Who can help ?

Well everything seems plausable if not complex....I am puzzled about item 4. Why do you need F5 Device to create some "Mapping table"

 

CB

Let me clarify the requirement again, it can help you understand why need such “mapping table”.

 

1.The user that from remote can get multiple IP addresses for different applications.

 

2.When user needs access internet, it dial-up first.

 

3.When NAS detect remote user has vaild IP addresses received, NAS send RADIUS accounting start message to the server pool which behind F5 box, F5 will distribute this message to the one accounting server base on dispatch method.

 

4.Remote user can access internet through NAS, but all traffic which comes from that user should via accounting server for tracing session information.

 

5.Which accounting server will be used is accoding to that table, because that table record this user name, user’s IP addresses and which accounting server is keeping the RADIUS start message, F5 should search that table and base on that table entries redirect subsequent traffic to corresponding accounting sevrer.

 

6.The key points here are two, one is if the traffic’s destination address is NOT VIP address on F5 box, does F5 also can implement load balancing for that kind of traffic? Another is F5 can search the mapping table for that knid of traffic? You can see the RADIUS message is sent by NAS, NOT remote user, but it need all traffic which comes from that user go to the same accounting server which RADIUS message is leave in. How does this work???

 

 

Thanks very much!

 

Sounds like you want the F5 to send and stick traffic to the accounting server that initially keeps the last known record of the user so that if he comes back he always sticks to the correct account server. Is that correct?

 

 

If so then it's possible to do that with setting up a persistance, probably destination affinity persistence.

 

 

 

CB

 

Thanks very much for your quickly reply, CB. The questions is if the traffic from clients are not sneding to the VIP on the F5, meaning that the F5 receive the traffic that the destination addresses are unknow for itself , whether the F5 still can do the stick according to the entries which created by RADIUS nessage (The RADIUS message is sent by NAS and the address is the VIP on F5).

 

BTW, all traffic I'm talking about is for sending packets, I don;t care the back traffic now.

Sorry I stll don't exactly know what you mean.

 

 

So from what I understand this is your traffic parttern.

 

 

Client --> NAS --> VIP --> Account Server (Behind F5) --> VIP --> NAS --> Client -> NAS --> Internet

 

 

Is that the traffic pattern?

 

 

CB

 

There are two separate traffic flow, One is as below:

 

1.Client dial-up, NAS receive this request, give client IP address (example, IP_C) if pass the verification.

 

2.NAS sneds RADIUS start message to the VIP which on F5 device, like this NAS-----VIP----one of accounting server (example, load balance to Acc_1)

 

3.F5 should keep a table which include user name, user’s IP address and which accounting is using.

 

Above is the first step, below is another flow:

 

1.Client access a server (Example, IP_S) which in internet, so the packets which from client source IP is IP_C, destination IP is IP_S, Client----Server directly.

 

2.BUT these packets will pass through F5 device, because F5 is in online mode in the network.

 

3.When F5 box receive these packets, F5 should redirect the packets to the Acc_1 server according to the table which was created in first step, as I said in my previous mail, the packets source IP is IP_C, destination IP is IP_S, the IP_S is the real server in the internet, NOT VIP address on the F5, BUT F5 should also stick such traffic to the same server which the RADIUS start message in for that client, that’s my key point.

 

How F5 can work like this? Any ideas for my case? Thanks very much for your great help, CB!!!

Why would the client want to communicate to the Acc_1 server once it's already been given authorization, to access a separate server on the internet. Is it someone constantly want to go to the seperate server and also communicate to the Acc_1 server at the sametime?

 

 

 

Hang in there I will get it eventually :-).

 

 

CB

Becasue accounting server need to know every sessions information from the clients, different cleints' all traffic should stick to corresponding accounting server according to the RADIUS message dispatch which accounting server. There are several accounting server in the server pool. This is customer requirement. Thanks very mcuh again.

Yes but isn't the NAS doing that already? I get that the accounting server should track when the client logs in and/or out, but that's because it's supplied that information by the NAS - as you also mentioned it's through this device the clients get to the internet . That would suggest that NAS is actually tracking each request to the internet and making the RADIUS Start Message calls. According to this logic you would then need the NAS to always send the RADIUS start message to the specific Account server that already contains the client's information. This can be done by an iRULE based on the information of the RADIUS Start Message within the packet.

 

 

CB

Actually the accounting servers which in customer network are more complex than normal RADIUS accounting server, except record RADIUS start/stop message, it also can do traffic data inspection, from this view, the server looks like IDS, but a little difference, this accounting servers are user-defined system, inculde a lots layer 7 function, that’s why need all traffic MUST go through these servers. I know the first step which I mentioned is very easyly to implement by iRule, but how can I do about my second flow I mentioned before?? Thanks very much!