
RADIUS "routing" to different access server


Hi guys,

I'm new to NetScaler (currently I'm using an F5 balancer) and I need to do a test before considering a switch. I'm using an iRule on my F5 to redirect RADIUS access/accounting requests to a different server than the default, based on Username and Framed-IP-Address. I'm trying to understand how to replicate this on the NetScaler.

Essentially I've created:

- A Content Switching virtual server (where I will route all RADIUS traffic)

- Under AppExpert, a "String Map" composed this way:

   username (numerical) -- RADIUS access server (that will give a specific IP pool)

- An action under CS called "CATCH USERNAME" that gets only the first part of the username (because I have this syntax: BLABLABLA@OTHER, and I need just the first part); this action has this expression:

   CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).MAP_STRING("IMEI_TEST_LIST")

   As I understand it, this expression should get the first part of the username, look the string up in the string map IMEI_TEST_LIST and give me the appropriate entry (in my case the RADIUS AAA server that should receive this packet).

Now I don't understand how to create a policy that essentially:

- Gets all access traffic and forwards it to a default pool, with a policy on it so that when it catches a username inside the string map it sends the packet to a RADIUS server other than the default.

The same approach should also be done for the accounting packets, but this time based on the assigned IP address.

Can you help me or give me some hints?








So you need to have a cs vserver and a default lb vserver bound to it.

Then have a cs policy that checks whether that username is in that string map and content switches you to a different lb vserver.

Something like this:

add cs vserver cs-test TCP 1812 -stateupdate ENABLED -cltTimeout 180 -caseSensitive OFF

bind cs vserver cs-test -policyName cs_CATCH_USERNAME -targetLBVserver lb-another-radius -priority 5
bind cs vserver cs-test -lbvserver lb-default

Each lb vserver should have the services/servers that you want.

You can also take a look at this (but it uses a responder policy):





But I'm missing one thing:

I need to set up lb-another-radius based on the string map. Is it possible? Because with F5 I select the node dynamically using the iRule and a DataGroup.

This is an example of the "IMEI_TEST_LIST" string map:

username1 :=

username2 :=

I want the CS, when it catches username1 in a RADIUS Access packet, to redirect this packet to the server, and so on (based on the string map).






First, I never used string maps. In your case, if you want to match only the first part, I don't think you need string maps.

You could have a cs policy for every match you want and direct the request to a different lb vserver.

I've used pattern sets. But if you only match 1 username per policy you don't need them.

You would have a policy like this:

add cs policy cs_test_pol -rule "CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).EQ(\"username1\")"

bind cs vserver cs-test -policyName cs_test_pol -targetLBVserver lb-another-radius -priority 5

You could have many policies and lb vservers like this, each one for a different string/username.

If there is no match it will go to the default lb:

bind cs vserver cs-test -lbvserver lb-default








You could have a pattern set with those 100 entries then, if they should be directed to the same server.

add policy patset radius_dataset

bind policy patset radius_dataset "username1" -index 10

bind policy patset radius_dataset "username2" -index 20

I never used string maps. But as far as I can see it is based on key and value.

You could try something like this:


add lb vserver lb_vs_one tcp
add lb vserver lb_vs_two tcp
add lb vserver lb_vs_three tcp

add policy stringmap IMEI_TEST_LIST
bind policy stringmap IMEI_TEST_LIST "username1" lb_vs_one
bind policy stringmap IMEI_TEST_LIST "username2" lb_vs_two
bind policy stringmap IMEI_TEST_LIST "username3" lb_vs_three



bind cs vserver cs-test -policyName cs_CATCH_USERNAME  -priority 5




I started this example last week and never posted it as I got busy. See if this helps.

You can't load balance via a string map. But you can put lb vserver names in the string map and let content switching switch based on an expression-based action which identifies the lb vserver name to switch to.

If you use your map with the keys being the username and the values being the name of the lb vserver for RADIUS to use as a destination, then you could use the cs expression-based actions. (You can also tweak the map to contain the RADIUS server and we can parse it into the lb vserver name.)

In this case the "lb vservers" point to a single RADIUS server.

# for the moment, lumping authe/accounting together

add service svc_radius1_authe x.x.x.1 radius *

add service svc_radius2_authe x.x.x.2 radius *


add lb vserver lb_vsrv_radius1 radius 0

bind lb vserver lb_vsrv_radius1 svc_radius1_authe


add lb vserver lb_vsrv_radius2 radius 0

bind lb vserver lb_vsrv_radius2 svc_radius2_authe


add cs vserver cs_vsrv_radius radius <VIP1> *


add policy stringmap map_radiususers

bind policy stringmap map_radiususers "user1" "lb_vsrv_radius1"

bind policy stringmap map_radiususers "user2" "lb_vsrv_radius2"


# the cs action type using the expression identifies the vserver name to direct traffic to.

add cs action cs_act_sendto_radius_bymap  -targetVserverExpr "CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).MAP_STRING(\"map_radiususers\")"

# therefore if you give it a username, it should output the corresponding vserver.

Then create the cs policy and bind it to the cs vserver.

Other ways, if you don't want to use the action to include the vserver name: have different maps for users for different RADIUS server banks.

policy1 would then point to map1 with the user group for the first RADIUS server

policy2 would then point to map2 with the user groups for the second RADIUS server

And you could have different cs policies trigger based on whether your user account was in the map as a key or not.

(This way you could still send groups to a specific RADIUS server.)









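The thread's routing rule, for both the Access-Request case (switch on the realm-stripped User-Name through a string map, as in the cs action with MAP_STRING above) and the Accounting-Request case the original poster asked about (switch on Framed-IP-Address), modelled as an added Python example so the mapping can be checked offline before it is put into NetScaler policy. This is not code from the thread or from Citrix: the map contents, the lb vserver names, the subnet-based IP map and the default name are assumptions, the NetScaler does the parsing natively, and the sample packets are constructed here with a zeroed Authenticator.

```python
import ipaddress
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2866).
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8

# Assumed stand-ins for the two NetScaler string maps: the thread shows the
# username map; the subnet map for accounting is an assumption of this example.
USER_MAP = {"user1": "lb_vsrv_radius1", "user2": "lb_vsrv_radius2"}
IP_MAP = {"10.1.0.0/24": "lb_vsrv_radius1", "10.2.0.0/24": "lb_vsrv_radius2"}
DEFAULT_LB = "lb-default"   # the bind ... -lbvserver default from the thread


def parse_radius(packet: bytes) -> tuple[int, dict[int, bytes]]:
    """Return (code, {attr_type: value}) for one RADIUS packet.

    Raises ValueError on a short header, a bad Length field, or an attribute
    whose length byte is < 2 or runs past the packet (the usual malformed
    cases a parser must refuse rather than read out of bounds).
    A repeated attribute type keeps the last value seen.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs: dict[int, bytes] = {}
    pos = 20                                  # skip code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs


def strip_realm(username: str) -> str:
    # Equivalent of USERNAME.BEFORE_REGEX(re#@#): keep what precedes the first '@'.
    return username.split("@", 1)[0]


def select_target(packet: bytes) -> str:
    """Name of the lb vserver the cs vserver would switch this packet to."""
    code, attrs = parse_radius(packet)
    if code == ACCESS_REQUEST:
        raw = attrs.get(ATTR_USER_NAME)
        if raw is None:
            return DEFAULT_LB
        key = strip_realm(raw.decode("utf-8", errors="replace"))
        return USER_MAP.get(key, DEFAULT_LB)  # exact-key lookup, like MAP_STRING
    if code == ACCOUNTING_REQUEST:
        raw = attrs.get(ATTR_FRAMED_IP_ADDRESS)
        if raw is None or len(raw) != 4:
            return DEFAULT_LB
        ip = ipaddress.IPv4Address(raw)
        for net, target in IP_MAP.items():
            if ip in ipaddress.IPv4Network(net):
                return target
        return DEFAULT_LB
    return DEFAULT_LB                         # other codes take the default path


def build_packet(code: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Constructed test input: a RADIUS packet with id 1 and a zeroed Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    samples = [
        build_packet(ACCESS_REQUEST, [(ATTR_USER_NAME, b"user1@OTHER")]),
        build_packet(ACCESS_REQUEST, [(ATTR_USER_NAME, b"nobody@OTHER")]),
        build_packet(ACCOUNTING_REQUEST, [(ATTR_FRAMED_IP_ADDRESS, bytes([10, 2, 0, 7]))]),
    ]
    for pkt in samples:
        print(select_target(pkt))
```

The lookup is exact-key, as a NetScaler string map is, so a username with no "@" still works (the whole string is the key), but a key that differs in case from the map entry falls through to the default; the parser's length checks are the part worth keeping if this logic is ever moved off the appliance.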

