Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

Loadbalancing based on UDP SSL certificate issuer

In our environment we have multipl WLCs which are trying to connect RADIUS ( UDP 1812) for authentication along with certificate.

Some are WLCs (during authentications) are sending old certificates and some are new one.

We intention is based on certificate issuer ( on UDP traffic) , the F5 LTM need to redirect to different pool.

Kindly let me know, whether we can achive this with UDP profile and below irule? or any other way to fulfil our requirement.

Appreciate your help on this.

set server_cert [SSL::cert 1] ;# Retrieve the server certificate (index 1)
set cn [SSL::cert subject commonName]
if { [string match "*CS PRD*" $cn] } {
# Route to Pool A for servers with Type A certificates
} else {
# Default route for other cases



F5 Employee
F5 Employee

your requirements seems strange, and complex. I'd suggest contacting Professional Services for help with this, or take some time to describe your problem more clearly and somebody here may be able to help.

Yes, we contacted F5 PS and got response as "I have further reviewed the requirement and Wireshark traces with a senior colleague and we both concur that this is a non-starter due to the way the protocol behaves."

the Radius Access Request packet is routed to the Authentication Server prior to the Client certificate being presented. This breaks any certificate-based routing that we require.

In the below diagram, step 5 (Access Request) happens before 5b (Client Cert request).



you could use an iRule which responds to the Access Request asking for the client cert, and once the client cert is presented it sends the request to the authentication server. Where is the BIG-IP sat in this flow?

BIG-IP sit between Autheticator and Authentication server..

OK, so in theory i can see that the BIG-IP can sit between Authenticateor and Authentication Server and respond to the RADIUS request with EAP with a challenge, and force the supplicant to send the certificate. I'm not sure how this would work from BIG-IP to AS though - can it bundle up a single RADIUS Access Request with the certificate inside the EAP AVP? If not, the BIG-IP would have to respond to the challenge. Both of these are possible - the first would be a simple iRule, the second would need to use the MRF (Message Routing Framework) which is a bit more complex but is also more scalable.

If it were me, i would spend more time working out exactly what you want to do and how that would work - draw diagrams, refer to RFCs, write pseudocode, have wireshark traces etc. You may need to perform a proof of concept.

Yes.. Due to complexity, the application team looking for other options and dropped F5 option..