Product Documentation

Configuring RADIUS Load Balancing with Persistence

Aug 31, 2016

Today’s complex networking environment often requires coordinating a high-volume, high-capacity load balancing configuration with robust authentication and authorization. Application users may connect to a VPN through mobile access points such as consumer-grade DSL or Cable connections, WiFi, or even dial-up nodes. Those connections usually use dynamic IPs, which can change during the connection.

If you configure RADIUS load balancing on the NetScaler appliance to support persistent client connections to RADIUS authentication servers, the appliance uses the user logon or the specified RADIUS attribute instead of the client IP as the session ID, directing all connections and records associated with that user session to the same RADIUS server. Users are therefore able to log on to your VPN from mobile access locations without experiencing disconnections when the client IP or WiFi access point changes.

To configure RADIUS load balancing with persistence, you must first configure RADIUS authentication for your VPN. For information and instructions, see the Authentication, Authorization, Auditing (AAA) chapter in AAA Application Traffic. You must also choose either the Load Balancing or Content Switching feature as the basis for your configuration, and make sure that the feature you chose is enabled. The configuration process with either feature is almost the same.

Then, you configure either two load balancing, or two content switching, virtual servers, one to handle RADIUS authentication traffic and the other to handle RADIUS accounting traffic. Next, you configure two services, one for each load balancing virtual server, and bind each load balancing virtual server to its service. Finally, you create a load balancing persistency group and set the persistency type to RULE.

Enabling the Load Balancing or Content Switching Feature

To use the Load Balancing or Content Switching feature, you must first ensure that the feature is enabled. If you are configuring a new NetScaler appliance that has not previously been configured, both of these features are already enabled, so you can skip to the next section. If you are configuring a NetScaler appliance with a previous configuration on it, and you are not certain that the feature you will use is enabled, you must do that now.

Configuring Virtual Servers

After enabling the load balancing or content switching feature, you must next configure two virtual servers to support RADIUS authentication:

  • RADIUS authentication virtual server. This virtual server and its associated service will handle authentication traffic to your RADIUS server. Authentication traffic consists of connections associated with users logging onto your protected application or virtual private network (VPN).
  • RADIUS accounting virtual server. This virtual server and its associated service will handle accounting connections to your RADIUS server. Accounting traffic consists of connections that track an authenticated user’s activities on your protected application or VPN.
Important: You must create either a pair of load balancing virtual servers or a pair of content switching virtual servers to use in your RADIUS persistence configuration. You cannot mix virtual server types.

To configure a load balancing virtual server by using the command line interface

At the command prompt type the following commands to create a new load balancing virtual server and verify the configuration:

  • add lb vserver <name> RADIUS <IP address> <port> -lbmethod TOKEN -rule <rule>
  • show lb vserver <name>

To configure an existing load balancing virtual server, replace the above add lb virtual server command with the set lb vserver command, which takes the same arguments.

To configure a content switching virtual server by using the command line interface

At the command prompt type the following commands to create a new content switching virtual server and verify the configuration:

  • add cs vserver <name> RADIUS <IP address> <port> -lbmethod TOKEN -rule <rule>
  • show cs vserver <name>

To configure an existing content switching virtual server, replace the above add cs vserver command with the set cs vserver command, which takes the same arguments.

Example

 
add lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME 
add lb vserver radius_acct_vs1 RADIUS 192.168.46.34 1813 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME 
set lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME 
set lb vserver radius_auth_vs1 RADIUS 192.168.46.34 1813 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME 

To configure a load balancing or content switching virtual server by using the configuration utility

Navigate to Traffic Management > Load Balancing > Virtual Servers or navigate to Traffic Management > Content Switching > Virtual Servers>>, and configure a virtual server.

Configuring Services

After configuring your virtual servers, you must next configure two services, one for each of the virtual servers that you created. For instructions, see Configuring Services.

Note: Once configured, these services are in the DISABLED state until the NetScaler appliance can connect to your RADIUS server’s authentication and accounting IPs and monitor their status.

Binding Virtual Servers to Services

After configuring your services, you must next bind each of the virtual servers that you created to the appropriate service. For instructions, see Binding Services to the Virtual Server.

Configuring a Persistency Group for Radius

After binding your load balancing virtual servers to the corresponding services, you must set up your RADIUS load balancing configuration to support persistence. To do so, you configure a load balancing persistency group that contains your RADIUS load balancing virtual servers and services, and configure that load balancing persistency group to use rule-based persistence. For instructions, see Configuring Persistence Groups.