CSS11501 one arm configuration for CSACS Radius Authentication traffic

Nov 6th, 2009

Is it possible to deploy the CSS11501 in a one-arm design to load-balance the RADIUS authentication traffic across CSACS servers, which is on UDP port 1645 or 1812? Is it required to configure NAT or not? If yes, how can I define the shared secret in the CSS? Also, tell me how to configure the keepalive for UDP traffic in this scenario, other than the default ICMP keepalive.

Gilles Dufour (Cisco Employee) Mon, 11/09/2009 - 03:03

1/ There is no UDP probe.

2/ If you want to load-balance RADIUS traffic, you don't need to define RADIUS on the CSS... we will just treat the traffic as UDP flows.

3/ If you are in one-armed mode, you need to find a way to guarantee that response traffic goes back to the CSS... client-NAT is usually the easiest solution, but then the destination sees connections from a single source... another option is policy-based routing.


AdnanShahid Tue, 06/28/2011 - 09:07

Hi Gilles,

I am having the same issue in one of my cases (with authentication done by servers for the clients). Can you send me any documents on the CSS load balancer doing this policy-based routing, or can you share any idea of how I can achieve this? Client-NAT is not suited to our environment. It would be very helpful if you could share some docs or ideas with me.



