Product documentation
Citrix ADC
Current Release 13.0 12.1 11.1
View PDF

Configure RADIUS load balancing with persistence

September 14, 2021
反对tributed by:
S C

Today’s complex networking environment often requires coordinating a high-volume, high-capacity load balancing configuration with robust authentication and authorization. Application users might connect to a VPN through mobile access points such as consumer-grade DSL or Cable connections, WiFi, or even dial-up nodes. Those connections usually use dynamic IPs, which can change during the connection.

If you configure RADIUS load balancing on the Citrix ADC appliance to support persistent client connections to RADIUS authentication servers, the appliance uses the user logon or the specified RADIUS attribute instead of the client IP as the session ID, directing all connections and records associated with that user session to the same RADIUS server. Users are therefore able to log on to your VPN from mobile access locations without experiencing disconnections when the client IP or WiFi access point changes.

To configure RADIUS load balancing with persistence, you must first configure RADIUS authentication for your VPN. For information and instructions, see the Authentication, Authorization, Auditing (AAA) chapter inAAA Application Traffic. Also choose either the Load Balancing or Content Switching feature as the basis for your configuration, and make sure that the feature you chose is enabled. The configuration process with either feature is almost the same.

Then, you configure either two load balancing, or two content switching, virtual servers, one to handle RADIUS authentication traffic and the other to handle RADIUS accounting traffic. Next, you configure two services, one for each load balancing virtual server, and bind each load balancing virtual server to its service. Finally, you create a load balancing persistency group and set the persistency type to RULE.

Enabling the Load Balancing or Content Switching Feature

To use the Load Balancing or Content Switching feature, you must first ensure that the feature is enabled. If you are configuring a new Citrix ADC appliance that has not previously been configured, both of these features are already enabled, so you can skip to the next section. If you are configuring a Citrix ADC appliance with a previous configuration on it, and you are not certain that the feature you use is enabled, you must do that now.

Configuring Virtual Servers

After enabling the load balancing or content switching feature, you must next configure two virtual servers to support RADIUS authentication:

  • RADIUS authentication virtual server.This virtual server and its associated service handles authentication traffic to your RADIUS server. Authentication traffic consists of connections associated with users logging onto your protected application or virtual private network (VPN).
  • RADIUS accounting virtual server.This virtual server and its associated service handles accounting connections to your RADIUS server. Accounting traffic consists of connections that track an authenticated user’s activities on your protected application or VPN.

Important:您必须创建两个负载平衡virtual servers or a pair of content switching virtual servers to use in your RADIUS persistence configuration. You cannot mix virtual server types.

To configure a load balancing virtual server by using the command line interface

At the command prompt type the following commands to create a load balancing virtual server and verify the configuration:

add lb vserver  RADIUS   -lbmethod TOKEN -rule  show lb vserver

To configure an existing load balancing virtual server, replace the precedingadd lb virtual servercommand with theset lb vservercommand, which takes the same arguments.

To configure a content switching virtual server by using the command line interface

At the command prompt type the following commands to create a content switching virtual server and verify the configuration:

add cs vserver  RADIUS   -lbmethod TOKEN -rule  show cs vserver

To configure an existing content switching virtual server, replace the precedingadd cs vservercommand with theset cs vservercommand, which takes the same arguments.

Example:

add lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME add lb vserver radius_acct_vs1 RADIUS 192.168.46.34 1813 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME set lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME set lb vserver radius_auth_vs1 RADIUS 192.168.46.34 1813 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME

To configure a load balancing or content switching virtual server by using the configuration utility

Navigate toTraffic Management > Load Balancing > Virtual Serversor navigate toTraffic Management > Content Switching > Virtual Servers», and configure a virtual server.

Configuring Services

After configuring your virtual servers, you must next configure two services, one for each of the virtual servers that you created.

Note: Once configured, these services are in the DISABLED state until the Citrix ADC appliance can connect to your RADIUS server’s authentication and accounting IPs and monitor their status. For instructions, seeConfiguring Services.

