Citrix ADC : Radius authentication failures when Accounting and Authentication are configured on the same port

Workaround: kill the AAAD process on the ADC.

Fix:

– It is recommended to use separate radiusAction objects for authentication and for accounting.

– Send authentication and accounting to two different ports, 1812 and 1813 (the RFC standard), so that the authentication action cannot be blocked by the accounting action. Any two ports can be used, as long as they match the server configuration; they are not limited to 1812 and 1813.

Sample actions and policies for the RADIUS server:

add authentication radiusAction Authserver -serverIP <x.x.x.x> -serverPort 1812 -authTimeout <x> -radKey XXX -authentication ON -accounting OFF -authServRetry <y>

add authentication radiusPolicy AuthPol ns_true Authserver

add authentication radiusAction AccountingServer -serverIP <x.x.x.x> -serverPort 1813 -authTimeout 1 -radKey XXX -authentication OFF -accounting ON -authServRetry 1

add authentication radiusPolicy AccountingPol ns_true AccountingServer

Notes:

– The 1st policy is for authentication only, the 2nd for accounting only.

– 1812 is the standard port for RADIUS authentication and 1813 for RADIUS accounting.

Accounting in NetScaler works on a best-effort basis: success of the operation is not guaranteed. If the environment generates a large number of accounting requests, it is recommended to tune the following parameters to optimize accounting:

authTimeout: this can be set to 1, because for accounting NetScaler does not act on the server's response anyway.

authServRetry: since accounting is best effort, many retries are not needed; this can be set to 1.
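As an added example (not from the original article), the following Python check parses "add authentication radiusAction" lines from a running config and flags both issues discussed above: an authentication action and an accounting action sharing the same server IP and port, and accounting actions whose authTimeout/authServRetry are not tuned to 1. The config lines are constructed, and the defaults assumed when a flag is omitted (authentication ON, accounting OFF, port 1812) are marked in the comments.

```python
import shlex

# Constructed sample config (not from any real ADC). The first pair shares
# 192.0.2.10:1812 for auth and accounting, the failure mode described above;
# the second pair follows the recommended split onto 1812 and 1813.
SAMPLE_CONFIG = """
add authentication radiusAction Authserver -serverIP 192.0.2.10 -serverPort 1812 -authTimeout 3 -radKey XXX -authentication ON -accounting OFF -authServRetry 3
add authentication radiusAction AcctServer -serverIP 192.0.2.10 -serverPort 1812 -authTimeout 3 -radKey XXX -authentication OFF -accounting ON -authServRetry 3
add authentication radiusAction Authserver2 -serverIP 192.0.2.11 -serverPort 1812 -authTimeout 3 -radKey XXX -authentication ON -accounting OFF -authServRetry 3
add authentication radiusAction AcctServer2 -serverIP 192.0.2.11 -serverPort 1813 -authTimeout 1 -radKey XXX -authentication OFF -accounting ON -authServRetry 1
"""

def parse_radius_actions(config_text):
    """Map action name -> {flag: value} for each 'add authentication radiusAction' line."""
    actions = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:3] != ["add", "authentication", "radiusAction"]:
            continue
        flags = tokens[4:]
        # Options on these lines come as "-name value" pairs.
        actions[tokens[3]] = dict(zip(flags[::2], flags[1::2]))
    return actions

def check_radius_actions(actions):
    """Return findings: shared auth/accounting ports, and untuned accounting actions."""
    findings = []
    by_endpoint = {}
    for name, a in actions.items():
        # Assumed ADC defaults when a flag is omitted: authentication ON, accounting OFF, port 1812.
        auth_on = a.get("-authentication", "ON") == "ON"
        acct_on = a.get("-accounting", "OFF") == "ON"
        endpoint = (a.get("-serverIP"), a.get("-serverPort", "1812"))
        roles = by_endpoint.setdefault(endpoint, {"auth": [], "acct": []})
        if auth_on:
            roles["auth"].append(name)
        if acct_on:
            roles["acct"].append(name)
            if a.get("-authTimeout") != "1" or a.get("-authServRetry") != "1":
                findings.append(f"{name}: accounting action should use -authTimeout 1 -authServRetry 1")
    for (ip, port), roles in by_endpoint.items():
        if roles["auth"] and roles["acct"]:
            findings.append(f"{ip}:{port} serves both authentication ({', '.join(roles['auth'])}) "
                            f"and accounting ({', '.join(roles['acct'])}); move accounting to its own port")
    return findings

if __name__ == "__main__":
    for finding in check_radius_actions(parse_radius_actions(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of "show running-config" filtered to radiusAction lines; an empty result means every accounting action has its own port and is tuned as recommended.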
