
Strange issue with Radius Servers


Roy Smith


Hi

 

I have a VPX cluster running NS12.1 49.37NC. I am setting up Radius authentication servers and have a strange issue, which I'm hoping someone can help with.

 

I have configured 2 Radius Authentication servers, Server1 and Server2, under Authentication --> Basic Policies --> RADIUS. They are both on different subnets, as they are located at different sites. From VPX, I can ping both servers, so connectivity is there. When I do a Test Connection for Server1, it is successful but Server2 is not. I see both requests being received by both radius servers, so the request gets through fine. 

 

Now the strange thing is, if I failover VPX, both Radius test connections fail. If I fail back, it works as above, i.e. Server1 succeeds but Server2 fails. So, if VPX Node 0 is the Configuration Coordinator, Server1 succeeds but if VPX node 1 is the coordinator it fails. What is going on? 

 

While it is possible that I have an issue with Server 2, which I am investigating, why does Server1 only work via one VPX node?

 

I have gone through the network configuration, routing, IPs and Vlans and cannot see anything out of the ordinary. 

 

Any help would be much appreciated.

 

Thanks

Roy


If you have specified the Radius servers directly in your Radius Actions on Netscaler, then Netscaler will use the NSIP as the source IP when sending Radius traffic to the servers. If you have specified the IP of a LB vServer in your Radius Action, then Netscaler will use a SNIP as the source IP.

 

My guess is that you're not using a LB vServer and you have only specified the NSIP of Netscaler node #1 in your internal firewall and/or in the radius configuration on your radius servers. When you failover to Netscaler node #2, a different NSIP is used.


All I'm trying to do at the moment is get the direct connection to the 2 radius servers set up and working from the cluster. I don't have a LB vserver set up for them yet. The radius server is configured with 2 radius clients, 1 for each NSIP. I have reset and recreated the radius keys and clients several times, ensuring the keys are identical, with no success. 


You can run https://www.nirsoft.net/utils/smsniff.html (packet sniffer) on your radius server and see if there are any incoming requests to the radius server on port 1812. If you see requests from VPX node 1 (the one that doesn't work), then your firewall is allowing the traffic and you need to check the radius logs on the radius server itself (wrong secret key or source IP, perhaps).

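The two checks the replies above point at, whether the request's source IP is a registered RADIUS client (one client per NSIP, since a directly addressed RADIUS action is sourced from the NSIP and the NSIP changes on failover) and whether the shared secret matches, as an added Python example. This is not code from the original posts or from NetScaler: it builds an Access-Request the way a NAS does (RFC 2865 User-Password hiding, RFC 2869 Message-Authenticator) and evaluates it the way a RADIUS server does. The IPs, user name and secrets are made up, and the client table is a stand-in for the two RADIUS clients the poster configured.

```python
"""Offline model of how a RADIUS server judges an Access-Request (added example).

Two failure modes from the thread: source IP not in the RADIUS client table
(the NSIP of the other cluster node) and a shared-secret mismatch.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

# Hypothetical client table: both NSIPs must be present, because a RADIUS action
# that names the server directly is sourced from whichever node's NSIP is active.
CLIENTS = {
    "10.1.0.10": b"S3cr3t-shared",  # NSIP of node 0 (made up)
    "10.1.0.11": b"S3cr3t-shared",  # NSIP of node 1 (made up)
}


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def _password_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored  # the chain always uses the ciphertext block
    return out


def encrypt_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_blocks(padded, secret, authenticator, decrypt=False)


def decrypt_password(ciphertext, secret, authenticator):
    return _password_blocks(ciphertext, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, authenticator=None, with_ma=True):
    """Client side: the datagram a NAS (here the NetScaler) sends to UDP/1812."""
    auth = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, encrypt_password(password, secret, auth))
    if with_ma:
        attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, kept as last attribute
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
    if with_ma:
        # RFC 2869 s5.14: HMAC-MD5 over the whole packet with the attribute value zeroed
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse(pkt):
    """Return (code, id, authenticator, [(type, value, offset)]); raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen], pos))
        pos += alen
    return code, ident, pkt[4:20], attrs


def check_request(src_ip, pkt, clients=CLIENTS):
    """Server side: (True, cleartext password) or (False, reason the server would log)."""
    if src_ip not in clients:
        return False, f"unknown RADIUS client {src_ip}: request silently dropped"
    secret = clients[src_ip]
    code, _, auth, attrs = parse(pkt)
    if code != ACCESS_REQUEST:
        return False, f"unexpected code {code}"
    by_type = {a: (v, off) for a, v, off in attrs}
    if MESSAGE_AUTHENTICATOR in by_type:
        val, off = by_type[MESSAGE_AUTHENTICATOR]
        zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
        if not hmac.compare_digest(val, hmac.new(secret, zeroed, hashlib.md5).digest()):
            return False, "invalid Message-Authenticator: shared secret is incorrect"
    if USER_PASSWORD not in by_type:
        return False, "no User-Password attribute"
    clear = decrypt_password(by_type[USER_PASSWORD][0], secret, auth)
    text = clear.decode("ascii", errors="replace")
    if not text or not text.isascii() or not text.isprintable():
        # Without Message-Authenticator a wrong secret only shows up as an unreadable
        # password, so the server records a failed login for the user, not a secret error.
        return False, "User-Password does not decrypt to text: secret mismatch or corrupt packet"
    return True, text


if __name__ == "__main__":
    fixed_auth = bytes(range(16))  # fixed Request Authenticator so the run is reproducible
    good = build_access_request(7, CLIENTS["10.1.0.10"], b"roy", b"Passw0rd!", fixed_auth)
    print(check_request("10.1.0.10", good))  # node 0 NSIP: accepted
    print(check_request("10.1.0.11", good))  # node 1 NSIP, same secret: accepted
    print(check_request("10.1.2.3", good))   # SNIP or unregistered node: dropped
    bad = build_access_request(8, b"wrong-secret", b"roy", b"Passw0rd!", fixed_auth)
    print(check_request("10.1.0.10", bad))   # caught by Message-Authenticator
    bad_no_ma = build_access_request(9, b"wrong-secret", b"roy", b"Passw0rd!", fixed_auth, with_ma=False)
    print(check_request("10.1.0.10", bad_no_ma))  # only visible as an undecipherable password
```

Run it as a script to see the five cases. The third case is the failover symptom: the same valid packet from an address that is not in the client table gets no answer at all, which is why a sniffer on the server is the right first check. The last case is the caveat for the log review: a request without Message-Authenticator gives the server no way to distinguish a wrong shared secret from a wrong password, so a "bad password" entry in the RADIUS log can still be a secret problem.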

I'm afraid I never have a lot of success with aaad.debug.

 

Running cat /tmp/aaad.debug gives me nothing. All I see are lines with "timer firing" repeating every 10 secs or so.

 

Fri Jan 31 16:01:26 2020
 /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[684]: main 0-0: timer 2 firing...
Fri Jan 31 16:01:36 2020
 /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[684]: main 0-0: timer 1 firing...
Fri Jan 31 16:01:36 2020
 /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[684]: main 0-0: timer 2 firing...
Fri Jan 31 16:01:46 2020
 /home/build/rs_121_49_14_RTM/usr.src/netscaler/aaad/naaad.c[684]: main 0-0: timer 2 firing...
Fri Jan 31 16:01:56 2020
 

 

There are no messages when I do the "Test connection". The only time I see anything when running cat aaad.debug is when I log in to the Netscaler GUI with an AD account. Even when I do a test connection for the LDAP servers, I see nothing, even though those tests are fine. 


