
Radius server authentication through CA API Gateway

  • 1.  Radius server authentication through CA API Gateway

    Posted 08-10-2018 11:13 AM


    I have a situation here,

    One of my policies uses the "Authenticate Against Radius Server" assertion and it is configured with one of the IPs of the Radius server and it works as expected. The issue is, when this Radius server is deployed in a cluster form with a load balancer (BigIP) in place, how do we achieve it?


    1. Is there a way to configure the LB IP with the existing Radius server assertion (not sure if this works)?

    2. Is there any inbuilt load balancing option in the actual Radius server?

    3. Is it a good option to route to the LB with user creds and let the LB pass on the params to the Radius server?


    I would like to have a standard & secure way to achieve this.




  • 2.  Re: Radius server authentication through CA API Gateway

    Posted 08-10-2018 08:54 PM

    Hi Prashanth,


    I'm not sure if I understand the issue. It sounds like it works as expected but you're curious how it would work when a load balancer is in the picture, right? I would first think that your RADIUS server admin and/or network team member would know what backend value you should use, which you could then add to the assertion. DNS and your network's routing tables should generally take care of the rest from there, I believe.


    But if that's not the case, please clarify where the load balancer is in the workflow you're trying to get working, and we'll try to help as best we can. Also, has this been tried already and you're running into issues, or is this more of a pre-emptive kind of question? Of course if it's more a pre-emptive question rather than tried already, we can try to work with what we've got but if we can still confirm what the workflow is looking like, I think it would help paint the best picture of the environment for us to further troubleshoot or guide you.


    To answer one of your questions though:


    1. The RADIUS server would be third-party to the Gateway, so I'm not sure any of us (except other community members who also run a RADIUS server) would be able to speak to that too well in terms of if there are any built-in load balancing options.


    Knowing just what's been asked and the data added, I think I'd still recommend starting by engaging your RADIUS server admin or network team members to provide you with the "VIP Name" or something to that effect where your requests would be routed through the load balancer to the RADIUS server. I'm guessing if you used it already, it was hitting the RADIUS server directly – and now I think you just need to find out what the name of the host is that the load balancers use to front the RADIUS server.


    Hopefully I've understood correctly. If not, definitely feel free to clarify/correct me. 

  • 3.  Re: Radius server authentication through CA API Gateway

    Posted 08-13-2018 11:02 AM

    Hi Dustin,


    Thanks for the brief explanation. I have tried to explain what I am trying to do in the PIC below. All I need to know is what parameter values go in when the F5 LB is in between the API Gateway and the Radius server (for Host, Secret, Auth Port, Authenticator Protocol in the "Authenticate Against Radius Server" assertion).






  • 4.  Re: Radius server authentication through CA API Gateway
    Best Answer

    Posted 08-13-2018 08:34 PM

    Hi Prashanth,


    Thank you for the screenshot and image, that makes things much easier to understand. With that said though, I still believe that ultimately the answers will need to come from your own internal team members. I say this because your F5 load balancer would typically just be forwarding on the request. So each load balancer kind of has a frontend and a backend. Think of the frontend as the end receiving the traffic from the Gateway, and the backend as the one outputting that data to the RADIUS server, with the load balancer quite likely doing some port translations in between.


    In such a case, you'd have to set the assertion in the Gateway as follows:


    • Host will be whatever your VIP is on the frontend of your F5 load balancer which fronts the RADIUS servers
    • I believe that Secret remains the same as you have it set now
    • Auth Port will then be whatever port your F5 load balancer is accepting traffic on on behalf of the backend. Typically this is also the same port as the backend uses, so you may not need to change anything. But if it is in fact different (and only your F5 admins can tell you that), then you'd need to make sure the Auth Port value matches that of whatever the port is on your F5 load balancer for traffic to your RADIUS server
    • Everything else is the same as you had it earlier.


    So to recap:


    • When changing from direct RADIUS connection to one that goes through the F5 load balancer, you can pretty much keep everything as-is, just likely needing to change the Host and Auth Port respectively, but only your own F5/network team will have the answers as to which values you'd include for your environment.


    I hope the above helps.
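
    An added example, not part of the original post and not CA API Gateway code: a minimal RFC 2865 client for checking a Host / Auth Port / Secret combination (for example the F5 VIP) before putting the values into the assertion. It assumes the PAP authenticator protocol; the function names, the `gateway` NAS-Identifier and any host, port or credential passed to `probe` are hypothetical.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([kind, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, request_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(1, user)                                             # User-Name
             + attr(2, hide_password(password, secret, request_auth))  # User-Password
             + attr(32, b"gateway"))                 # NAS-Identifier (constructed)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def verify_reply(reply, request_auth, secret, ident):
    """Return the reply code if the Response Authenticator checks out, else None."""
    if len(reply) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def probe(host, port, user, password, secret, timeout=3.0):
    """Send one Access-Request to host:port (the values meant for Host and Auth Port)."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_access_request(user, password, secret, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    return verify_reply(reply, request_auth, secret, ident)
```

    `probe` returns 2 (Access-Accept) or 3 (Access-Reject) when the reply is authentic under the given secret, and `None` when it is not. Under RFC 2865 a server silently discards requests from a client it holds no shared secret for, so a `socket.timeout` through the VIP when the direct address answers is worth raising with the RADIUS admin as a client-entry question.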

  • 5.  Re: Radius server authentication through CA API Gateway

    Posted 08-14-2018 10:55 AM

    Thank you. That explains all.

  • 6.  Re: Radius server authentication through CA API Gateway

    Posted 08-12-2018 09:18 PM

    Generally speaking, any clustering should be transparent, and the client should only need the LB IP.