AnsweredAssumed Answered

RSA AM f5. Create VIP for AM

Question asked by Jai Pagare on Jun 22, 2018
Latest reply on Dec 12, 2019 by Randy Belbin

Like • Show 0 Likes0
Comment • 9

@Hello Al

I have a project to be submitted.

Here's the scenario.

I have 2 RSA Authentication Managers in Prod. Right now, our privilege access management is pointing to primary RSA AM, and when I am doing maintenance I have to manually switch RADIUS authentication to secondary. To overcome with this problem I am looking to create F5 VIP which will then point to both primary & secondary AM as failover.

I am little confused with few question and not sure about the answers

Virtual Server FQDN: rsa-prod.abc.om

Virtual IP Address: 20.20.20.1

Protocol: ? ------------------------

Service Port 1812 TCP.

Persistence (default & Fallback): ? ------------- Source_addr or Universal Persistance?

Monitor Type: ? ---------------------

Send String: -------------------------

Receive String: UP

Member server hostname: rsa1-prod.abc.com & rsa2-prod.abc.com

Member IP: 10.10.10.1 & 10.10.10.2

Service Port: 1812

Priority Group: Disabled

Load Balancing Method: Round Robin

If this has been accomplished in your environment would you help me fill the blanks please.

Virtual Server FQDN / URL

Virtual IP Address

Protocol

Service Port (TCP)

HTTPS Redirect

Persistance (default & fallback)

Montor Type

Freq. (Secs)

TOut (secs)

Send String

Receive String

Username

Password

Member Server (Hostname)

Member IP Address

Service Port

Priority Group

Load Balancing Method

Monitor Failure Action

No one else has this question

Outcomes

Erica Chalfin

Jun 22, 2018 1:21 PM

Jai Pagare,

Great question! OK, RSA SecurID Access community, can anyone help Jai out?

Regards,

Erica

Actions

Jay Guillette

Jun 22, 2018 2:10 PM

Doesn't your privilege access management System RADIUS configuration have a place for failover RADIUS server? Typically you put primary in main URL and replica in Failover. RADIUS does not have a load balance capability itself, but many vendor, e.g. Citrix, allow you to configure load balancing. But basic RADIUS should allow a failover configuration entry

1 person found this helpful

Actions

Jai Pagare @ Jay Guillette on Jun 22, 2018 2:20 PM

Unfortunately, our Beyond Trust Privilege access management doesn't have option placed for failover RADIUS server.

Jay, so mean to say is.. I will be able to create F5 VIP, but it won't work, because RADIUS doesn't have a load balance capability?

Actions

Ben Garza @ Jai Pagare on Dec 6, 2019 6:51 PM

Jai,

Were you able to configure this? I'm curious as I have the exact issue. Please advise.

Actions

SG Tech @ Jai Pagare on Dec 11, 2019 4:43 AM

Hi Jai pagare,

If I am not wrong BT released new patch that will allow you to configure secondary RADIUS, check with your BT vendor, I had one project implemented same as your environment.

Actions

Jay Guillette

@ Jay Guillette on Jun 22, 2018 2:20 PM

Cisco ASA has you create a server group for RADIUS, and Add RADIUS servers to it, while the Cisco ACS allows you to configure a primary and secondary or failover RADIUS Server

Actions

Jay Guillette

@ Jay Guillette on Jun 22, 2018 2:22 PM

The F5 should work, you could configure it as either load balance or failover.

Actions

Sean Doyle

Jun 22, 2018 2:27 PM

F5 LTM supports using it as a RADIUS load balancer..

https://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf

LTM 12 Radius load balancing datagram lb

There are some tricks to it so consult the docs.. I'm not an expert.. I just know people have done it.

