Before starting configuring any Radius-related settings on your Netscaler, make sure the following is already done:
- Add your Netscaler SNIP (Subnet IP) as Radius client
(This need to be done if you are hiding the Radius servers behind a load balancing or a Content switch virtual server due the traffic is sourced from the subnet IP on the Netscaler)
Note! If you are configuring your Radius authentication vServer using a direct connection to a radius server, meaning, without any type of load balancing in front, the traffic will flow through the Netscaler IP (NSIP instead) - To determine the health of your load balanced radius servers, we need to configure a proper monitor on our Netscaler that shows the actual state of the radius server functionality.
To do this we need to define a radius user with static credentials (this will be configured on the monitor as well). Make sure this user don’t have any token assigned, we rather assign a static passcode to it. When you create the radius user make sure to use it to logon to the RSA console once, because you’ll be prompted to change the password during first logon. - Let’s suppose we have two radius servers to configure:
Radius Server 1: radius01.smali.net (192.168.5.50)
Radius Server 2: radius02.smali.net (192.168.5.51)
Configuration on Netscaler via CLI
1. Logon to your Netscaler, navigate to (Traffic Management – Load Balancing – Servers) and add both servers…
2. Create the Radius monitor by navigating to (Traffic Management – Load Balancing – Monitors)
Enter the name of the monitor and change type to “Radius”. Make sure the response time-out have a higher value the 2 seconds. Use 4 to be sure due the response that Netscaler receives from the Radius servers could take longer time then 2 seconds in some cases.
On Special Parameters enter the User name and password of the Radius user you already defined on your RSA. In Response codes field, beside “2”, you may want to add “3”, which indicates “failure”. You’ll need the Radius key as well… and hit “Create”
3. Create a load balancing service group (Traffic Management – Load Balancing – Service Groups)
Enter a name and Radius as Protocol and hit “OK”
Bind your radius servers as Service Group members and the monitor we just created..
4. Now it’s time to create a Load Balancing virtual server that will be used as the radius authentication server on our Netscaler…
Navigate to (Traffic Management – Load Balancing – Virtual Servers) and click add…
Enter a name, protocol as “Radius”, the IP of the Load Balancing VIP and the used port (typically 1812 or 1645)
Bind the service group we just created on previous step
Add “Method” as “TOKEN” with the following expression UDP.RADIUS.USERNAME
(If you are using Netscaler firmware 12 and above use the following expression: CLIENT.UDP.RADIUS.USERNAME
Add “Persistence” as “RULE”, and in the Expression field type: CLIENT.UDP.RADIUS.USERNAME (if it is not filled in automatically)
and leave the Response expressen empty
Hit “Done” and that should be it.