
Radius Authentication HA



The radius lb vserver can be a non-public facing vip.

 

You can load balance your radius servers: 1 lb vserver for radius with two services to avoid single points of failure.  Or you can do an active/passive config with a backup lb vserver.

 

Example 1: lb two services...

Quick basic radius load balancing with 2 or more active services:

add service svc_rad1 <ip1> radius 1812

add service svc_rad2 <ip2> radius 1812

add lb vserver lb_vsrv_rad radius <VIP1> 1812 -lbmethod token 'radius.req.username' -persistencetype 'radius.req.username' -persistencetimeout 2

bind lb vserver lb_vsrv_rad svc_rad1

bind lb vserver lb_vsrv_rad svc_rad2

 

 

Example 2:  lb vserver with backup lb vserver.

Or you can use an lb vserver with one active service and a backup vserver with the second radius service that is only used if the primary is down.

add service svc_rad1 <ip1> radius 1812

add service svc_rad2 <ip2> radius 1812

add lb vserver lb_vsrv_rad_primary radius <VIP1> 1812 -lbmethod token 'radius.req.username' -persistencetype 'radius.req.username' -persistencetimeout 2

add lb vserver lb_vsrv_rad_backup radius    # NOTE this one can be non-addressable with no vip specified

# Create backup vserver:

bind lb vserver lb_vsrv_rad_backup svc_rad2

 

# Bind service to primary vserver and set backup vserver; backup vservers and their services are only in use when the current vserver/service is in a down state.

bind lb vserver lb_vsrv_rad_primary svc_rad1

set lb vserver lb_vsrv_rad_primary -backupvserver lb_vsrv_rad_backup

 

In this second example all traffic to lb_vsrv_rad_primary on VIP1:1812 will go to svc_rad1 only until it is down, and then traffic going to lb_vsrv_rad_primary will be handled by the designated backup vserver lb_vsrv_rad_backup and its service svc_rad2.

 

 

 

 


On 8/16/2022 at 7:47 PM, Rhonda Rowland1709152125 said:

The radius lb vserver can be a non-public facing vip.

 

[...]

My one question would be: once this is set up, how do I bind this authentication type to my virtual server under Citrix Gateway? I still use the GUI at this time. Currently I added Radius under Basic Authentication.

 

I did get the following error when trying to create the lb virtual server. 

 

 add lb vserver lb_vsrv_rad radius 10.110.6.85 1814 -lbmethod token 'radius.req.username' -persistencetype 'radius.req.username' -persistencetimeout 2
                                                                                                            ^^^^^^^^^^^^^^^^^^^
ERROR: Invalid argument value [radius.req.username]

 


1) Gateway authentication policies either use classic authentication policies only OR Advanced authentication policies by integrating with an authentication vserver.

The ldap authentication policy can be classic if binding to the gateway directly.

An advanced ldap authentication policy can only be bound to an authentication vserver and then you integrate the gateway with the authentication vserver.

 

 

2) However, the lb vserver used by the authentication policy can be either based on classic or advanced engine regardless unless you have a really old build.

Either I flubbed the syntax and it's just wrong or you are on an older build and the legacy syntax is needed. (UPDATE: I flubbed the advanced expression.)

(Point being, the lb method should support the advanced syntax regardless of gateway, but older firmware may not support this exact one.)

 

Correct expression:

So proper ADV syntax for lb vserver token/persistence is:  RADIUS.REQ.USER_NAME  (with an underscore)

Legacy ADV would be:  client.UDP.RADIUS.USERNAME

 

And again, the authentication policy can point to a load balancing vserver using the advanced engine expressions even if the gateway is still classic engine.

Getting the authentication policy expression from classic to advanced requires an authentication vserver. But that isn't necessarily the issue with load balancing above.

 

Hopefully this fixes the lb now.
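
The load-balancing commands from this thread with the corrected expression applied, as an added example that is not from any poster or from Citrix. It assumes the NetScaler CLI layout `-lbMethod TOKEN -rule <expression>` together with `-persistenceType RULE -timeout <minutes>`, which should be checked against the build in use; `<ip1>`, `<ip2>` and `<VIP1>` are the thread's placeholders, and Examples 1 and 2 are alternatives, not meant to be applied together.

```netscaler
# Added example, not from the thread's posters. Placeholders: <ip1>, <ip2>, <VIP1>.
# Assumed parameter layout: -lbMethod TOKEN -rule <expr> -persistenceType RULE -timeout <min>.

# Services: name, IP, service type, port.
add service svc_rad1 <ip1> RADIUS 1812
add service svc_rad2 <ip2> RADIUS 1812

# --- Example 1: both services active ---
# Token method and persistence both key on the RADIUS User-Name attribute,
# so every packet of one user's exchange reaches the same RADIUS server.
add lb vserver lb_vsrv_rad RADIUS <VIP1> 1812 -lbMethod TOKEN -rule "RADIUS.REQ.USER_NAME" -persistenceType RULE -timeout 2
bind lb vserver lb_vsrv_rad svc_rad1
bind lb vserver lb_vsrv_rad svc_rad2

# --- Example 2: primary vserver with a backup vserver ---
# The backup vserver is non-addressable (no VIP) and only takes traffic
# when the primary vserver is down.
add lb vserver lb_vsrv_rad_backup RADIUS
bind lb vserver lb_vsrv_rad_backup svc_rad2
add lb vserver lb_vsrv_rad_primary RADIUS <VIP1> 1812 -lbMethod TOKEN -rule "RADIUS.REQ.USER_NAME" -persistenceType RULE -timeout 2
bind lb vserver lb_vsrv_rad_primary svc_rad1
set lb vserver lb_vsrv_rad_primary -backupVServer lb_vsrv_rad_backup

# On older firmware the thread's legacy expression would replace the rule:
#   -rule "client.UDP.RADIUS.USERNAME"

# Confirm state, bound services and the backup vserver setting.
show lb vserver lb_vsrv_rad_primary
```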

 
