Loadbalancing RADIUS on NSX ALB part 2

You still really like redundancy, we all do. And you must like (or need) loadbalancing, since you’re still here! In Part 2, I’ll dive into virtual service config!

You can find part 1 right about here

Short recap: in the previous part, I went over the topology, and the configuration of the service engines, the dummy VIP and the NAT policy. In this second part, I will detail the configuration of the virtual service and all it’s dependencies.

Health monitors

You generally want to make sure that you’re backend server is actually handling RADIUS requests, so a health monitor is needed!

  1. Navigate to Template > Profiles > Health Monitors and click Create
  2. Enter a name of your choosing
  3. Set the type to RADIUS
  4. Enter your preferred timing settings, which should be as low as you can get without generating false positives or creating too much load on your backend
  5. Enter the credentials of a test user. Consider using a dedicated user that is in the same identity store as your production users. This will allow for and end-to-end health check.

Health monitor

  1. Click Save

(Optional) Create a collection filter in ISE

Health monitor traffic is generally not very interesting for your logs, so it might make sense to exclude. I’ve used Collection Filters in ISE to make sure the RADIUS logs aren’t full of sessions started by the loadbalancer.

  1. Get the vNIC IP’s from AVI (Infrastructure > Cloud Resources > Service Engine > Edit button)


  1. In your ISE dashboard, navigate to Administration > System > Logging

ISE logging

  1. Click Collection Filters and then click Add
  2. Set the attribute to Device IP Address and enter the IP address of your SE vNIC

ISE collection filter

  1. Set the Filter Type to Filter Passed (this will give you logs if your test user fails, which is useful)
  2. Click Submit
  3. Repeat for the other SE vNIC IP

Add vNIC IP’s to ISE

While we’re at it, now is as good as time as any to add our SE vNIC IPs to ISE to make sure they’re allowed to send RADIUS requests to ISE.

  1. In ISE, navigate to Administration > Network Resourcers > Network Device
  2. Click Add
  3. Fill in a name for the SE and add the IP address

ISE device 1

  1. Make sure to add the RADIUS Shared secret under RADIUS Authentication Settings

ISE device 2

  1. All other settings will be specific to your deployment
  2. Repeat or the other SE and the floating IP you created earlier


With the health monitor in place, we can now create the backend pools. This is fairly straight forward for a change :)

  1. Navigate to Applications > Pools and click Create Pool
  2. Enter a name and add your Cloud and VRF Context

Pool settings

  1. Set the default port to 1812
  2. Add your ISE backend servers (by IP or FQDN, depending on your existing ALB config)

Pool servers

  1. Set the Healthmonitor to the monitor you created in the previous step
  2. Click Save

The persistence datascript

Now, for some of the black magic! RADIUS (or at least the ISE implementation of it) requires that you handle your entire session on the same host. Source IP is also not great as often requests are relayed through something like a wireless controller. The Datascript below will parse the incoming request and set persistence based on the incoming RADIUS request. This is a fairly complicated script, and there’s no point in writing it yourself is someone else already did it. In this case the fine folks at AVI already did the heavy lifting for us. See this link for more details on how the datascript works.

Configuration wise, follow these steps:

  1. Navigate to Templates > Scripts > DataScripts and click Create
  2. Enter a name and select the pool your created earlier under Pools
  3. Select Default-Radius and Default-DHCP for Protocol Parser
  4. Scroll down to Events,click Add and select L4 Response
  5. Paste the code found here, making sure to replace l4-radius-pools with your own pool!
  6. Click Save


Even easier then than the pools! This will differ from deployment to deployment (you might use manual VS VIP assignments or IPAM). If you’re reading this, you probably know how to create a VS VIP object though. Just in case, I’ve added the basic steps for a manual VIP below

  1. Navigate to Applications > VS VIPs and click Create
  2. Enter a name and add your Cloud and VRF Context
  3. Click Add under VIPs
  4. Enter the IP you want to use
  5. Click Save

(Optional) Create a dedicated application profile

This is not required, but highly recommended. You could update the settings of the default profile (System-L3-Application), but generally recommend against doing so.

  1. Navigate to Templates > Profiles > Application and click Create
  2. Enter a name and set the type to L4
  3. Make sure the Preserve Client IP Address checkbox is select

Application Profile

  1. Click Save

Virtual service

With all that out of the way, we can finally get to the virtual service.

  1. Navigate to Applications > Virtual Services and click Create Virtual Service > Advanced Setup
  1. Select your Cloud and click Next
  2. Select your VRF Context and click Next
  3. Enter a name for your VS
  4. Under VIP Address, select the VS VIP you create before
  5. Under Profiles, set TCP/UDP Profile to System-UDP-Fast-Path and the Application Profile to the profile you just created

VS Creation

  1. Under Pool, select the pool you created before
  2. Under Service Port, click Switch to Advanced

VS Profiles

  1. Add 1812 as a service and click Add port
  2. Add 1813 as a service and click Add port again
  3. Finally, add 67 as a service, check Override TCP/UDP and select System-UDP-Per-Pkt

VS Ports

  1. (we’re almost done, I promise) Click Next and you’ll go to the Policies page. then click DataScripts
  2. Click Add DataScript, select the datascript you created before and click Save DataScript
  3. Click Next to proceed to the Advanced Page
  4. Under Other Settings select the correct Service Engine Group
  5. Finally, click Save

Further Reading

I’ll mention it again :) This post was written based on my own experience with setting this up. Most of the raw information available in the ALB docs. You can find the detailed articles here: