Configure RSA RADIUS monitoring on NetScaler
December 16, 2011
Ok, so this one is pretty easy and mostly speaks for itself, but there are a few pitfalls while configuring it.
In this example we are going to assume that the RSA backend is already in place and functioning properly.
A fair question is why you would want to. With the default monitor, NetScaler marks the server UP as soon as the host answers: tcp-default completes a TCP handshake, and ping-default (which is what a UDP service such as RADIUS gets by default) only needs an ICMP echo reply. Neither touches the RADIUS service itself, let alone the RSA Authentication Manager behind it. We want the server marked UP only when the RSA RADIUS service is actually up and able to authenticate.
Make sure you have an account in RSA Authentication Manager that is authorized to produce the response you want the monitor to receive. Use a dedicated account for this and nothing else: its static credential is stored on the NetScaler (encrypted in ns.conf) and is sent with every probe. More on the RADIUS response codes, and why you want a real account, later on.
Besides the account, we assume that authentication itself is working and that the NetScaler IP address the probes originate from (normally a SNIP) is registered in RSA Authentication Manager as a RADIUS client with the same shared secret you give the monitor. A RADIUS server silently discards requests from clients it does not know, so if the wrong address is registered the monitor simply times out.
The Basics (load balancing)
Create a load balancing virtual server in front of the (in our case) two RSA servers. The IP addresses below are of course placeholders and have to be adjusted to your environment.
add server rsa01.domain.local 192.168.0.1
add server rsa02.domain.local 192.168.0.2
add serviceGroup sg_radius_rsa_001 RADIUS -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport NO -cltTimeout 120 -svrTimeout 120 -CKA NO -TCPB NO -CMP NO -appflowLog DISABLED
add lb vserver lb_vs_rsa_001 RADIUS 192.168.0.3 1812 -persistenceType NONE -cltTimeout 120
bind serviceGroup sg_radius_rsa_001 rsa01.domain.local 1812
bind serviceGroup sg_radius_rsa_001 rsa02.domain.local 1812
Creating the Monitor (Standard Parameters)
Create a monitor as shown below. The important settings on the Standard Parameters tab are the Type (RADIUS) and the Destination Port (1812).
Note: I had to raise the Response Time-out to 4 seconds (the default is 2) because the RSA response took longer than 2 seconds to reach the Citrix NetScaler. This is something to check in your own environment: the Response Time-out must stay below the monitor Interval (default 5 seconds), and a RADIUS server that routinely needs more than 2 seconds to answer is worth a look in its own right.
In the screenshot below you can see that the response takes a bit more than 2 seconds to arrive, which is why the Response Time-out under Monitor => Standard Parameters had to be adjusted.
Creating the Monitor (Special Parameters)
Under Special Parameters, enter the credentials of the account created in RSA Authentication Manager that will produce the desired response. As Response Code we chose 2, which is Access-Accept. The resulting monitor, as it appears in ns.conf:
add lb monitor radius-rsa RADIUS -respCode 2 -userName netscaler_monitoring -password dc0b445466e821 -encrypted -radKey e93d11543846hf963ef -encrypted -LRTM ENABLED -resptimeout 4 -destPort 1812
Two things to watch here. The -encrypted flags mean that the password and the RADIUS shared secret (-radKey) shown above are the encrypted form from the running configuration; when you type the command yourself you give the plaintext values and leave -encrypted out. And the monitor does nothing until it is bound to the service group (bind serviceGroup with -monitorName), which also removes the default monitor from that service group.
RADIUS Response Codes
RADIUS defines a handful of packet codes (RFC 2865): 1 Access-Request, 2 Access-Accept, 3 Access-Reject, 11 Access-Challenge, 4 and 5 for accounting, and 12 and 13 for Status-Server and Status-Client. The monitor's -respCode is the list of codes it treats as a healthy answer. If you cannot or do not want to create an account in RSA Authentication Manager, the probe can never receive a 2 (Access-Accept); the best you can do is accept 3 (Access-Reject), and then you are no longer verifying the whole authentication chain. An Access-Reject only proves that the RADIUS process answered: if the RSA database behind it is down, RADIUS still replies Access-Reject to every request, the monitor still passes, and according to the Citrix NetScaler the server is up and ready to accept authentication requests, so it keeps sending user logons to a server that cannot authenticate anyone. Only a valid account that yields Access-Accept tells you the path from NetScaler through RADIUS into RSA Authentication Manager works end to end.
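To make the response-code point concrete, here is the exchange the RADIUS monitor performs, reconstructed from RFC 2865 as an added example; this is not code from the original post, from Citrix or from RSA. It assumes the monitor authenticates with PAP (a User-Password attribute, which is what the configured -userName/-password imply), uses the account name netscaler_monitoring from the page with a hypothetical password and shared secret, and talks to a constructed stand-in for the RSA RADIUS service rather than a real RSA Authentication Manager. The stand-in models the failure mode above: with its user database unavailable it still answers, but only ever with Access-Reject.

```python
import hashlib
import os
import socket
import struct

# RADIUS codes (RFC 2865 section 3); the monitor's -respCode refers to these.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; only works with the same shared secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, secret, user, password, nas_ip):
    """What the monitor sends: a random Request Authenticator and a PAP User-Password."""
    req_auth = os.urandom(16)
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + req_auth + body, req_auth


def build_response(code, ident, req_auth, secret, body=b""):
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def check_response(packet, ident, req_auth, secret, accepted_codes):
    """Monitor side: length, identifier and Response Authenticator must check out
    before the code is looked at; then the code must be in the -respCode list."""
    if len(packet) < 20:
        return False, "short packet"
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or pid != ident:
        return False, "identifier/length mismatch"
    if packet[4:20] != hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest():
        return False, "bad Response Authenticator (wrong shared secret or forged reply)"
    return code in accepted_codes, CODE_NAMES.get(code, "code %d" % code)


def fake_rsa_server(request, secret, db_available, users):
    """Constructed stand-in for the RSA RADIUS service (not RSA's behaviour verbatim):
    with its user database unavailable it still answers, but only with Access-Reject."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:])
    user = attrs[USER_NAME].decode()
    ok = db_available and users.get(user) == unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def probe(accepted_codes, db_available, client_secret=b"shared-secret", server_secret=None):
    """One monitor probe against the fake server; password and secret are hypothetical."""
    server_secret = server_secret or client_secret
    req, req_auth = build_access_request(7, client_secret, "netscaler_monitoring", "probe-pw", "192.168.0.3")
    resp = fake_rsa_server(req, server_secret, db_available, {"netscaler_monitoring": b"probe-pw"})
    return check_response(resp, 7, req_auth, client_secret, accepted_codes)


if __name__ == "__main__":
    print("respCode 2, backend up:    ", probe({2}, True))
    print("respCode 2, database down: ", probe({2}, False))
    print("respCode 2,3, database down", probe({2, 3}, False))   # passes: the false UP
    print("wrong shared secret:       ", probe({2}, True, server_secret=b"other"))
```

The third call is the pitfall from the text: with -respCode 2,3 the probe passes while the backend cannot authenticate anyone. The last call shows why a mismatched shared secret between the monitor's -radKey and the RSA client entry shows up as a monitor failure rather than a reject: the Response Authenticator does not verify, so the reply is discarded before its code matters.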
More information on RADIUS: http://en.wikipedia.org/wiki/RADIUS