SecurID® Discussions

JaiPagare (Occasional Contributor)

RSA AM f5. Create VIP for AM

Hello all,

I have a project to be submitted.

Here's the scenario.

I have 2 RSA Authentication Managers in Prod. Right now, our privileged access management is pointing to the primary RSA AM, and when I am doing maintenance I have to manually switch RADIUS authentication to the secondary. To overcome this problem I am looking to create an F5 VIP which will then point to both the primary & secondary AM as a failover.

I am a little confused with a few questions and not sure about the answers.

Virtual Server FQDN: rsa-prod.abc.om

Virtual IP Address: 20.20.20.1

Protocol: ? ------------------------

Service Port 1812 TCP.

Persistence (default & fallback): ? ------------- Source_addr or Universal Persistence?

Monitor Type: ? ---------------------

Send String: -------------------------

Receive String: UP

Member server hostname: rsa1-prod.abc.com & rsa2-prod.abc.com

Member IP: 10.10.10.1 & 10.10.10.2

Service Port: 1812

Priority Group: Disabled

Load Balancing Method: Round Robin

If this has been accomplished in your environment, would you help me fill in the blanks please?

Template columns: Virtual Server FQDN / URL, Virtual IP Address, Protocol, Service Port (TCP), HTTPS Redirect, Persistence (default & fallback), Monitor Type, Freq. (secs), TOut (secs), Send String, Receive String, Username, Password, Member Server (Hostname), Member IP Address, Service Port, Priority Group, Load Balancing Method, Monitor Failure Action
_EricaChalfin (Employee, Retired)

Jai Pagare,

Great question! OK, RSA SecurID Access community, can anyone help Jai out?

Regards,

Erica

JayGuillette (Apprised Contributor)

Doesn't your privileged access management system's RADIUS configuration have a place for a failover RADIUS server? Typically you put the primary in the main URL and the replica in Failover. RADIUS does not have a load balancing capability itself, but many vendors, e.g. Citrix, allow you to configure load balancing. But basic RADIUS should allow a failover configuration entry.

JaiPagare (Occasional Contributor)

Unfortunately, our BeyondTrust privileged access management doesn't have an option for a failover RADIUS server.

Jay, so what you mean to say is: I will be able to create an F5 VIP, but it won't work, because RADIUS doesn't have a load balancing capability?

Cisco ASA has you create a server group for RADIUS and add RADIUS servers to it, while Cisco ACS allows you to configure a primary and secondary or failover RADIUS server.

[Attachment: CiscoACS_RADIUS.png]

The F5 should work; you could configure it as either load balance or failover.

SeanDoyle (Trusted Contributor)

F5 LTM supports using it as a RADIUS load balancer.

https://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf 

LTM 12 Radius load balancing datagram lb

There are some tricks to it, so consult the docs. I'm not an expert; I just know people have done it.

Jai,

Were you able to configure this? I'm curious as I have the exact issue. Please advise.
SGTech (Respected Contributor)

Hi Jai Pagare,

If I am not wrong, BT released a new patch that will allow you to configure a secondary RADIUS server; check with your BT vendor. I had one project implemented the same as your environment.
RandyBelbin (Frequent Contributor)

Hi Jai,

You'll want to use an iApp template from F5. F5 provides a pre-configured RADIUS iApp template.
https://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf

To get true monitoring, you'll need to provide an account that can perform an authentication against the RADIUS server (Authentication Manager), as a simple ping test may result in the F5 marking the server as active before all services have started. To set up a monitoring account, you'll need to configure an account in Authentication Manager with a "fixed passcode." Please be aware that a fixed passcode is a static secret with none of the benefits of 2FA. The normal service account management best practices should be applied: for example, rotating the fixed passcode, storing the fixed passcode securely, and restricting the access that this service account has.
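Putting the thread's pieces together, here is an added tmsh configuration example (not from the original posts, the F5 iApp or RSA): a RADIUS monitor that authenticates with the AM monitoring account Randy describes, a pool of the two AM members from the question, and a UDP/1812 virtual server with priority-group failover instead of plain round robin. MONITOR_USER, MONITOR_PASSCODE, RADIUS_SECRET and the F5 self-IP 10.10.10.5 are placeholders; the `#` lines are explanatory comments, not tmsh.

```tmsh
# RADIUS monitor: sends a real Access-Request and marks the member up only
# on Access-Accept, so a booting AM whose RADIUS service is not yet ready
# stays out of rotation (an ICMP or UDP probe cannot tell the difference).
# timeout = 3 * interval + 1 is the usual F5 convention.
ltm monitor radius /Common/rsa_am_radius_monitor {
    defaults-from /Common/radius
    interval 10
    timeout 31
    username MONITOR_USER
    password MONITOR_PASSCODE
    secret RADIUS_SECRET
    nas-ip-address 10.10.10.5
}

# Pool: the primary sits in the higher priority group; with min-active-members 1
# the replica only receives traffic while the primary is marked down, which
# replaces the manual RADIUS switch-over during maintenance. Dropping the
# priority-group lines gives the round-robin load-balancing variant instead.
ltm pool /Common/rsa_am_radius_pool {
    load-balancing-mode round-robin
    min-active-members 1
    monitor /Common/rsa_am_radius_monitor
    members {
        /Common/rsa1-prod.abc.com:1812 { address 10.10.10.1 priority-group 20 }
        /Common/rsa2-prod.abc.com:1812 { address 10.10.10.2 priority-group 10 }
    }
}

# Virtual server: RADIUS authentication is UDP/1812, not TCP. Source-address
# persistence keeps a client's retransmissions on the same member, so one
# passcode is not consumed on both servers. With SNAT automap, Authentication
# Manager sees the F5 self-IP as the RADIUS client, so that address (not the
# PAM host) must be defined as a RADIUS client in AM with RADIUS_SECRET; the
# monitor's source self-IP needs the same RADIUS client entry.
ltm virtual /Common/rsa_am_radius_vs {
    destination /Common/20.20.20.1:1812
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/rsa_am_radius_pool
    profiles { /Common/udp { } }
    persist { /Common/source_addr { default yes } }
    source-address-translation { type automap }
}
```

After loading, `tmsh show ltm pool rsa_am_radius_pool members` confirms that only the priority-20 member is taking connections while the monitor reports both as available.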