Technical Forum
Loadbalancing based on UDP SSL certificate issuer

In our environment we have multiple WLCs which are trying to connect to RADIUS (UDP 1812) for authentication along with a certificate.

Some WLCs (during authentication) are sending old certificates and some are sending new ones.

Our intention is that, based on the certificate issuer (on the UDP traffic), the F5 LTM needs to redirect to a different pool.

Kindly let me know whether we can achieve this with a UDP profile and the iRule below, or any other way to fulfil our requirement.

Appreciate your help on this.

when CLIENTSSL_HANDSHAKE {
    # This event only fires on a virtual server with a client SSL profile, i.e. where
    # TLS is terminated on the BIG-IP; it never fires for plain UDP/1812 RADIUS.
    # Index 0 is the peer's leaf certificate; index 1 would be its issuer in the chain.
    if { [SSL::cert count] > 0 } {
        set client_cert [SSL::cert 0]
        set subject [X509::subject $client_cert]
        if { [string match "*CS PRD*" $subject] } {
            # Route to Pool A for peers presenting the old ("CS PRD") certificates
            pool RADIUSOLD_POOL
        } else {
            # Default route for other cases
            pool RADIUSNEW_POOL
        }
    }
}


PeteWhite
F5 Employee

Your requirements seem strange and complex. I'd suggest contacting Professional Services for help with this, or taking some time to describe your problem more clearly so that somebody here may be able to help.

Yes, we contacted F5 PS and got the response: "I have further reviewed the requirement and Wireshark traces with a senior colleague and we both concur that this is a non-starter due to the way the protocol behaves."

The RADIUS Access-Request packet is routed to the Authentication Server prior to the client certificate being presented. This breaks any certificate-based routing that we require.

In the diagram below, step 5 (Access Request) happens before 5b (Client Cert request).

[Diagram: Kannan_Thalaia1_0-1697185562840.png]

You could use an iRule which responds to the Access-Request asking for the client cert, and once the client cert is presented, sends the request to the authentication server. Where does the BIG-IP sit in this flow?

The BIG-IP sits between the Authenticator and the Authentication Server.

OK, so in theory I can see that the BIG-IP can sit between the Authenticator and the Authentication Server and respond to the RADIUS request with an EAP challenge, forcing the supplicant to send the certificate. I'm not sure how this would work from the BIG-IP to the AS though: can it bundle up a single RADIUS Access-Request with the certificate inside the EAP AVP? If not, the BIG-IP would have to respond to the challenge. Both of these are possible: the first would be a simple iRule, the second would need to use the MRF (Message Routing Framework), which is a bit more complex but is also more scalable.

If it were me, I would spend more time working out exactly what you want to do and how that would work: draw diagrams, refer to RFCs, write pseudocode, get Wireshark traces, etc. You may need to perform a proof of concept.
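To make the ordering discussed above concrete, here is an added example in Python (written for this page; it is not code from the thread, from F5, or from any iRule). It builds the two kinds of Access-Request a BIG-IP sitting between Authenticator and Authentication Server would see: the first one (step 5 in the diagram) carries only EAP-Response/Identity inside EAP-Message, so there is no certificate to route on; only a later Access-Request, after the AS (or something answering in its place) has sent an EAP-TLS Start challenge, carries the TLS Certificate message. It also computes and checks the Message-Authenticator attribute (RFC 3579), which anything that answers RADIUS on the AS's behalf has to get right. The shared secret, the "wlc01" identity and the certificate DER blobs are constructed placeholders, and the code assumes TLS 1.2 with an unfragmented client flight.

```python
"""Added example: where the client certificate appears in RADIUS/EAP-TLS. Constructed packets only."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 2, 1, 13
EAPTLS_FLAG_LEN, EAPTLS_FLAG_MORE = 0x80, 0x40
TLS_HANDSHAKE, TLS_HS_CERTIFICATE = 22, 11
SHARED_SECRET = b"testing123"                     # constructed, not a real secret
FAKE_LEAF_DER = b"\x30\x82\x01\x00" + bytes(256)  # placeholders, not parseable X.509 certs
FAKE_CA_DER = b"\x30\x82\x00\x60" + bytes(96)

def encode_attrs(attrs):
    # RADIUS attribute TLV: type (1), length incl. header (1), value (<= 253 octets)
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_radius(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[off + 2:off + l]))
        off += l
    return code, ident, pkt[4:20], attrs

def message_authenticator(secret, code, ident, req_auth, attrs):
    # RFC 3579 3.2: HMAC-MD5 over the packet with Message-Authenticator zeroed and the
    # Request Authenticator in the header (for replies too).
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, hdr + req_auth + body, hashlib.md5).digest()

def build_access_request(secret, ident, username, eap):
    req_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username)]
    attrs += [(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]  # RFC 3579 split
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, message_authenticator(secret, ACCESS_REQUEST, ident, req_auth, attrs))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def verify_request(secret, pkt):
    # Anything answering on behalf of the AS must check this before trusting the EAP data.
    code, ident, req_auth, attrs = parse_radius(pkt)
    got = next((v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR), None)
    return got is not None and hmac.compare_digest(
        got, message_authenticator(secret, code, ident, req_auth, attrs))

def eap_identity_response(ident, identity):
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body

def eap_tls_response(ident, tls_data):
    # RFC 5216: type, flags (L = TLS length present), 4-byte TLS length, TLS records
    body = bytes([EAP_TYPE_TLS, EAPTLS_FLAG_LEN]) + struct.pack("!I", len(tls_data)) + tls_data
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body

def tls_certificate_record(cert_ders):
    # TLS 1.2 Certificate handshake message (3-byte lengths) in one plaintext record
    certs = b"".join(struct.pack("!I", len(c))[1:] + c for c in cert_ders)
    hs_body = struct.pack("!I", len(certs))[1:] + certs
    hs = bytes([TLS_HS_CERTIFICATE]) + struct.pack("!I", len(hs_body))[1:] + hs_body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs

def client_certificate(pkt):
    """Leaf certificate DER if this Access-Request carries a TLS Certificate message, else
    None. Assumes TLS 1.2 and an unfragmented flight; TLS 1.3 encrypts Certificate."""
    code, _, _, attrs = parse_radius(pkt)
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)  # RFC 3579: concatenate in order
    if code != ACCESS_REQUEST or len(eap) < 6 or eap[0] != EAP_RESPONSE or eap[4] != EAP_TYPE_TLS:
        return None
    flags, off = eap[5], 6
    if flags & EAPTLS_FLAG_MORE:
        return None  # fragment: needs reassembly across further Challenge/Request rounds
    if flags & EAPTLS_FLAG_LEN:
        off += 4
    data = eap[off:struct.unpack("!H", eap[2:4])[0]]
    while len(data) >= 5:
        rtype, rlen = data[0], struct.unpack("!H", data[3:5])[0]
        rec, data = data[5:5 + rlen], data[5 + rlen:]
        if rtype == TLS_HANDSHAKE and len(rec) >= 10 and rec[0] == TLS_HS_CERTIFICATE:
            first_len = int.from_bytes(rec[7:10], "big")  # after hs len (3) and certs len (3)
            return rec[10:10 + first_len] or None
    return None

def build_sample_exchange():
    # Step 5 (EAP Identity, nothing to route on) and a later request that carries the cert.
    first = build_access_request(SHARED_SECRET, 1, b"wlc01", eap_identity_response(1, b"wlc01"))
    later = build_access_request(SHARED_SECRET, 7, b"wlc01", eap_tls_response(
        5, tls_certificate_record([FAKE_LEAF_DER, FAKE_CA_DER])))
    return first, later
```

Passing the returned DER to `cryptography.x509.load_der_x509_certificate(der).issuer` would give the issuer for the pool decision. What the example deliberately leaves out is the other half of the job: emitting the Access-Challenge with EAP-Request/TLS Start (which needs a Response Authenticator as well as a Message-Authenticator) and reassembling a fragmented flight over several round trips. With TLS 1.3 (RFC 9190) the Certificate message is encrypted, so a device in the RADIUS path cannot see it at all.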

Yes. Due to the complexity, the application team is looking for other options and has dropped the F5 option.