x.x.170:1813
  Node Addr      10.x.x.172:any
  Pool Name      /Common/ISE_model_server
  Client Addr    ::
  Owner entry

universal - 10.x.x.170:1813 - 10.x.x.172:any
----------------------------------------------------
  TMM            1
  Mode           universal
  Value          141.x.x.115
  Age (sec.)     18
  Virtual Name   /Common/ISE_Radius_account
  Virtual Addr   10.x.x.170:1813
  Node Addr      10.x.x.172:any
  Pool Name      /Common/ISE_model_server
  Client Addr    ::
  Local entry
===================================================
-----output truncated-------
source-address - 10.x.x.170:1812 - 10.x.x.171:any
---------------------------------------------------------
  TMM            1
  Mode           source-address
  Value          141.x.x.166
  Age (sec.)     145
  Virtual Name   /Common/ISE_Radius_auth
  Virtual Addr   10.x.x.170:1812
  Node Addr      10.x.x.171:any
  Pool Name      /Common/ISE_model_server
  Client Addr    141.x.x.166
  Owner entry
```
The last record is the RADIUS client that all other records should be persisting to.
- nitass
Employee
the last persistence record is source address type, isn't it? shouldn't it be universal persistence type?
- nitass
Employee
this is my testing.

accounting virtual server
```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar1813
ltm virtual bar1813 {
    destination 172.28.24.10:1813
    ip-protocol udp
    mask 255.255.255.255
    persist {
        myuie {
            default yes
        }
    }
    pool foo
    profiles {
        udp { }
    }
    rules {
        qux1813
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-port disabled
    vs-index 19
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:0 {
            address 200.200.200.101
        }
        200.200.200.111:0 {
            address 200.200.200.111
        }
    }
}
```
timeout is set to indefinite to make testing easier
```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm persistence universal myuie
ltm persistence universal myuie {
    app-service none
    match-across-services enabled
    match-across-virtuals enabled
    timeout indefinite
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux1813
ltm rule qux1813 {
    when CLIENT_ACCEPTED {
        persist uie [RADIUS::avp 8 ip4]
    }
}
```
http virtual server
```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar80
ltm virtual bar80 {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        myuie {
            default yes
        }
    }
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux80
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 20
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux80
ltm rule qux80 {
    when CLIENT_ACCEPTED {
        persist uie [IP::client_addr]
    }
    when SERVER_CONNECTED {
        log local0. "client [IP::client_addr] server [IP::server_addr]"
    }
}
```
testing

1. create persistence record by sending accounting message
```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show ltm persistence persist-records all-properties
Sys::Persistent Connections
universal - 172.28.24.10:1813 - 200.200.200.101:any
---------------------------------------------------
  TMM            1
  Mode           universal
  Value          172.28.24.15
  Age (sec.)     3
  Virtual Name   /Common/bar1813
  Virtual Addr   172.28.24.10:1813
  Node Addr      200.200.200.101:any
  Pool Name      /Common/foo
  Client Addr    172.28.24.1
  Owner entry

Total records returned: 1
```
2. to prove whether persistence record is used, disable pool member 200.200.200.101:any (persistence is allowed on disabled state according to sol13310)
```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify ltm pool foo members modify { 200.200.200.101:0 { session user-disabled }}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:0 {
            address 200.200.200.101
            session user-disabled
        }
        200.200.200.111:0 {
            address 200.200.200.111
        }
    }
}
```
3. send http request. pool member 200.200.200.101 is used
```
[root@ve11a:Active:In Sync] config tail -f /var/log/ltm
Apr 23 03:19:14 ve11a info tmm1[13593]: Rule /Common/qux80 : client 172.28.24.15 server 200.200.200.101
```
- tomHooper_13312
Nimbostratus
Thanks for that code, nitass. I did note that you are using SNAT automap on both VSs. Is there a way to avoid using SNAT in this scenario?
- nitass
Employee
I did note that you are using SNAT automap on both VSs. Is there a way to avoid using SNAT in this scenario?
if server sends response back to client through bigip (e.g. default gateway, static route), snat automap is not needed. I had to use snat automap because my lab environment does not.
- tomHooper_13312
Nimbostratus
Based on your output, I have the default gateway set as the F5; this means I do not require SNAT. Another thing I have noticed is that you have used HTTP, whereas I am required to use HTTPS. Is this going to make a difference?
- nitass
Employee
I have the default gateway set as the F5; this means I do not require SNAT.
correct
I have noticed is that you have used HTTP, whereas I am required to use HTTPS. Is this going to make a difference?
no difference
- tomHooper_13312
Nimbostratus
Nitass, can I ask for a printout of the port 1812 config? I am struggling to work out how these two (1812 and 1813) are maintaining a persistent connection. You have been a great help so far.
- nitass
Employee
Can I ask for a printout of the port 1812 config?
sorry, I do not have it. it is my testing lab. traffic is not real traffic, i.e. it is generated by tools such as radclient, curl, etc.
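Putting the two halves of the design nitass tested side by side as an added example (not code from the thread or from F5): a minimal RADIUS parser that derives the same key the accounting iRule hands to `persist uie` (Framed-IP-Address of an Interim-Update Accounting-Request), and the HTTPS-side lookup that only finds the record when its key, the client IP, equals that stored value. Attribute numbers are the RFC 2865/2866 values; `build_packet`, the `records` dict standing in for the persistence table, and the sample addresses are constructed for illustration.

```python
import struct
import ipaddress

# RADIUS constants (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4   # what [RADIUS::code] == 4 tests
FRAMED_IP_ADDRESS = 8    # what [RADIUS::avp 8] reads
ACCT_STATUS_TYPE = 40    # what [RADIUS::avp 40] reads
INTERIM_UPDATE = 3       # Acct-Status-Type value for Interim-Update

def parse_radius(packet):
    """Split a raw RADIUS datagram into (code, {attr_type: [raw values]})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def accounting_persist_key(packet):
    """Accounting VS side: the value the iRule would pass to 'persist uie'.
    Returns the dotted Framed-IP-Address of an Interim-Update
    Accounting-Request, or None when no record should be created."""
    code, attrs = parse_radius(packet)
    if code != ACCOUNTING_REQUEST or ACCT_STATUS_TYPE not in attrs:
        return None
    if struct.unpack("!I", attrs[ACCT_STATUS_TYPE][0])[0] != INTERIM_UPDATE:
        return None
    if FRAMED_IP_ADDRESS not in attrs:
        return None
    return str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0]))

def https_select_node(records, client_ip, pool):
    """HTTPS VS side: 'persist uie [IP::client_addr]' hits only when the
    lookup key equals the key the accounting rule stored; otherwise the
    normal load-balancing decision (first pool member here) applies."""
    return records.get(client_ip, pool[0])

def build_packet(code, attrs):
    """Constructed helper for sample input: assemble a RADIUS datagram
    with a zeroed authenticator and identifier 1."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```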