ACE - Port re-direction for RADIUS authentication and accounting SLB?

Unanswered Question
Nov 21st, 2008

Hi, I currently have an ACE module running in one arm mode which I am trying to setup to service

RADIUS requests. As such I have configured the RADIUS probe on the ACE and the VIP address is being advertised

out to the network and I am seeing hits against the VIP with the authentciation requests being passed

onto the real RADIUS hosts. So far so good nothing unusual about that setup.

The issue I have is that the RADIUS hosts provide both the authentiaction and accounting services on the same

platform both ofwhich are on none standard ports. To clarify:

RADIUS Authentications are on port 3001

RADIUS Accounting is on port 3002

The issue I have is that RADIUS authentication and accounting requests hit the VIP address on the standard

RADIUS ports of:

RADIUS Authentications are on port 1812

RADIUS Accounting is on port 1813

Given the fact I am using a single VIP to handle both authentications and accounting how can i ensure that

the ACE passes on authentication requests to the real servers on port 3001 and accounting requests on port

3002?

Under the server farm configuration you only appear to be able to tell the ACE to talk to the real server on

a single port.

My question then is; is using static port re-direction (DNAT?) on the ACE an option to achieve this bearing?

in mind i am running the ACE in one arm mode? I have tried to configure this with no joy so far?

I know the easy answers are to have a seperate VIP for accounting or to use standard ports on the real servers

but the reason for not doing this is out of my control!

Below is the current basic setup I have running (I have changed the real IPs, etc), please assume client are

using addresses in the 2.2.2.2 range for any feddback.

Any advice on this would be appreciated.

Thanks

ACE Confg....

access-list IN line 8 extended permit udp any host 1.1.1.1 eq radius

access-list IN line 16 extended permit udp any host 1.1.1.1 eq radius-acct

probe radius RADIUS-AUTH-PROBE

description RADIUS Probe

port 3001

interval 10

passdetect interval 30

credentials test abc123 secret mysecret

rserver host RADIUS-SVR-1

description Real RADIUS server

ip address 192.168.1.10

inservice

serverfarm host RADIUS-SVR-FARM

description RADIUS Serverfarm

failaction purge

predictor leastconns slowstart 60

probe RADIUS-AUTH-PROBE

rserver RADIUS-SVR-1 3001

inservice

class-map match-all RADIUS-CMAP

description Match RADIUS Traffic

2 match virtual-address 1.1.1.1 any

policy-map type loadbalance first-match RADIUS-PMAP

description Loadbalance RADIUS requests to Serverfarm RADIUS-SVR-FARM

class class-default

serverfarm RADIUS-SVR-FARM

policy-map multi-match RADIUS-SERVPOL

description Direct RADIUS requests to SLB policy RADIUS-PMAP

class RADIUS-CMAP

loadbalance vip inservice

loadbalance policy RADIUS-PMAP

loadbalance vip icmp-reply

loadbalance vip advertise active

loadbalance vip advertise metric 2

interface vlan 10

description LAN to MSFC

ip address 192.168.2.1 255.255.255.0

mtu 1500

access-group input IN

service-policy input RADIUS-SERVPOL

no shutdown

ip route inject vlan 10

ip route 0.0.0.0 0.0.0.0 192.168.2.254

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Syed Iftekhar Ahmed Fri, 11/21/2008 - 12:04

Use seperate serverfarms & Policies for two type of traffic. For e.g

serverfarm host RADIUS-SVR-FARM-AUTH

description RADIUS AUTH Serverfarm

failaction purge

probe RADIUS-AUTH-PROBE

rserver RADIUS-SVR-1 3001

inservice

serverfarm host RADIUS-SVR-FARM-ACCT

description RADIUS AUTH Serverfarm

failaction purge

probe RADIUS-ACCT-PROBE

rserver RADIUS-SVR-1 3002

inservice

class-map match-all RADIUS-CMAP-AUTH

description Match RADIUS-AUTH Traffic

2 match virtual-address 1.1.1.1 tcp 1812

class-map match-all RADIUS-CMAP-ACCT

description Match RADIUS-ACCT Traffic

2 match virtual-address 1.1.1.1 tcp 1813

policy-map type loadbalance first-match RADIUS-PMAP-AUTH

description Loadbalance RADIUS-AUTH requests to Serverfarm RADIUS-SVR-FARM-AUTH

class class-default

serverfarm RADIUS-SVR-FARM-AUTH

policy-map type loadbalance first-match RADIUS-PMAP-ACCT

description Loadbalance RADIUS-ACCT requests to Serverfarm RADIUS-SVR-FARM-ACCT

class class-default

serverfarm RADIUS-SVR-FARM-ACCT

policy-map multi-match RADIUS-SERVPOL

description Direct RADIUS requests to SLB policy RADIUS-PMAP

class RADIUS-CMAP-AUTH

loadbalance vip inservice

loadbalance policy RADIUS-PMAP-AUTH

loadbalance vip icmp-reply

class RADIUS-CMAP-ACCT

loadbalance vip inservice

loadbalance policy RADIUS-PMAP-ACCT

loadbalance vip icmp-reply

Syed Iftekhar Ahmed

Actions

This Discussion