Binding Virtual Servers to Services

After configuring your services, you must next bind each of the virtual servers that you created to the appropriate service.For instructions, seeBinding Services to the Virtual Server.

Configuring a Persistency Group for Radius

在绑定你的负载均衡虚拟服务器to the corresponding services, you must set up your RADIUS load balancing configuration to support persistence. To do so, you configure a load balancing persistency group that contains your RADIUS load balancing virtual servers and services, and configure that load balancing persistency group to use rule-based persistence. A persistency group is required because the authentication and accounting virtual servers are different and both the authentication & accounting message for a single user should reach the same RADIUS server. Persistency group enables to use the same session for both virtual servers. For instructions, seeConfiguring Persistence Groups.

Configuring RADIUS Shared Secret

From release 12.0, a Citrix ADC appliance supports RADIUS shared secret. A RADIUS client and server communicate with each other by using a shared secret that is configured on the client and on the server. Transactions between a RADIUS client and server are authenticated by using a shared secret. This secret is also used to encrypt some of the information in the RADIUS packet.

RADIUS shared secret key validation scenarios

The validation of theRADIUS shared secretkey happens in the following scenarios:

  • RADIUS shared secret key is configured for both the radius client and the radius server:The Citrix ADC appliance uses the RADIUS secret key for both the client side and the server side. If the verification succeeds, the appliance allows the RADIUS message to go through. Otherwise, it drops the RADIUS message.
  • RADIUS shared secret key is not configured for either the radius client or the radius server:The Citrix ADC appliance drops the RADIUS message, because shared-secret-key validation cannot be performed on a node that has no radkey configured.
  • RADIUS shared secret key is not configured for both the RADIUS client and the RADIUS server:The Citrix ADC appliance bypasses the RADIUS secret key validation and allows the RADIUS messages to go through.

You can configure a default RADIUS shared secret or configure on a per client or a subnet basis. It is recommended to add a RADIUS shared secret key for all deployments with RADIUS policy configured. The appliance uses the source IP address of the RADIUS packet to decide which shared secret to use. You might configure a RADIUS client and server and the corresponding shared secret as follows:

At the CLI prompt, type:

add radiusNode  -radKey

Arguments

IPaddress

IP address or subnet of the RADIUS client in CIDR format. The appliance uses the source IP address of an incoming request packet to match the client IP address. Instead of configuring a client IP address, you can configure the client network address. Longest prefix is matched to identify the shared secret for an incoming client request.

Radkey

Shared secret between the client, Citrix ADC appliance, and the server. Maximum length: 31.

add lb vserver radius_auth_vs1 RADIUS 192.168.46.33 1812 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME add lb vserver radius_acct_vs1 RADIUS 192.168.46.34 1813 -lbmethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME add service radius_auth_service1 192.168.41.68 RADIUS 1812 add service radius_acct_service1 192.168.41.70 RADIUS 1813 bind lb vserver radius_auth_vs1 radius_auth_service1 bind lb vserver radius_acct_vs1 radius_acct_service[1-3] add radiusNode 192.168.41.0/24 -radKey serverkey123 add radiusNode 203.0.113.0/24 -radkey clientkey123

A shared secret must be configured both for a RADIUS client and server. The command is the same. The subnet determines whether the shared secret is for a client or for a server.

例如,如果是客户指定的子网ubnet, the shared secret is for the client. If the subnet specified is a server subnet (192.168.41.0/24 in the earlier example), the shared secret is for the server.

A subnet of 0.0.0.0/0 implies that it is the default shared secret for all clients and servers.

Note:

Only the PAP and CHAP authentication methods are supported with RADIUS shared secret.

Configure RADIUS load balancing with persistence
September 14, 2021
反对tributed by:
S C
September 14, 2021
反对tributed by:
S C

In this article

Site feedback | Privacy and legal terms | Cookie preferences | 反对sent settings
© 1999-Citrix Systems, Inc. All rights reserved.