Before starting configuring any Radius-related settings on your Netscaler, make sure the following is already done:

  1. Add your Netscaler SNIP (Subnet IP) as Radius client
    (This need to be done if you are hiding the Radius servers behind a load balancing or a Content switch virtual server due the traffic is sourced from the subnet IP on the Netscaler)
    Note! If you are configuring your Radius authentication vServer using a direct connection to a radius server, meaning, without any type of load balancing in front, the traffic will flow through the Netscaler IP (NSIP instead)
  2. To determine the health of your load balanced radius servers, we need to configure a proper monitor on our Netscaler that shows the actual state of the radius server functionality.
    To do this we need to define a radius user with static credentials (this will be configured on the monitor as well). Make sure this user don’t have any token assigned, we rather assign a static passcode to it. When you create the radius user make sure to use it to logon to the RSA console once, because you’ll be prompted to change the password during first logon.
  3. Let’s suppose we have two radius servers to configure:
    Radius Server 1: radius01.smali.net (192.168.5.50)
    Radius Server 2: radius02.smali.net (192.168.5.51)

Configuration on Netscaler via CLI

1. Logon to your Netscaler, navigate to (Traffic Management – Load Balancing – Servers) and add both servers…

ns_add_servers

 

 

 

 

 

 

 

 


ns_add_servers_01

 

 

 

 

 

 

 

 

 

 

 

2. Create the Radius monitor by navigating to (Traffic Management – Load Balancing – Monitors)

Enter the name of the monitor and change type to “Radius”. Make sure the response time-out have a higher value the 2 seconds. Use 4 to be sure due the response that Netscaler receives from the Radius servers could take longer time then 2 seconds in some cases.

ns_monitor_conf_01
 

 

 

 

 

ns_monitor_conf_02

 

 

 

 

On Special Parameters enter the User name and password of the Radius user you already defined on your RSA. In Response codes field, beside “2”, you may want to add “3”, which indicates “failure”. You’ll need the Radius key as well… and hit “Create”

ns_monitor_conf_03

 

 

 

 

 

 

 

 

 

 

 

 

 

 

3. Create a load balancing service group (Traffic Management – Load Balancing – Service Groups)
Enter a name and Radius as Protocol and hit “OK”

lb_sg_radius_01

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Bind your radius servers as Service Group members and the monitor we just created..

lb_sg_radius

 

lb_sg_radius_mon

 

4. Now it’s time to create a Load Balancing virtual server that will be used as the radius authentication server on our Netscaler…
Navigate to (Traffic Management – Load Balancing – Virtual Servers) and click add…
Enter a name, protocol as “Radius”, the IP of the Load Balancing VIP and the used port (typically 1812 or 1645)

lbvs_sg_radius_01
 

 

 

Bind the service group we just created on previous step

 

lbvs_sg_radius_02

 

 

 

 

 

 

Add “Method” as “TOKEN” with the following expression UDP.RADIUS.USERNAME

lbvs_sg_radius_03

 

 

 

Add “Persistence” as “RULE”, and in the Expression field type: CLIENT.UDP.RADIUS.USERNAME (if it is not filled in automatically)

Hit “Done” and that should be it.