For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

flomkrl_29950's avatar
flomkrl_29950
Icon for Nimbostratus rankNimbostratus
Nov 27, 2008

RADIUS Load Balancing

Hello,

 

 

I have to use 2 radius server in failover authentification.

 

 

1 - The Firsty idea is to create Virtual server for radius with a monitor which just check that radius answer although it is a radius-reject (for security purpose we do not want to use a user password to test, we will test with a wrong username)

 

 

Does anyone know all the command line of /usr/bin/monitors/builtins/RADIUSACCT_monitor /usr/bin/monitors/builtins/RADIUS_monitor

 

the idea is to create a monitor script which use RADIUS?_monitor and send Ok if there is answer and send NOK with no answer, that's all.

 

 

2 - The second idea is to modify the authentication irule for disabling the active node if there is an authentification error (not a reject).

 

If auth failed

 

=>check node up, if node up make it down

 

=>check node down, if node up make it up

 

 

I prefere the 1st idea,

 

 

Thanks for your help,

 

 

Flo,
config
design

4 Replies

  • flomkrl_29950's avatar
    flomkrl_29950
    Icon for Nimbostratus rankNimbostratus
    Nov 27, 2008
    Finaly i use 1st idea :

     

    !/bin/sh

     

     

     

    NODE_IP=${1}

     

    NODE_PORT=${2}

     

    USERNAME="TEST"

     

    DEBUG="Yes"

     

    RES=`/usr/bin/monitors/builtins/RADIUS_monitor $NODE_IP $NODE_PORT " " $USERNAME $SECRET 2>&1`

     

    echo $RES | grep 'Expected code' > /dev/null 2>&1

     

     

    if [ $? -eq 0 ]

     

    then

     

    echo "UP"

     

    fi

     

    exit
  • scott_sams_8256's avatar
    scott_sams_8256
    Icon for Nimbostratus rankNimbostratus
    Aug 27, 2009
    where does this go? i trying to use the radius_monitor external program. the radius sees the valid auth but denies cause it sees user as guest. where or how do i enter in user id and password for this?

     

     

    thanks
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 27, 2009
    The code flomkrl posted is used in an external monitor. USERNAME="TEST" is where he is setting the login name.

     

     

    These two pages have some background info on external monitors and using an external monitor to check a radius pool:

     

     

    External Monitors

     

    http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/ExternalMonitor.html

     

     

    SOL6993: Configuring a RADIUS Accounting external health monitor

     

    https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6993.html

     

     

    Aaron
  • amolari's avatar
    amolari
    Icon for Cirrostratus rankCirrostratus
    Jan 21, 2014

    i have filled an RFE, maybe of interest for you 

    RFE 445480 - Radius Monitor should mark member up even with Access-Reject