[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: free radius behind a load balancer?
From:       Nathan Ward <lists+freeradius () daork ! net>
Date:       2021-01-14 21:27:12
Message-ID: 3D0796C7-BB36-4038-8C06-79A9BD522BDB () daork ! net
[Download RAW message or body]


> On 15/01/2021, at 5:25 AM, Coy Hile <coy.hile@coyhile.com> wrote:
> 
> > On Jan 14, 2021, at 10:45 AM, Joseph Nordone via Freeradius-Users \
> > <freeradius-users@lists.freeradius.org> wrote: 
> > Yes, free-radius works great behind load-balancers. We have multiple clusters \
> > behind f5 load balancers. I would look at setting up a two-arm load balancer so \
> > that the originating IP address of the client is presented to the radius server. \
> > Outside of that, it won't modify or change any attribute of the packet itself. 
> 
> How do you mean? What specific things did you have to do for that to happen? (What \
> I've seen is the NATed IP come through as the Packet-Src-IP-Address, rather than \
> the machine from whence I was testing.)


Packet-Src-IP-Address is the source IP of the packet as received by the RADIUS server \
- F5 (or other LB) doesn't insert that, it's not like X-Forwarded-For in HTTP land.

You can disable SNAT in the F5 config to avoid that - the F5 has to be in the IP \
return path for that traffic from the client though - usually that means it's the \
default gateway but of course there are more complicated environments where that's \
not the case :-)

--
Nathan Ward


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[prev in list] [next in list] [prev in thread] [next in thread]