[RADIATOR] F5 and Radius - Load Balancing Not Working

Ernst Oudhof e.oudhof at mailfrom.nl
Fri Jul 24 14:53:46 CDT 2015 

Roberto,

 

I wrote the following iRule some time ago to loadbalance based on
calling-station-id. It loadbalances based on a hash of the
calling-station-id so it doesn't require a state table on the F5. It works
fine with wired and wireless auth since the calling-station-id is the
mac-address of the client in these cases.

 

when CLIENT_ACCEPTED {

    set calling_station_id [RADIUS::avp 31 "string"]

    #log local0. "Radius type: [RADIUS::code] Calling-station-id:
$calling_station_id"

    if { $calling_station_id != "" } {

        set pool [LB::server pool]

        binary scan [md5 $calling_station_id] w1 hash

        set picked [lindex [active_members -list $pool] [expr $hash %
[active_members $pool]]]

        pool $pool member [lindex $picked 0]

        #log local0. "pool $pool member [lindex $picked 0] selected"

    }

    else {

        log local0. "no calling-station-id in radius packet"

    }

}

 

 

Regards,

 

Ernst

From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On
Behalf Of Ullfig, Roberto Alfredo
Sent: vrijdag 24 juli 2015 14:54
To: radiator at open.com.au
Subject: Re: [RADIATOR] F5 and Radius - Load Balancing Not Working

 

It appears to be acting like this because we are using mschapv2. Has anyone
gotten an F5 to properly load balance packets when using mschapv2? It would
appear that we need to create special irules to split the packets.

 

From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On
Behalf Of Ullfig, Roberto Alfredo
Sent: Thursday, July 23, 2015 1:41 PM
To: radiator at open.com.au
Subject: [RADIATOR] F5 and Radius - Load Balancing Not Working

 

We've configured our F5 per their documentation. We are testing with one
WISM and seeing all the connections go to one Radius server in the pool (10
servers). Rarely, a different server is chosen. The F5 shows "connections"
being evenly distributed but I don't know what "connections" means because
the number of Radius authentications is much greater (170 connections vs
thousands of radius connections from over 1200 different users). It seems
like the F5 is creating a tunnel and the WISM is just sending everything
through it. We've contacted F5 support but were wondering if this could be
an issue with the WISM. Has anyone seen this before? Thanks!

 

---

Roberto Ullfig - rullfig at uic.edu

ACCC Research Programmer

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20150724/50321741/attachment.html

More information about the radiator mailing list