Configure RSA RADIUS monitoring on NetScaler

Ok, so this one is pretty easy and mostly speaks for itself, but there are a few pitfalls while configuring it.

In this example we are going to assume that the RSA backend is already in place and functioning properly.

Why

A fair question is why you would want to do this at all. If you leave the monitoring at the default (tcp-default), the server is marked UP as soon as it responds to a TCP connection. That is simply not enough: we need to make sure that the RSA RADIUS service is actually up and ready to accept authentication requests.

Prerequisites

Make sure you have an account configured in RSA Authentication Manager that is authorized to produce the response you want the monitor to receive from the RSA RADIUS service. More on the RADIUS response codes, and on why you want a valid account, later on.

Besides the account, we are assuming that authentication is working properly and that the Citrix NetScaler IP is added in RSA as a host (RADIUS client) that is allowed to use RSA RADIUS authentication. With -usip NO on the service group (as below), the source address RSA sees is the NetScaler's own subnet IP, so that is the address to register.

The Basics (load balancing)

Create a load-balanced virtual server with the (in our case) two RSA servers behind it (the IP addresses mentioned are of course to be adjusted accordingly).

add server rsa01.domain.local 192.168.0.1
add server rsa02.domain.local 192.168.0.2

add serviceGroup sg_radius_rsa_001 RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED

add lb vserver lb_vs_rsa_001 RADIUS 192.168.0.3 1812 -persistenceType NONE -cltTimeout 120

bind serviceGroup sg_radius_rsa_001 rsa01.domain.local 1812
bind serviceGroup sg_radius_rsa_001 rsa02.domain.local 1812

Creating the Monitor (Standard Parameters)

Create a monitor as displayed below. The important things to configure are the Type (RADIUS) and the Destination Port (1812) on the Standard Parameters tab.

Note: I had to change the Response Time-out setting to 4 (default is 2), since the response took longer than 2 seconds to reach the Citrix NetScaler (this is something to check in your own environment).

[Screenshot: monitor Standard Parameters tab]

In the screenshot below you can see that the response takes a bit more than 2 seconds to arrive, which is why we had to adjust the Response Time-out under Monitor => Standard Parameters.

[Screenshot: RADIUS response time exceeding 2 seconds]

Creating the Monitor (Special Parameters)

Under Special Parameters, enter the credentials of the account created in RSA Authentication Manager that will produce the proper response. As the Response Code we have chosen 2, which is Access-Accept.

[Screenshot: monitor Special Parameters tab]

add lb monitor radius-rsa RADIUS -respCode 2 -userName netscaler_monitoring -password dc0b445466e821 -encrypted -radKey e93d11543846hf963ef -encrypted -LRTM ENABLED -resptimeout 4 -destPort 1812

RADIUS Response Codes

There are different types of RADIUS response codes; see the table below. If you cannot or don't want to create a user account within RSA Authentication Manager, you will not be able to receive a code 2 (Access-Accept) response, and therefore cannot verify that the entire authentication chain is actually working. That would mean the Citrix NetScaler keeps sending authentication requests to the RSA service even when the database is down: RADIUS still answers with an Access-Reject, so as far as the Citrix NetScaler is concerned the server is up and ready to accept authentication requests.

[Table: RADIUS response codes. Codes referenced on this page: 2 = Access-Accept, 3 = Access-Reject, 11 = Access-Challenge.]

More information on RADIUS: http://en.wikipedia.org/wiki/RADIUS
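To make concrete what the RADIUS monitor is actually checking, here is an added Python example of my own; it is not code from this article, from Citrix or from RSA. It builds an Access-Request the way a RADIUS client does (RFC 2865 PAP User-Password obfuscation with the shared key), runs it against a constructed stand-in for the RSA RADIUS service, and then applies the monitor's rule: the server is UP only if the reply's Response Authenticator verifies under the shared key and the code equals the expected one (2). The user name, password, shared key and the "user store down" behaviour are constructed assumptions, and the stand-in server is not RSA's software. It shows the three cases discussed on this page and in the comments: Access-Accept marks the server UP, an Access-Reject from a server whose user store is down leaves it DOWN, and an Access-Challenge (code 11) also leaves it DOWN because it does not match the expected code.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865) that matter for the monitor discussion
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# RADIUS attribute types (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 2, 18, 32

def attribute(attr_type, value):
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data):
    """Return [(type, value), ...]; reject a length byte that runs past the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs

def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_user_password(encoded, secret, request_auth):
    """Inverse of encode_user_password; the key chain runs over the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # strips the padding (a password ending in NUL would lose it)

def build_access_request(identifier, request_auth, username, password, secret):
    """Client side: what the monitor sends (Code 1 with a random Request Authenticator)."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, b"netscaler-monitor"))  # constructed NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def simulated_rsa_server(request, secret, user_store):
    """Constructed stand-in for the RSA RADIUS service (assumption, not RSA's code). user_store=None
    models the article's case: user database down, RADIUS listener still answering with Access-Reject.
    A stored password of None models an account that is prompted for more input (Access-Challenge)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    if user_store is None:
        return build_response(ACCESS_REJECT, ident, req_auth, secret,
                              attribute(ATTR_REPLY_MESSAGE, b"backend unavailable"))
    attrs = dict(parse_attributes(request[20:length]))
    user = attrs.get(ATTR_USER_NAME)
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    if user in user_store and user_store[user] is None:
        return build_response(ACCESS_CHALLENGE, ident, req_auth, secret,
                              attribute(ATTR_REPLY_MESSAGE, b"Enter next passcode"))
    if user in user_store and hmac.compare_digest(user_store[user], password):
        return build_response(ACCESS_ACCEPT, ident, req_auth, secret)
    return build_response(ACCESS_REJECT, ident, req_auth, secret)

def check_response(packet, identifier, request_auth, secret, expected_code=ACCESS_ACCEPT):
    """Monitor side: (healthy, code). Healthy only when the reply is authentic under the shared
    key AND carries expected_code; any other code (Reject, Challenge) leaves the server DOWN."""
    if len(packet) < 20:
        return False, None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != identifier:
        return False, None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, None
    return code == expected_code, code

def probe(user_store, username=b"netscaler_monitoring", password=b"monitor-pass",
          secret=b"constructed-shared-key", expected_code=ACCESS_ACCEPT):
    """One monitor probe against the simulated server: ('UP' | 'DOWN', response code)."""
    identifier, request_auth = 7, os.urandom(16)
    request = build_access_request(identifier, request_auth, username, password, secret)
    reply = simulated_rsa_server(request, secret, user_store)
    healthy, code = check_response(reply, identifier, request_auth, secret, expected_code)
    return ("UP" if healthy else "DOWN"), code
```

Calling probe({b"netscaler_monitoring": b"monitor-pass"}) gives ('UP', 2), probe(None) gives ('DOWN', 3) even though the listener answered, and probe({b"netscaler_monitoring": None}) gives ('DOWN', 11), the situation described in the comments. The authenticator check in check_response is what a plain TCP or ping monitor can never give you: a reply forged or relayed without the shared key is treated the same as no reply. The real monitor additionally enforces the response time-out (4 seconds above), which this offline example does not model.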

About Henny Louwers
I work as a Consultant specialized in Application Delivery, Virtualization of Servers, Desktops and Apps.

3 Responses to Configure RSA RADIUS monitoring on NetScaler

  1. Tom says:

    Hi, really great article. I was just wondering if any special configuration was needed for the user account on the RSA. I've followed your steps, but the monitor is returning 11 Access-Challenge.

    I suspect the RSA device is expecting some more information, but I’ve already supplied the fixed passcode (password) and shared key (Radius Key), as per your screenshot.


  2. Mikhail says:

    Same here. Response code – 11.
    Any thoughts?


  3. Tom says:

    Can’t remember exactly how I fixed this now, but looking at the config on the RSA there’s 2 things that might help:

    Create a RADIUS Profile e.g. ‘NS_Monitoring’ and set a Return List Attribute for Digest-Response-Auth = 2. This should force a response code of ‘2’ on a successful authentication

    Then in User Authentication Settings add the User RADIUS Profile you just created to the monitoring user you’re using (which, incidentally, I have as a user on the internal DB with a fixed passcode). You should then have a RADIUS User Attribute of 18 – Reply-Message # 2

    If that doesn’t help try setting the following on the associated token – SecureID PIN Management – Do not require PIN (only tokencode). Don’t think this was the fix though…

    Hope it helps!

