Forum Discussion
Martin_Sharratt
Nimbostratus
Feb 24, 2015
Radius load balancing not balancing
We've got a pair of LTMs (running 11.5.0) and I've been trying to set up load balancing for our radius servers which are authenticating our wireless traffic. We're using FreeRadius. We're using MSCH...
Fred_Slater_856
Feb 25, 2015
Historic F5 Account
There are at least 2 solutions. One is to build an iRule and attach it to your iApp. See https://devcentral.f5.com/wiki/iRules.RADIUS__avp.ashx. The other is to apply the radius profile with persist-avp (tmsh create ltm profile radius radiusLB persist-avp). I believe the latter is more straightforward, but unfortunately it is not implemented in the f5.radius iApp in 11.5.
- Martin_Sharratt Feb 26, 2015
Nimbostratus
Thanks very much for this Fred. I'll hopefully be able to give this a try over the next few days. Will post back with results.
- Fred_Slater_856 Feb 26, 2015
Historic F5 Account
Thanks Martin. I am especially interested in the result when you create the following attribute-value persistence profile and attach it to your radius virtual.
ltm profile radius my_radiusLB {
    defaults-from radiusLB
    persist-avp 1
}
- Fred_Slater_856 Mar 10, 2015
Historic F5 Account
Martin- I set up a pair of freeradius servers, and am successfully load balancing between them with datagram-load-balancing and no radiusLB profile using a simple radtest -t mschap test. Is there an easy way for me to reproduce the problem you are seeing?
- Martin_Sharratt Mar 18, 2015
Nimbostratus
Sorry it's taken so long but I've finally found some time to replicate the live config on a test F5 and radius servers and guess what, I've found the same. Using radtest I get successful load balancing using the out-of-the-box Radius iApp. I then tried this using radtest on the production setup with the same result. I'm starting to think the problem is with the client rather than the F5.
- Fred_Slater_856 Mar 18, 2015
Historic F5 Account
Interesting. A tcpdump comparison might help to see the difference between clients. Post what you find!
- Martin_Sharratt Mar 18, 2015
Nimbostratus
Funnily enough I've just done that - snippet below but some explanation:
The clients are
xxx.xxx.148.104 - radtest client
xxx.xxx.4.22 - Wireless controller
xxx.xxx.127.136 and xxx.xxx.127.137 radius servers
The snippets show the radtest evenly balancing between 127.136 and 127.137 and the wireless controller sticking with 127.136. But they also show a different conversation. Radtest is request-accept whereas wireless controller is request-challenge.
Radtest
16:28:09.379760 IP xxx.xxx.148.104.36980 > xxx.xxx.127.137.radius: RADIUS, Access Request (1), id: 0xc3 length: 129
16:28:09.423763 IP xxx.xxx.127.137.radius > xxx.xxx.148.104.36980: RADIUS, Access Accept (2), id: 0xc3 length: 108
16:28:09.476146 IP xxx.xxx.148.104.33658 > xxx.xxx.127.137.radius: RADIUS, Access Request (1), id: 0x25 length: 129
16:28:09.520002 IP xxx.xxx.127.137.radius > xxx.xxx.148.104.33658: RADIUS, Access Accept (2), id: 0x25 length: 108
16:28:09.571885 IP xxx.xxx.148.104.36908 > xxx.xxx.127.137.radius: RADIUS, Access Request (1), id: 0x9a length: 129
16:28:09.622050 IP xxx.xxx.127.137.radius > xxx.xxx.148.104.36908: RADIUS, Access Accept (2), id: 0x9a length: 108
16:28:09.672034 IP xxx.xxx.148.104.52581 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xa6 length: 129
16:28:09.735969 IP xxx.xxx.127.136.radius > xxx.xxx.148.104.52581: RADIUS, Access Accept (2), id: 0xa6 length: 108
16:28:09.785786 IP xxx.xxx.148.104.46811 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x90 length: 129
16:28:09.848582 IP xxx.xxx.127.136.radius > xxx.xxx.148.104.46811: RADIUS, Access Accept (2), id: 0x90 length: 108
16:28:09.898973 IP xxx.xxx.148.104.59440 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x01 length: 129
16:28:09.966831 IP xxx.xxx.127.136.radius > xxx.xxx.148.104.59440: RADIUS, Access Accept (2), id: 0x01 length: 108
16:28:10.017341 IP xxx.xxx.148.104.50813 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x6b length: 129
16:28:10.096661 IP xxx.xxx.127.136.radius > xxx.xxx.148.104.50813: RADIUS, Access Accept (2), id: 0x6b length: 108
Wireless controller
16:28:09.300715 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x80 length: 233
16:28:09.304035 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0x80 length: 694
16:28:09.384252 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x65 length: 371
16:28:09.389125 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0x65 length: 123
16:28:09.399242 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xb7 length: 233
16:28:09.401953 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0xb7 length: 101
16:28:09.414063 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xbc length: 286
16:28:09.416874 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0xbc length: 133
16:28:09.425249 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xac length: 334
16:28:09.468703 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0xac length: 149
16:28:09.474853 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x66 length: 270
16:28:09.478196 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0x66 length:
- Martin_Sharratt Mar 18, 2015
Nimbostratus
I've just looked again at radtest - using -t eap-md5 I get the challenge response but it still seems to be balancing evenly
- Martin_Sharratt Mar 18, 2015
Nimbostratus
But I can't copy the snippet in (website thinks it's spam):
17:07:29.534774 IP xxx.xxx148.104.36928 > xxx.xxx127.136.radius: RADIUS, Access Request (1), id: 0xfd length: 135
17:07:29.536893 IP xxx.xxx127.136.radius > xxx.xxx148.104.36928: RADIUS, Access Challenge (11), id: 0xfd length: 64
17:07:29.586124 IP xxx.xxx148.104.54443 > xxx.xxx127.136.radius: RADIUS, Access Request (1), id: 0x0a length: 135
17:07:29.588386 IP xxx.xxx127.136.radius > xxx.xxx148.104.54443: RADIUS, Access Challenge (11), id: 0x0a length: 64
17:07:29.635644 IP xxx.xxx148.104.42466 > xxx.xxx127.137.radius: RADIUS, Access Request (1), id: 0x17 length: 135
17:07:29.637776 IP xxx.xxx127.137.radius > xxx.xxx148.104.42466: RADIUS, Access Challenge (11), id: 0x17 length: 64
17:07:29.684637 IP xxx.xxx148.104.56138 > xxx.xxx127.137.radius: RADIUS, Access Request (1), id: 0x24 length: 135
17:07:29.687030 IP xxx.xxx127.137.radius > xxx.xxx148.104.56138: RADIUS, Access Challenge (11), id: 0x24 length: 64
17:07:29.734239 IP xxx.xxx148.104.56163 > xxx.xxx127.136.radius: RADIUS, Access Request (1), id: 0x31 length: 135
17:07:29.736436 IP xxx.xxx127.136.radius > xxx.xxx148.104.56163: RADIUS, Access Challenge (11), id: 0x31 length: 64
17:07:29.784118 IP xxx.xxx148.104.51052 > xxx.xxx127.136.radius: RADIUS, Access Request (1), id: 0x3e length: 135
17:07:29.787326 IP xxx.xxx127.136.radius > xxx.xxx148.104.51052: RADIUS, Access Challenge (11), id: 0x3e length: 64
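An added example, not part of any post in the thread: a short Python script that tallies tcpdump RADIUS lines like the ones posted above by client, counting Access-Requests per server and the distinct UDP source ports each client used. The sample lines are an excerpt of the capture in the thread; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the tcpdump lines posted in the thread (addresses were already masked there).
CAPTURE = """\
16:28:09.379760 IP xxx.xxx.148.104.36980 > xxx.xxx.127.137.radius: RADIUS, Access Request (1), id: 0xc3 length: 129
16:28:09.423763 IP xxx.xxx.127.137.radius > xxx.xxx.148.104.36980: RADIUS, Access Accept (2), id: 0xc3 length: 108
16:28:09.672034 IP xxx.xxx.148.104.52581 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xa6 length: 129
16:28:09.300715 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x80 length: 233
16:28:09.304035 IP xxx.xxx.127.136.radius > xxx.xxx.4.22.38620: RADIUS, Access Challenge (11), id: 0x80 length: 694
16:28:09.384252 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0x65 length: 371
16:28:09.399242 IP xxx.xxx.4.22.38620 > xxx.xxx.127.136.radius: RADIUS, Access Request (1), id: 0xb7 length: 233
"""

# tcpdump prints "<addr>.<port>"; the last dot-separated field is the port or service name.
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"RADIUS, (?P<kind>[A-Za-z -]+) \((?P<code>\d+)\), id: (?P<id>0x[0-9a-f]+)"
)

def summarise(capture):
    """Per client: Access-Requests seen per server and the UDP source ports used."""
    stats = defaultdict(lambda: {"servers": Counter(), "sports": set()})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m or m["code"] != "1":   # keep only Access-Request (RADIUS code 1)
            continue
        entry = stats[m["src"]]
        entry["servers"][m["dst"]] += 1
        entry["sports"].add(m["sport"])
    return stats

def report(stats):
    """Rows of (client, total requests, distinct source ports, requests per server)."""
    return [
        (client, sum(s["servers"].values()), len(s["sports"]), dict(s["servers"]))
        for client, s in sorted(stats.items())
    ]

if __name__ == "__main__":
    for client, total, ports, servers in report(summarise(CAPTURE)):
        print(f"{client}: {total} requests, {ports} source port(s), {servers}")
```
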
