Configure RADIUS load balancing with persistence

Today’s complex networking environment often requires coordinating a high-volume, high-capacity load balancing configuration with robust authentication and authorization. Application users may connect to a VPN through mobile access points such as consumer-grade DSL or Cable connections, WiFi, or even dial-up nodes. Those connections usually use dynamic IPs, which can change during the connection.

If you configure RADIUS load balancing on the NetScaler appliance to support persistent client connections to RADIUS authentication servers, the appliance uses the user logon or the specified RADIUS attribute instead of the client IP as the session ID, directing all connections and records associated with that user session to the same RADIUS server. Users are therefore able to log on to your VPN from mobile access locations without experiencing disconnections when the client IP or WiFi access point changes.

To configure RADIUS load balancing with persistence, you must first configure RADIUS authentication for your VPN. For information and instructions, see the Authentication, Authorization, Auditing (AAA) chapter in AAA Application Traffic. You must also choose either the Load Balancing or Content Switching feature as the basis for your configuration, and make sure that the feature you chose is enabled. The configuration process with either feature is almost the same.

Then, you configure either two load balancing, or two content switching, virtual servers, one to handle RADIUS authentication traffic and the other to handle RADIUS accounting traffic. Next, you configure two services, one for each load balancing virtual server, and bind each load balancing virtual server to its service. Finally, you create a load balancing persistency group and set the persistency type to RULE.

To configure RADIUS load balancing with persistence, see the following sections:

Enabling the Load Balancing or Content Switching Feature

To use the Load Balancing or Content Switching feature, you must first ensure that the feature is enabled. If you are configuring a new NetScaler appliance that has not previously been configured, both of these features are already enabled, so you can skip to the next section. If you are configuring a NetScaler appliance with a previous configuration on it, and you are not certain that the feature you will use is enabled, you must do that now.

Configuring Virtual Servers

After enabling the load balancing or content switching feature, you must next configure two virtual servers to support RADIUS authentication:

  • RADIUS authentication virtual server. This virtual server and its associated service will handle authentication traffic to your RADIUS server. Authentication traffic consists of connections associated with users logging onto your protected application or virtual private network (VPN).
  • RADIUS accounting virtual server. This virtual server and its associated service will handle accounting connections to your RADIUS server. Accounting traffic consists of connections that track an authenticated user’s activities on your protected application or VPN.

Important: You must create either a pair of load balancing virtual servers or a pair of content switching virtual servers to use in your RADIUS persistence configuration. You cannot mix virtual server types.

To configure a load balancing virtual server by using the command line interface

At the command prompt type the following commands to create a new load balancing virtual server and verify the configuration:

add lb vserver <name> RADIUS <IP address> <port> -lbmethod TOKEN -rule <rule>

show lb vserver <name>

To configure an existing load balancing virtual server, replace the above add lb virtual server command with the set lb vserver command, which takes the same arguments.

To configure a content switching virtual server by using the command line interface

At the command prompt type the following commands to create a new content switching virtual server and verify the configuration:

add cs vserver <name> RADIUS <IP address> <port> -lbmethod TOKEN -rule <rule>

show cs vserver <name>

To configure an existing content switching virtual server, replace the above add cs vserver command with the set cs vserver command, which takes the same arguments.

Example:

add lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME

add lb vserver radius_acct_vs1 RADIUS 192.168.46.34 1813 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME

set lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME

set lb vserver radius_auth_vs1 RADIUS 192.168.46.34 1813 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME

To configure a load balancing or content switching virtual server by using the configuration utility

Navigate to Traffic Management > Load Balancing > Virtual Servers or navigate to Traffic Management > Content Switching > Virtual Servers», and configure a virtual server.

Configuring Services

After configuring your virtual servers, you must next configure two services, one for each of the virtual servers that you created.

Note: Once configured, these services are in the DISABLED state until the NetScaler appliance can connect to your RADIUS server’s authentication and accounting IPs and monitor their status. For instructions, see Configuring Services.

Binding Virtual Servers to Services

After configuring your services, you must next bind each of the virtual servers that you created to the appropriate service.For instructions, see Binding Services to the Virtual Server.

Configuring a Persistency Group for Radius

After binding your load balancing virtual servers to the corresponding services, you must set up your RADIUS load balancing configuration to support persistence. To do so, you configure a load balancing persistency group that contains your RADIUS load balancing virtual servers and services, and configure that load balancing persistency group to use rule-based persistence. A persistency group is required because the authentication and accounting virtual servers are different and both the authentication & accounting message for a single user should reach the same RADIUS server. By configuring a persistency group, the same session is used for both virtual servers. For instructions, see Configuring Persistence Groups.

Configuring RADIUS Shared Secret

From release 12.0, a NetScaler appliance supports RADIUS shared secret. A RADIUS client and server communicate with each other by using a shared secret that is configured on the client and on the server. Transactions between a RADIUS client and server are authenticated through the use of a shared secret. This secret is also used to encrypt some of the information in the RADIUS packet.

RADIUS shared secret key validation scenarios

The validation of the RADIUS shared secret key happens in the following scenarios:

  • RADIUS shared secret key is configured for both the radius client and the radius server: The NetScaler appliance uses the RADIUS secret key for both the client side and the server side. If the verification succeeds, the appliance allows the RADIUS message to go through. Otherwise, it drops the RADIUS message.
  • RADIUS shared secret key is not configured for either the radius client or the radius server: The NetScaler appliance drops the RADIUS message, because shared-secret-key validation cannot be performed on a node that has no radkey configured.
  • RADIUS shared secret key is not configured for both the RADIUS client and the RADIUS server: The NetScaler appliance bypasses the RADIUS secret key validation and allows the RADIUS messages to go through.

You can configure a default RADIUS shared secret or configure on a per client or a subnet basis. It is recommended to add a RADIUS shared secret key for all deployments with RADIUS policy configured. The appliance uses the source IP address of the RADIUS packet to decide which shared secret to use. You may configure a RADIUS client and server and the corresponding shared secret as follows:

At the CLI prompt, type:

add radiusNode <clientPrefix/Subnet> -radKey <Shared_secret_key>

Arguments

IPaddress

        IP address or subnet of the RADIUS client in CIDR format. The appliance uses the source IP address of an incoming request packet to match the client IP address. Instead of configuring a client IP address, you can configure the client network address. Longest prefix is matched to identify the shared secret for an incoming client request.

Radkey

Shared secret between the client, NetScaler appliance, and the server. Maximum length: 31.

add lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME

add lb vserver radius_acct_vs1 RADIUS 192.168.46.34 1813 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME

add service radius_auth_service1 192.168.41.68 RADIUS 1812

add service radius_acct_service1 192.168.41.70 RADIUS 1813

bind lb vserver radius_auth_vs1 radius_auth_service1

bind lb vserver radius_acct_vs1 radius_acct_service[1-3]

add radiusNode 192.168.41.0/24 -radKey  serverkey123

add radiusNode 203.0.113.0/24 -radkey clientkey123

A shared secret must be configured both for a RADIUS client and server. The command is the same. The subnet determines whether the shared secret is for a client or for a server.

For example, if the subnet specified is a client subnet, the shared secret is for the client. If the subnet specified is a server subnet (192.168.41.0/24 in the above example), the shared secret is for the server.

A subnet of 0.0.0.0/0 implies that it is the default shared secret for all clients and servers.

Note

Only the PAP and CHAP authentication methods are supported with RADIUS shared secret.