free radius behind a load balancer?
Nathan Ward
lists+freeradius at daork.net
Thu Jan 14 22:27:12 CET 2021
> On 15/01/2021, at 5:25 AM, Coy Hile <coy.hile at coyhile.com> wrote:
>
>> On Jan 14, 2021, at 10:45 AM, Joseph Nordone via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> Yes, free-radius works great behind load-balancers. We have multiple clusters behind f5 load balancers. I would look at setting up a two-arm load balancer so that the originating IP address of the client is presented to the radius server. Outside of that, it won’t modify or change any attribute of the packet itself.
>>
>
> How do you mean? What specific things did you have to do for that to happen? (What I’ve seen is the NATed IP come through as the Packet-Src-IP-Address, rather than the machine from whence I was testing.)

Packet-Src-IP-Address is the source IP of the packet as received by the RADIUS server - F5 (or other LB) doesn’t insert that, it’s not like X-Forwarded-For in HTTP land.

You can disable SNAT in the F5 config to avoid that - the F5 has to be in the IP return path for that traffic from the client though - usually that means it’s the default gateway but of course there are more complicated environments where that’s not the case :-)

--
Nathan Ward
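
Added example, not part of the original thread and not FreeRADIUS code: a small parser showing that the source address lives in the IP header while the RADIUS payload passes through the load balancer unchanged, so the same Access-Request looks different to the server only in its source. The addresses are constructed documentation-range values, and the use of the RFC 2865 NAS-IP-Address attribute (type 4) as a comparison point is an assumption of this sketch.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RFC 2865 attribute type

def build_access_request(nas_ip: str, ident: int = 1) -> bytes:
    """Constructed sample: minimal Access-Request carrying only NAS-IP-Address."""
    attr = struct.pack("!BB4s", NAS_IP_ADDRESS, 6, ipaddress.IPv4Address(nas_ip).packed)
    return struct.pack("!BBH16s", 1, ident, 20 + len(attr), bytes(16)) + attr

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [values]} from a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def classify(packet: bytes, src_ip: str, lb_ips: set) -> str:
    """Compare the IP-header source (what the server sees) with NAS-IP-Address.

    NAS-IP-Address is self-reported by the NAS: a diagnostic hint, not an identity.
    """
    values = parse_attributes(packet).get(NAS_IP_ADDRESS, [])
    nas_ip = str(ipaddress.IPv4Address(values[0])) if values and len(values[0]) == 4 else None
    if src_ip in lb_ips:
        return f"snat: source is the load balancer, NAS-IP-Address={nas_ip}"
    if nas_ip == src_ip:
        return "no-snat: source matches NAS-IP-Address"
    return f"mismatch: source={src_ip}, NAS-IP-Address={nas_ip}"

if __name__ == "__main__":
    lb = {"198.51.100.5"}                    # constructed load balancer self IP
    pkt = build_access_request("192.0.2.10")  # constructed NAS address
    print(classify(pkt, "198.51.100.5", lb))  # same bytes, SNAT enabled
    print(classify(pkt, "192.0.2.10", lb))    # same bytes, SNAT disabled
```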