Actions

Randy Belbin

Dec 12, 2019 4:10 PM

Hi Jai,

You'll want to use an iApp template from F5. F5 provides a pre-configured RADIUS iApp template.
https://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf

To get true monitoring, you'll need to provide an account that can perform an authentication against the RADIUS server (Authentication Manager) as a simple ping test may result in the F5 marking the server as active before all services have started. To set up a monitoring account, you'll need to configure an account in Authentication Manager with a "fixed passcode." Please be aware that a fixed passcode is a static secret with none of the benefits of 2FA. The normal service account management best practices should be applied. For example, rotating the fixed passcode, storing the fixed passcode securely, and restricting access that this service account has.

Actions

9 Replies

Erica Chalfin Jun 22, 2018 1:21 PM
Mark Correct
Correct Answer
Jai Pagare,

Great question! OK, RSA SecurID Access community, can anyone help Jai out?

Regards,
Erica
Like • Show 1 Like1
Actions
Jay Guillette Jun 22, 2018 2:10 PM
Mark Correct
Correct Answer
Doesn't your privilege access management System RADIUS configuration have a place for failover RADIUS server? Typically you put primary in main URL and replica in Failover. RADIUS does not have a load balance capability itself, but many vendor, e.g. Citrix, allow you to configure load balancing. But basic RADIUS should allow a failover configuration entry
1 person found this helpful
Like • Show 1 Like1
Actions
- Jai Pagare @ Jay Guillette on Jun 22, 2018 2:20 PM
  Mark Correct
  Correct Answer
  Unfortunately, our Beyond Trust Privilege access management doesn't have option placed for failover RADIUS server.
  
  Jay, so mean to say is.. I will be able to create F5 VIP, but it won't work, because RADIUS doesn't have a load balance capability?
  Like • Show 1 Like1
  Actions
  - Ben Garza @ Jai Pagare on Dec 6, 2019 6:51 PM
    Mark Correct
    Correct Answer
    Jai,
    
    Were you able to configure this? I'm curious as I have the exact issue. Please advise.
    Like • Show 0 Likes0
    Actions
  - SG Tech @ Jai Pagare on Dec 11, 2019 4:43 AM
    Mark Correct
    Correct Answer
    Hi Jai pagare,
    
    If I am not wrong BT released new patch that will allow you to configure secondary RADIUS, check with your BT vendor, I had one project implemented same as your environment.
    Like • Show 0 Likes0
    Actions
- Jay Guillette @ Jay Guillette on Jun 22, 2018 2:20 PM
  Mark Correct
  Correct Answer
  Cisco ASA has you create a server group for RADIUS, and Add RADIUS servers to it, while the Cisco ACS allows you to configure a primary and secondary or failover RADIUS Server
  Like • Show 1 Like1
  Actions
  - Jay Guillette @ Jay Guillette on Jun 22, 2018 2:22 PM
    Mark Correct
    Correct Answer
    The F5 should work, you could configure it as either load balance or failover.
    Like • Show 2 Likes2
    Actions
Sean Doyle Jun 22, 2018 2:27 PM
Mark Correct
Correct Answer
F5 LTM supports using it as a RADIUS load balancer..

https://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf
LTM 12 Radius load balancing datagram lb

There are some tricks to it so consult the docs.. I'm not an expert.. I just know people have done it.
Like • Show 2 Likes2
Actions
Randy Belbin Dec 12, 2019 4:10 PM
Mark Correct
Correct Answer
Hi Jai,

You'll want to use an iApp template from F5. F5 provides a pre-configured RADIUS iApp template.
https://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf

To get true monitoring, you'll need to provide an account that can perform an authentication against the RADIUS server (Authentication Manager) as a simple ping test may result in the F5 marking the server as active before all services have started. To set up a monitoring account, you'll need to configure an account in Authentication Manager with a "fixed passcode." Please be aware that a fixed passcode is a static secret with none of the benefits of 2FA. The normal service account management best practices should be applied. For example, rotating the fixed passcode, storing the fixed passcode securely, and restricting access that this service account has.
Like • Show 0 Likes0
Actions