
Re: Loadbalancing based on UDP SSL certificate issuer

Yes, we contacted F5 PS and got the response: "I have further reviewed the requirement and Wireshark traces with a senior colleague and we both concur that this is a non-starter due to the way the protocol behaves."

  • Kannan_Thalaia1 (Cirrus)

    The RADIUS Access Request packet is routed to the Authentication Server prior to the Client certificate being presented. This breaks any certificate-based routing that we require.

    In the below diagram, step 5 (Access Request) happens before 5b (Client Cert request).

     

    • PeteWhite (Employee)

      You could use an iRule which responds to the Access Request asking for the client cert, and once the client cert is presented it sends the request to the authentication server. Where is the BIG-IP sat in this flow?
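
The ordering problem discussed in this thread, as an added example that is not part of the original posts or any F5 code: a Python sketch that reads the EAP-Message attributes of a RADIUS packet and reports whether a TLS Certificate handshake message is visible in it. Both sample packets are constructed, and the check assumes EAP-TLS over TLS 1.2 or earlier and inspects only the first handshake message of the first fragment.

```python
import struct

EAP_MESSAGE = 79                  # RADIUS attribute type that carries EAP
EAP_IDENTITY, EAP_TLS = 1, 13     # EAP method type numbers

def radius_attrs(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20                      # 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def describe_eap(packet):
    """Return (eap_type, certificate_visible) for a RADIUS packet."""
    # An EAP packet may be split over several EAP-Message attributes.
    eap = b"".join(v for t, v in radius_attrs(packet) if t == EAP_MESSAGE)
    if len(eap) < 5:
        return None, False
    eap_type = eap[4]
    if eap_type != EAP_TLS or len(eap) < 6:
        return eap_type, False    # e.g. Identity: nothing to route on yet
    flags, body = eap[5], eap[6:]
    if flags & 0x80:              # L bit set: 4-byte TLS message length
        body = body[4:]
    # Simplification: TLS record type 22 (handshake), message type 11
    cert = len(body) >= 6 and body[0] == 22 and body[5] == 11
    return eap_type, cert

def build_access_request(eap):
    """Constructed sample: Access-Request with one EAP-Message attribute."""
    attrs = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

def eap_response(eap_type, data):
    return struct.pack("!BBHB", 2, 1, 5 + len(data), eap_type) + data

# Constructed packets: the first Access-Request, then a later TLS flight.
FIRST = build_access_request(eap_response(EAP_IDENTITY, b"anonymous@example.org"))
TLS_CERT = bytes([22, 3, 3, 0, 7, 11, 0, 0, 3, 0, 0, 0])  # empty cert list
LATER = build_access_request(
    eap_response(EAP_TLS, bytes([0x80]) + struct.pack("!I", len(TLS_CERT)) + TLS_CERT))

if __name__ == "__main__":
    print(describe_eap(FIRST), describe_eap(LATER))
```

The first packet carries only an EAP identity, so any load-balancing decision made on it cannot depend on the certificate issuer.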