AnsweredAssumed Answered

RSA AM f5. Create VIP for AM

Question asked by Jai Pagare on Jun 22, 2018
Latest reply on Jun 22, 2018 by Sean Doyle

Like • Show 0 Likes0
Comment • 6

@Hello Al

I have a project to be submitted.

Here's the scenario.

I have 2 RSA Authentication Managers in Prod. Right now, our privilege access management is pointing to primary RSA AM, and when I am doing maintenance I have to manually switch RADIUS authentication to secondary. To overcome with this problem I am looking to create F5 VIP which will then point to both primary & secondary AM as failover.

I am little confused with few question and not sure about the answers

Virtual Server FQDN: rsa-prod.abc.om

Virtual IP Address: 20.20.20.1

Protocol: ? ------------------------

Service Port 1812 TCP.

Persistence (default & Fallback): ? ------------- Source_addr or Universal Persistance?

Monitor Type: ? ---------------------

Send String: -------------------------

Receive String: UP

Member server hostname: rsa1-prod.abc.com & rsa2-prod.abc.com

Member IP: 10.10.10.1 & 10.10.10.2

Service Port: 1812

Priority Group: Disabled

Load Balancing Method: Round Robin

If this has been accomplished in your environment would you help me fill the blanks please.

Virtual Server FQDN / URL

Virtual IP Address

Protocol

Service Port (TCP)

HTTPS Redirect

Persistance (default & fallback)

Montor Type

Freq. (Secs)

TOut (secs)

Send String

Receive String

Username

Password

Member Server (Hostname)

Member IP Address

Service Port

Priority Group

Load Balancing Method

Monitor Failure Action

No one else has this question

Outcomes

Erica Chalfin

Jun 22, 2018 1:21 PM

Jai Pagare,

Great question! OK, RSA SecurID Access community, can anyone help Jai out?

Regards,

Erica

Actions

Jay Guillette

Jun 22, 2018 2:10 PM

Doesn't your privilege access management System RADIUS configuration have a place for failover RADIUS server? Typically you put primary in main URL and replica in Failover. RADIUS does not have a load balance capability itself, but many vendor, e.g. Citrix, allow you to configure load balancing. But basic RADIUS should allow a failover configuration entry

Actions

Jai Pagare @ Jay Guillette on Jun 22, 2018 2:20 PM

Unfortunately, our Beyond Trust Privilege access management doesn't have option placed for failover RADIUS server.

Jay, so mean to say is.. I will be able to create F5 VIP, but it won't work, because RADIUS doesn't have a load balance capability?

Actions

Jay Guillette

@ Jay Guillette on Jun 22, 2018 2:20 PM

Cisco ASA has you create a server group for RADIUS, and Add RADIUS servers to it, while the Cisco ACS allows you to configure a primary and secondary or failover RADIUS Server

Actions

Jay Guillette

@ Jay Guillette on Jun 22, 2018 2:22 PM

The F5 should work, you could configure it as either load balance or failover.

Actions

Sean Doyle

Jun 22, 2018 2:27 PM

F5 LTM supports using it as a RADIUS load balancer..

https://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf

LTM 12 Radius load balancing datagram lb

There are some tricks to it so consult the docs.. I'm not an expert.. I just know people have done it.

Actions

6 Replies

Erica Chalfin Jun 22, 2018 1:21 PM
Mark Correct
Correct Answer
Jai Pagare,

Great question! OK, RSA SecurID Access community, can anyone help Jai out?

Regards,
Erica
Like • Show 1 Like1
Actions
Jay Guillette Jun 22, 2018 2:10 PM
Mark Correct
Correct Answer
Doesn't your privilege access management System RADIUS configuration have a place for failover RADIUS server? Typically you put primary in main URL and replica in Failover. RADIUS does not have a load balance capability itself, but many vendor, e.g. Citrix, allow you to configure load balancing. But basic RADIUS should allow a failover configuration entry
Like • Show 1 Like1
Actions
- Jai Pagare @ Jay Guillette on Jun 22, 2018 2:20 PM
  Mark Correct
  Correct Answer
  Unfortunately, our Beyond Trust Privilege access management doesn't have option placed for failover RADIUS server.
  
  Jay, so mean to say is.. I will be able to create F5 VIP, but it won't work, because RADIUS doesn't have a load balance capability?
  Like • Show 1 Like1
  Actions
- Jay Guillette @ Jay Guillette on Jun 22, 2018 2:20 PM
  Mark Correct
  Correct Answer
  Cisco ASA has you create a server group for RADIUS, and Add RADIUS servers to it, while the Cisco ACS allows you to configure a primary and secondary or failover RADIUS Server
  Like • Show 1 Like1
  Actions
  - Jay Guillette @ Jay Guillette on Jun 22, 2018 2:22 PM
    Mark Correct
    Correct Answer
    The F5 should work, you could configure it as either load balance or failover.
    Like • Show 2 Likes2
    Actions
Sean Doyle Jun 22, 2018 2:27 PM
Mark Correct
Correct Answer
F5 LTM supports using it as a RADIUS load balancer..

https://www.f5.com/pdf/deployment-guides/iapp-radius-dg.pdf
LTM 12 Radius load balancing datagram lb

There are some tricks to it so consult the docs.. I'm not an expert.. I just know people have done it.
Like • Show 2 Likes2
Actions

RSA AM f5. Create VIP for AM

Outcomes

Related Content

Recommended Content