For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ken_wolff_10732's avatar
ken_wolff_10732
Icon for Nimbostratus rankNimbostratus
Sep 20, 2006

Snatted address replacement

Is there a way to retain the actual client address and replace the snatted address with the actual client address when responding back to the client? I need the snat, but want to tell the client the a...
application delivery
dev
devops
iRules
ken_wolff_10732's avatar
ken_wolff_10732
Icon for Nimbostratus rankNimbostratus
Sep 22, 2006
The client is doing an 802.1x (PEAP) authentication via radius servers to the domain controller. So the sequence is laptop request>Cisco Switch>BigIP>Radius>active directory. The problem comes in when the radius is not local (is not on the internal VLAN). The request has to be snatted to go to a remote radius. The radius log entry then shows a snatted address for the Cisco Switch i.e. a generic address instead of a specific address. This is a security issue.

 

I would like to find a way to capture the Switch address, and send that to the radius instead of the snat address. If that could work, then we could use remote radius servers. Hope that is clearer. Thanks, Ken