This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
KeithGiles
Frequent Contributor
Frequent Contributor
‎2022-11-15 05:01 PM

RADIUS Client Authentication Flow

Hello SecurID experts,

We have integrated our Citrix Gateway with RSA for RADIUS authentication. The Netscaler HA pair has a floating IP which is configured as a RADIUS client in Authentication Manager. We have also configured the local Netscaler IPs as RADIUS clients in AM. From the best I can tell, the RADIUS requests are sent using the floating IP, but RSA sends responses back to the local IP of the individual Netscaler. Can anyone confirm if that's how it's supposed to flow? If so, do I still need to keep the local Netscaler IPs configured as RADIUS clients? Or can I simply having the RADIUS client based on the shared IP? 

We are getting ready to integrate our Citrix Gateway into SecurID cloud and I am trying to clear up some confusion about the RADIUS flow.

Also: Is there any detailed documentation or flow charts out there about how RADIUS works with both on-prem Authentication Manager and SecurID cloud?

Thanks in advance for any help you great folks can provide!

KG

 

 

Reply
2 Replies
FrankMiller
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2022-11-16 10:23 AM

Hello Keith;

  The answer to your question depends on the source address of the radius authentication request packet. I think you will find the it's the actual address of your NetScaler's. Not the VIP address.

The best way to determine what address is being used as the source address is to run a TCP Dump from the AM server CLI. You can do the following after logging in to the CLI: 

sudo su root
tcpdump -i eth0 -s 1514 -Z root port 1812 (or 1645 if your NetScaler is configured for it)

This will output to the screen. Run an authentication test and look at the source and destination addresses of the RADIUS packets.

 

Frank

 

Reply
KeithGiles
Frequent Contributor
Frequent Contributor
In response to FrankMiller
‎2022-11-16 01:09 PM

I appreciate your reply Frank. I did look at the tcpdump as you suggested and all I could see were requests coming from the shared/floating IP between the Netscaler pair. 

Afterwards, I enabled debugging for RADIUS on Authentication Manager and found some interesting details.

What it shows by tailing the radius log: 

Authentication Requests originate from (floating/shared IP of Netscaler pair)
Then it looks for NAS-IP (local, individual Netscaler IP), and changes RAS client name to that of the local Netscaler IP.
Sends Accept Response to that local IP (also identified as the NAS-IP)

 

 

Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.