RADIUS Client Authentication Flow
Hello SecurID experts,
We have integrated our Citrix Gateway with RSA for RADIUS authentication. The Netscaler HA pair has a floating IP which is configured as a RADIUS client in Authentication Manager. We have also configured the local Netscaler IPs as RADIUS clients in AM. From the best I can tell, the RADIUS requests are sent using the floating IP, but RSA sends responses back to the local IP of the individual Netscaler. Can anyone confirm if that's how it's supposed to flow? If so, do I still need to keep the local Netscaler IPs configured as RADIUS clients? Or can I simply have the RADIUS client based on the shared IP?
We are getting ready to integrate our Citrix Gateway into SecurID cloud and I am trying to clear up some confusion about the RADIUS flow.
Also: Is there any detailed documentation or flow charts out there about how RADIUS works with both on-prem Authentication Manager and SecurID cloud?
Thanks in advance for any help you great folks can provide!
The answer to your question depends on the source address of the RADIUS authentication request packet. I think you will find that it's the actual address of your NetScalers, not the VIP address.
The best way to determine what address is being used as the source address is to run a TCP Dump from the AM server CLI. You can do the following after logging in to the CLI:
sudo su root
tcpdump -i eth0 -s 1514 -Z root port 1812
(Use port 1645 instead of 1812 if your NetScaler is configured for it.)
This will output to the screen. Run an authentication test and look at the source and destination addresses of the RADIUS packets.
I appreciate your reply Frank. I did look at the tcpdump as you suggested and all I could see were requests coming from the shared/floating IP between the Netscaler pair.
Afterwards, I enabled debugging for RADIUS on Authentication Manager and found some interesting details.
What it shows by tailing the radius log:
Authentication Requests originate from (floating/shared IP of Netscaler pair)
Then it looks for NAS-IP (local, individual Netscaler IP), and changes RAS client name to that of the local Netscaler IP.
Sends Accept Response to that local IP (also identified as the NAS-IP)
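The distinction the thread turns on is that a RADIUS server sees two addresses per request: the UDP source address of the datagram (here the HA pair's floating IP) and the NAS-IP-Address attribute (type 4) carried inside the packet (here the individual node's local IP). The following Python is an added example, not code from the thread or from RSA: it builds a constructed Access-Request in memory, parses the attribute TLVs, and models the client lookup the poster observed in the debug log (match on NAS-IP-Address first, fall back to the UDP source). The 192.0.2.x addresses, the shared secret and the lookup model itself are assumptions for illustration, not Authentication Manager's actual implementation.

```python
"""Decode a RADIUS Access-Request and show how the resolved RADIUS client
can differ from the UDP source address (added example; no network I/O)."""
import hashlib
import ipaddress
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST = 1        # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4   # the attribute the poster saw the server keying on

# Constructed sample addresses (TEST-NET-1), not taken from the thread.
FLOATING_IP = "192.0.2.10"   # HA pair's shared IP: UDP source of the request
NODE_A_IP = "192.0.2.11"     # local IP of one NetScaler node, sent as NAS-IP-Address
NODE_B_IP = "192.0.2.12"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: XOR each 16-byte block
    with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(user: str, password: str, nas_ip: str,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Assemble Code | Identifier | Length | Authenticator | attribute TLVs."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in (
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs, rejecting truncated or inconsistent packets."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def resolve_client(packet: bytes, src_ip: str,
                   known_clients: Dict[str, bytes]) -> Tuple[Optional[str], str]:
    """Model of the lookup described in the thread: prefer a configured client
    matching NAS-IP-Address, otherwise fall back to the UDP source address.
    Assumption for illustration, not Authentication Manager's own logic."""
    attrs = parse_attributes(packet)
    nas = attrs.get(ATTR_NAS_IP_ADDRESS)
    if nas is not None and len(nas) == 4:
        nas_ip = str(ipaddress.IPv4Address(nas))
        if nas_ip in known_clients:
            return nas_ip, "NAS-IP-Address attribute"
    if src_ip in known_clients:
        return src_ip, "UDP source address"
    return None, "no matching RADIUS client"


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed
    pkt = build_access_request("jdoe", "123456", NODE_A_IP, secret)
    all_three = {FLOATING_IP: secret, NODE_A_IP: secret, NODE_B_IP: secret}
    # Both configured: the node's local IP wins via NAS-IP-Address.
    print(resolve_client(pkt, FLOATING_IP, all_three))
    # Only the floating IP configured: the lookup falls back to the UDP source.
    print(resolve_client(pkt, FLOATING_IP, {FLOATING_IP: secret}))
```

Running this against a tcpdump capture would mean feeding the UDP payload into parse_attributes and the IP-layer source into resolve_client; the point it illustrates is that a server which keys on NAS-IP-Address will log the node's local IP as the client even when the datagram arrives from the floating IP, which is why removing the local IPs from the client list changes which entry (and which shared secret) is matched.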