Hi, I currently have an ACE module running in one arm mode which I am trying to set up to service
RADIUS requests. As such I have configured the RADIUS probe on the ACE and the VIP address is being advertised
out to the network and I am seeing hits against the VIP with the authentication requests being passed
on to the real RADIUS hosts. So far so good, nothing unusual about that setup.
The issue I have is that the RADIUS hosts provide both the authentication and accounting services on the same
platform, both of which are on non-standard ports. To clarify:
RADIUS Authentications are on port 3001
RADIUS Accounting is on port 3002
The issue I have is that RADIUS authentication and accounting requests hit the VIP address on the standard
RADIUS ports of:
RADIUS Authentications are on port 1812
RADIUS Accounting is on port 1813
Given the fact I am using a single VIP to handle both authentications and accounting, how can I ensure that
the ACE passes on authentication requests to the real servers on port 3001 and accounting requests on port
Under the server farm configuration you only appear to be able to tell the ACE to talk to the real server on
a single port.
My question then is: is using static port re-direction (DNAT?) on the ACE an option to achieve this, bearing
in mind I am running the ACE in one arm mode? I have tried to configure this with no joy so far.
I know the easy answers are to have a separate VIP for accounting or to use standard ports on the real servers,
but the reason for not doing this is out of my control!
Below is the current basic setup I have running (I have changed the real IPs, etc.). Please assume clients are
using addresses in the 220.127.116.11 range for any feedback.
Any advice on this would be appreciated.
access-list IN line 8 extended permit udp any host 18.104.22.168 eq radius
access-list IN line 16 extended permit udp any host 22.214.171.124 eq radius-acct
probe radius RADIUS-AUTH-PROBE
  description RADIUS Probe
  passdetect interval 30
  credentials test abc123 secret mysecret
rserver host RADIUS-SVR-1
  description Real RADIUS server
  ip address 192.168.1.10
serverfarm host RADIUS-SVR-FARM
  description RADIUS Serverfarm
  predictor leastconns slowstart 60
  rserver RADIUS-SVR-1 3001
class-map match-all RADIUS-CMAP
  description Match RADIUS Traffic
  2 match virtual-address 126.96.36.199 any
policy-map type loadbalance first-match RADIUS-PMAP
  description Loadbalance RADIUS requests to Serverfarm RADIUS-SVR-FARM
policy-map multi-match RADIUS-SERVPOL
  description Direct RADIUS requests to SLB policy RADIUS-PMAP
  loadbalance vip inservice
  loadbalance policy RADIUS-PMAP
  loadbalance vip icmp-reply
  loadbalance vip advertise active
  loadbalance vip advertise metric 2
interface vlan 10
  description LAN to MSFC
  ip address 192.168.2.1 255.255.255.0
  access-group input IN
  service-policy input RADIUS-SERVPOL
  ip route inject vlan 10
ip route 0.0.0.0 0.0.0.0 192.168.2.254