I have a situation here,
One of my policies uses the "Authenticate Against Radius Server" assertion. It is configured with one of the IPs of the Radius server and it works as expected. The issue is, when this Radius server is deployed in a cluster with a load balancer (BigIP) in place, how do we achieve it?
1. Is there a way to configure LB IP with the existing Radius server assertion (Not sure if this works)?
2. Is there any inbuilt load balancing option in the actual Radius server?
3. Is it a good option to Route to LB with user creds and let LB pass on the params to Radius server ?
I would like to have a standard & secure way to achieve this.
I'm not sure if I understand the issue. It sounds like it works as expected but you're curious how it would work when a load balancer is in the picture, right? I would first think that your RADIUS server admin and/or network team member would know what backend value you should use, which you could then add to the assertion. DNS and your network's routing tables should generally take care of the rest from there, I believe.
But if that's not the case, please clarify where the load balancer is in the workflow you're trying to get working, and we'll try to help as best we can. Also, has this been tried already and you're running into issues, or is this more of a pre-emptive kind of question? Of course if it's more a pre-emptive question rather than tried already, we can try to work with what we've got but if we can still confirm what the workflow is looking like, I think it would help paint the best picture of the environment for us to further troubleshoot or guide you.
To answer one of your questions though:
Knowing just what's been asked and the data added, I think I'd still recommend starting by engaging your RADIUS server admin or network team members to provide you with the "VIP Name" or something to that effect where your requests would be routed through the load balancer to the RADIUS server. I'm guessing if you used it already, it was hitting the RADIUS server directly – and now I think you just need to find out what the name of the host is that the load balancers use to front the RADIUS server.
Hopefully I've understood correctly. If not, definitely feel free to clarify/correct me.
Thanks for the brief explanation. I have tried to explain what I am trying to do in the picture below. All I need to know is what parameter values go in when the F5 LB is in between the API Gateway and the Radius server (for Host, Secret, Auth Port and Authenticator Protocol in the "Authenticate Against Radius Server" assertion).
Thank you for the screenshot and image, that makes things much easier to understand. With that said though, I still believe that ultimately the answers will need to come from your own internal team members. I say this because your F5 load balancer would typically just be forwarding on the request. So each load balancer kind of has a frontend and a backend. Think of the frontend as the end receiving the traffic from the Gateway, and the backend as the one outputting that data to the RADIUS server, with the load balancer quite likely doing some port translations in between.
In such a case, you'd have to set the assertion in the Gateway as follows:
So to recap:
I hope the above helps.
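To make the "the load balancer just forwards the request" point concrete, here is an added example (not part of this thread and not the Gateway's or F5's own code) of what the assertion's RADIUS client actually puts on the wire. It assumes the Authenticator Protocol is PAP, and the host, port, shared secret, user name and NAS-Identifier are constructed placeholders. The Access-Request packet is identical whether it is addressed to the LB frontend VIP or to a RADIUS node directly; only the UDP destination changes. What does have to line up is the shared secret: the RADIUS server checks it against the client it sees the request arriving from, and a mismatch surfaces not as a clean Access-Reject but as an invalid Message-Authenticator on the server side or an invalid Response Authenticator on the Gateway side, which the check functions below detect.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types (RFC 2865, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def pap_decrypt(encrypted, secret, authenticator):
    """Inverse of pap_encrypt; this is what the RADIUS server does with the shared secret it holds."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out, prev = out + bytes(c ^ d for c, d in zip(block, digest)), block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_id, authenticator=None):
    """Build an Access-Request with a Message-Authenticator (HMAC-MD5 over the packet, RFC 3579 3.2)."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs) + len(placeholder)) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attribute(ATTR_MESSAGE_AUTHENTICATOR, mac)


def check_message_authenticator(request, secret):
    """Server-side check: recompute the HMAC with the attribute zeroed; fails when secrets differ."""
    pos, end = 20, len(request)
    while pos + 2 <= end:
        attr_type, length = request[pos], request[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = request[:pos + 2] + b"\x00" * 16 + request[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(request[pos + 2:pos + 18], expected)
        pos += length
    return False


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What the server sends back: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client-side check of the Response Authenticator; returns (valid, code)."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False, code
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(response[4:20], expected), code


def authenticate(host, port, secret, username, password, nas_id="api-gateway-test"):
    """Send one request to host:port (LB VIP or RADIUS node, the packet is the same) and verify the reply."""
    request = build_access_request(os.urandom(1)[0], secret, username, password, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3.0)
        sock.sendto(request, (host, port))
        response, _ = sock.recvfrom(4096)
    valid, code = verify_response(response, request, secret)
    if not valid:
        return "invalid response authenticator (shared secret mismatch or altered reply)"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code-%d" % code)


if __name__ == "__main__":
    # Offline round trip with constructed values: Gateway builds, "server" checks and answers.
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    req = build_access_request(7, secret, "alice", "s3cret-pw", "gateway-test", authenticator=auth)
    print("server accepts HMAC:", check_message_authenticator(req, secret))
    print("server with other secret:", check_message_authenticator(req, b"other-secret"))
    print("client verifies reply:", verify_response(build_response(ACCESS_ACCEPT, 7, auth, secret), req, secret))
```

Pointing `authenticate()` at the VIP and at one backend node with the same secret is a quick way to confirm the F5 is forwarding RADIUS transparently: both should return "accept" for a valid test account, and an "invalid response authenticator" result on the VIP path alone means the secret the RADIUS server holds for the address it sees (which may be the load balancer's rather than the Gateway's) does not match the one in the assertion. Note that apart from the MD5-obfuscated password, the whole exchange travels in clear text over UDP, which is why the placement of the LB and RADIUS hosts on the network matters as much as the values in the assertion.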
Thank you. That explains all.
Generally speaking, any clustering should be transparent, and the client should only need the LB IP.