We are currently using iPlanet boxes in our DMZ to reverse-proxy back to our Weblogic app servers via Weblogic's iPlanet plug-in. The iPlanets also house the Siteminder plug-in, authenticating users in the DMZ before they reach the Weblogic machines.
We'd like to replace the web servers with BigIPs. In order to do this, we'll need to authenticate users somehow on each BigIP, either against our LDAP servers, or preferably, against our existing Siteminder Policy Server.
Since the Siteminder Policy Server can speak RADIUS, could we use BigIP's RADIUS capability for authentication against the Policy server? If so, can BigIP's RADIUS authentication be controlled through iRules? For example, if a user fails RADIUS authentication against the Policy server, would it be possible to write an iRule to redirect the user to a login page? What would the iRule(s) look like?
Is BigIP+RADIUS the best replacement for our current iPlanet+Siteminder plugin configuration, or would you recommend another BigIP combination?
BIG-IP does handle remote RADIUS authentication but I believe that you are not able to do what you want with iRules.
We can help you with programming issues here at DevCentral, but for questions like this one that concern BIG-IP and its configuration in the network, we recommend you contact our Technical Support group where you will receive more detailed answers and recommendations on product solutions.