
RADIUS "routing" to different access server



Hi guys,

 

I'm new to NetScaler (currently I'm using an F5 balancer) and I need to do a test before considering a switch. I'm using an iRule on my F5 to redirect RADIUS access/accounting requests to a different server than the default, based on Username and Framed-IP-Address. I'm trying to understand how to replicate this on the NetScaler.

 

Essentially I've created:

 

- A Content Switching Virtual Server (where I will route all RADIUS traffic)

- Under AppExpert, a "String Map" that is composed in this way:

   username(numerical) -- RADIUS access server (that will give a specific IP pool)

- An action under CS called "CATCH USERNAME" that gets only the first part of the username (because I have this syntax: BLABLABLA@OTHER, and I need just the first part). This action has this expression:

   CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).MAP_STRING("IMEI_TEST_LIST"), which, as I've understood it, should get the first part of the username, look the string up in the string map IMEI_TEST_LIST and give me the appropriate entry (in my case the RADIUS AAA server that should receive this packet)

 

Now I don't understand how to create a policy that essentially:

 

- Gets all access traffic and forwards it to a default pool, with a policy on it so that when a username is found in the string map the packet is sent to a RADIUS server other than the default

 

The same approach should also be used for the accounting packets, but this time based on the assigned IP address.

 

Can you help me or give me some hints?

 

Thanks!

 

 


Hi!

 

So you need to have a cs vserver and a default lb vserver bound to it.

Then have a cs policy that checks whether that username is in that string map and content switches you to a different lb vserver.

 

Something like this:

 

add cs vserver cs-test RADIUS 2.2.2.2 1812 -stateupdate ENABLED -cltTimeout 180 -caseSensitive OFF

add cs policy cs_CATCH_USERNAME -rule "CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).IS_STRINGMAP_KEY(\"IMEI_TEST_LIST\")"
bind cs vserver cs-test -policyName cs_CATCH_USERNAME -targetLBVserver lb-another-radius -priority 5
bind cs vserver cs-test -lbvserver lb-default

 

Each lb vserver should have the services/servers that you want.

 

You can also take a look at this (but it is using a responder policy):

https://docs.citrix.com/en-us/netscaler/12/appexpert/string-maps.html

 

 


But I'm missing one thing:

 

I need to set up lb-another-radius based on the string map. Is it possible? Because with F5 I select the node dynamically using the iRule and a DataGroup.

 

This is an example of the "IMEI_TEST_LIST" string map:

 

username1 := 10.0.1.1

username2 := 10.0.1.2

 

I want the CS, when it finds username1 in a RADIUS Access-Request, to redirect this packet to server 10.0.1.1, and so on (based on the string map).

 

Thanks!

Hi!

 

First, I have never used string maps. In your case, if you want to match only the first part, I don't think you need string maps.

You could have a cs policy for every match you want and direct the request to a different lb vserver.

I've used pattern sets. But if you only match 1 username per policy you don't need them.

 

 

You would have a policy like this:

 

add cs policy cs_test_pol -rule "CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).EQ(\"username1\")"

bind cs vserver cs-test -policyName cs_test_pol -targetLBVserver lb-another-radius -priority 5

 

You could have many policies and lb vservers like this, each one for a different string/username.

 

 

If there is no match it will go to the default lb:

 

bind cs vserver cs-test -lbvserver lb-default


You could have a pattern set with those 100 entries then, if they should be directed to the same server.

 

 

add policy patset radius_dataset

bind policy patset radius_dataset  "username1" -index 10

bind policy patset radius_dataset  "username2" -index 20

.....

 

I never used string maps. But as far as I can see it is based on key and value.

You could try something like this:

 


# target lb vservers must be of type RADIUS to be switched to from a RADIUS cs vserver
add lb vserver lb_vs_one RADIUS
add lb vserver lb_vs_two RADIUS
add lb vserver lb_vs_three RADIUS


# string map: key = username (before the @), value = lb vserver name
add policy stringmap IMEI_TEST_LIST
bind policy stringmap IMEI_TEST_LIST "username1" lb_vs_one
bind policy stringmap IMEI_TEST_LIST "username2" lb_vs_two
bind policy stringmap IMEI_TEST_LIST "username3" lb_vs_three


# the action resolves the target vserver name from the map; the policy only fires when the key exists
add cs action cs_act_CATCH_USERNAME -targetVserverExpr 'CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).MAP_STRING("IMEI_TEST_LIST")'
add cs policy cs_pol_CATCH_USERNAME -rule 'CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).IS_STRINGMAP_KEY("IMEI_TEST_LIST")' -action cs_act_CATCH_USERNAME

 

bind cs vserver cs-test -policyName cs_pol_CATCH_USERNAME -priority 5

 

 


I started this example last week and never posted it as I got busy. See if this helps.

 

You can't load balance via a string map. But you can put lb vserver names in the string map and let content switching switch based on an expression-based action which identifies the lb vserver name to switch to.

 

If you use your map with the keys being the username and the values being the name of the lb vserver for RADIUS to use as a destination, then

you could use the cs expression-based actions. (You can also tweak the map to contain the RADIUS server and we can parse it into the lb vserver name.)

 

In this case the "lb vservers" point to a single radius server.

# for the moment, lumping authe/accounting together

add service svc_radius1_authe x.x.x.1 radius *

add service svc_radius2_authe x.x.x.2 radius *

 

add lb vserver lb_vsrv_radius1 radius 0.0.0.0 0

bind lb vserver lb_vsrv_radius1 svc_radius1_authe

 

add lb vserver lb_vsrv_radius2 radius 0.0.0.0 0

bind lb vserver lb_vsrv_radius2 svc_radius2_authe

 

add cs vserver cs_vsrv_radius radius <VIP1> *

 

add policy stringmap map_radiususers

bind policy stringmap map_radiususers "user1" "lb_vsrv_radius1"

bind policy stringmap map_radiususers "user2" "lb_vsrv_radius2"

 

# the cs action type using the expression identifies the vserver name to direct traffic to.

add cs action cs_act_sendto_radius_bymap  -targetVserverExpr "CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).MAP_STRING(\"map_radiususers\")"

# therefore if you give it a username, it should output the corresponding vserver.

 

Then create the cs policy and bind it to the cs vserver.

 

 

Other ways, if you don't want to use the action to include the vserver name: have different maps for users for different RADIUS server banks.

policy1 would then point to map1 with the user group for the first RADIUS server

policy2 would then point to map2 with the user groups for the second RADIUS server

And you could have different cs policies trigger based on whether your user account was in the map as a key or not.

(This way you could still send groups to a specific RADIUS server.)

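The replies above show the NetScaler side of the switch but not what the expressions actually operate on, and nobody addressed the accounting half of the question (switching on Framed-IP-Address). The following is an added example, not code from any post in this thread and not NetScaler code: it parses a RADIUS datagram as laid out in RFC 2865/2866, applies the same username-before-@ lookup that `CLIENT.UDP.RADIUS.USERNAME.BEFORE_REGEX(re#@#).MAP_STRING(...)` performs, does the equivalent lookup on Framed-IP-Address for Accounting-Requests, and emits the `add/bind policy stringmap` commands from a dict the way one would migrate an F5 DataGroup. The lb vserver names, the map contents, the IP pools and the test packets are all constructed for the example.

```python
import struct
import ipaddress

ACCESS_REQUEST = 1          # RADIUS Code values (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1          # User-Name attribute type
ATTR_FRAMED_IP_ADDRESS = 8  # Framed-IP-Address attribute type

# Constructed stand-in for the thread's string map: key -> lb vserver name.
# The vserver names are hypothetical, in the style used by the replies.
USER_MAP = {"username1": "lb_vsrv_radius1", "username2": "lb_vsrv_radius2"}
# For accounting the poster wants to switch on the assigned address; each
# RADIUS server hands out its own pool, modelled here as one prefix per server.
IP_MAP = {
    ipaddress.ip_network("10.0.1.0/24"): "lb_vsrv_radius1",
    ipaddress.ip_network("10.0.2.0/24"): "lb_vsrv_radius2",
}
DEFAULT_LB = "lb-default"   # the default lb vserver bound to the cs vserver


def parse_radius(packet: bytes):
    """Parse a RADIUS datagram into (code, {attr_type: [value, ...]}).

    Length and attribute bounds are checked so a malformed or truncated
    packet is rejected instead of being routed on garbage fields.
    """
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs = {}
    pos = 20                      # attributes follow the 16-byte Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute Length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def is_well_formed(packet: bytes) -> bool:
    """True if the packet parses cleanly; a cs vserver should drop the rest."""
    try:
        parse_radius(packet)
        return True
    except ValueError:
        return False


def username_before_realm(user_name: bytes) -> str:
    """Same split as BEFORE_REGEX(re#@#): keep the part before the first '@'."""
    return user_name.decode("utf-8", "replace").split("@", 1)[0]


def choose_lb_vserver(packet: bytes) -> str:
    """Return the lb vserver the cs vserver would switch this packet to."""
    code, attrs = parse_radius(packet)
    if code == ACCESS_REQUEST and ATTR_USER_NAME in attrs:
        key = username_before_realm(attrs[ATTR_USER_NAME][0])
        return USER_MAP.get(key, DEFAULT_LB)    # MAP_STRING, else default lb
    if code == ACCOUNTING_REQUEST and ATTR_FRAMED_IP_ADDRESS in attrs:
        raw = attrs[ATTR_FRAMED_IP_ADDRESS][0]
        if len(raw) == 4:                       # must be exactly an IPv4 address
            addr = ipaddress.ip_address(raw)
            for net, lb in IP_MAP.items():
                if addr in net:
                    return lb
    return DEFAULT_LB                           # no match: default lb vserver


def build_radius(code: int, attrs) -> bytes:
    """Build a constructed test packet (Identifier 1, Authenticator zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


def stringmap_commands(map_name: str, mapping: dict) -> list:
    """Emit the NetScaler string-map commands the replies use, from a dict
    (the equivalent of loading an F5 DataGroup into a string map)."""
    lines = [f"add policy stringmap {map_name}"]
    lines += [f'bind policy stringmap {map_name} "{k}" "{v}"'
              for k, v in mapping.items()]
    return lines


if __name__ == "__main__":
    pkt = build_radius(ACCESS_REQUEST, [(ATTR_USER_NAME, b"username2@OTHER")])
    print(choose_lb_vserver(pkt))
    print("\n".join(stringmap_commands("map_radiususers", USER_MAP)))
```

The accounting branch keys on a prefix rather than a single address because the original question describes each RADIUS server handing out its own IP pool; on the NetScaler the equivalent check would be written against `CLIENT.UDP.RADIUS.ATTR_TYPE(8)` in the cs policy, with one policy per pool or a string map keyed on the pool. The bounds checks in `parse_radius` matter on a listener that sits in front of RADIUS: a packet whose Length or attribute lengths disagree with the datagram should fall through to rejection, not be switched on a partially parsed User-Name.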

Archived

This topic is now archived and is closed to further replies.
