Forum Discussion
Peter_Z
Cirrus
Nov 08, 2010
Radius Load Balancing with iRule
Hello,
We need to write an iRule to load balance the RADIUS traffic. The users are authenticating with RADIUS servers which are load balanced on the F5 LTM. The ISP is doing a NAT so that ev...
Nat_Thirasuttakorn
Employee
Nov 11, 2010
I think when you move the rule to CLIENT_ACCEPTED, it just hasn't picked a server yet, so the log shows nothing. You may try splitting those parts... (move that log to the CLIENT_DATA or LB_SELECTED event instead). Here is an example.
when CLIENT_ACCEPTED {
    if { [UDP::payload length] > 4 } {
        # skip the 20-byte RADIUS header (code, id, length, authenticator); read the attribute bytes
        binary scan [UDP::payload] c@20a* hdr_code rest_string
        while { [string length $rest_string] > 4 } {
            # each attribute is type (1 byte), length (1 byte, includes the 2 header bytes), value
            binary scan $rest_string cca* attr_id attr_length rest_string
            scan $attr_length %i length
            set ff [format "a%da*" [expr {$length - 2}]]
            switch $attr_id {
                1 {
                    # attribute type 1 is RADIUS User-Name: use it as the persistence key
                    binary scan $rest_string $ff attr_value rest_string
                    persist uie $attr_value
                    break
                }
                default {
                    # any other attribute: consume its value and keep walking
                    binary scan $rest_string $ff attr_value rest_string
                }
            }
        }
    }
}
when CLIENT_DATA {
    set SERVER [LB::server addr]
    log "Username: $attr_value Sent to member $SERVER"
}
One thing to note: if you choose timeout immediate and the source port of the RADIUS request has been changed, then when the server replies with the RADIUS response, LTM may not have the information to translate the source port back to the original. (If your RADIUS client does not care about the destination port of the returning packet, you may ignore this.)
I would suggest UDP datagram LB with at least a few seconds of timeout (or a timeout which is long enough for your server to process the packet).
Nat
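Added example, not part of Nat's post and not F5 code: a Python parser that performs the same walk over the RADIUS attribute list that the iRule above does, pulling out User-Name (attribute type 1) as the persistence key. It goes a little beyond the iRule in two ways a practitioner would want when this runs on traffic from the internet: the attribute length is read as an unsigned byte (Tcl's binary scan "c" format is signed, so a length above 127 comes back negative and the format string built from it fails), and a malformed length (below 2, or running past the declared packet length) stops the parse instead of looping or reading past the buffer. The function names, the constructed packets and the sample user names are assumptions made for this example.

```python
import struct

RADIUS_HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)
ATTR_USER_NAME = 1       # RADIUS attribute type for User-Name (RFC 2865)


def parse_radius_attributes(datagram: bytes) -> dict:
    """Walk the type/length/value attributes after the 20-byte RADIUS header.

    Returns {attr_type: value_bytes} for the first occurrence of each type.
    Raises ValueError on a malformed packet instead of looping or over-reading.
    """
    if len(datagram) < RADIUS_HEADER_LEN:
        raise ValueError("datagram shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < RADIUS_HEADER_LEN or length > len(datagram):
        raise ValueError(f"bad header length {length} for {len(datagram)} bytes")
    attrs = {}
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type = datagram[pos]
        attr_len = datagram[pos + 1]          # unsigned: 2..255, includes these two bytes
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"bad attribute length {attr_len} at offset {pos}")
        attrs.setdefault(attr_type, datagram[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def persistence_key(datagram: bytes):
    """Return the User-Name the iRule would hand to 'persist uie', or None."""
    try:
        attrs = parse_radius_attributes(datagram)
    except ValueError:
        return None                            # malformed packet: no key, no persistence entry
    name = attrs.get(ATTR_USER_NAME)
    return name.decode("utf-8", "replace") if name is not None else None


def build_access_request(attrs) -> bytes:
    """Constructed test packet: code 1 (Access-Request), id 7, all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, RADIUS_HEADER_LEN + len(body)) + bytes(16) + body


# Constructed sample: NAS-IP-Address, User-Name, dummy User-Password, in that order.
SAMPLE = build_access_request([
    (4, bytes([10, 0, 0, 1])),
    (ATTR_USER_NAME, b"alice@example.com"),
    (2, bytes(16)),
])

# Constructed sample with a 150-byte vendor attribute (type 26) before the User-Name:
# its length byte (152) is negative in a signed read but parses correctly here.
LONG_ATTR_SAMPLE = build_access_request([(26, b"x" * 150), (ATTR_USER_NAME, b"bob")])

# Constructed malformed sample: an attribute whose length byte is 0.
MALFORMED = struct.pack("!BBH", 1, 7, RADIUS_HEADER_LEN + 2) + bytes(16) + bytes([1, 0])

if __name__ == "__main__":
    for pkt in (SAMPLE, LONG_ATTR_SAMPLE, MALFORMED):
        print(persistence_key(pkt))
```

Only the first User-Name is kept, which matches the iRule's `break` after the first match; a datagram that carries no User-Name at all yields no key, which is the case the iRule's CLIENT_DATA log line would hit as an unset `$attr_value`.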