ap_idb
Enthusiast

UAG Radius Authentication taking 30 seconds

Hello all,

We have 2 UAGs deployed with 3 NICs each. The UAG is behind an F5 firewall. When monitoring the VLAN interface for traffic on NIC3 on the UAG, the UAG takes approx 30 seconds just to send the request, and once the request is sent it's an instantaneous response. This leads to a very long wait time between the passcode being entered and, after valid confirmation, the user being led to the password.

We've tried this with PAP as well as MSCHAP2, both have the same results.

UAG logs are not really showing much in terms of what is occurring between a user submitting the passcode and the UAG sending it to our RADIUS server.

Any help appreciated.

1 Solution

Accepted Solutions
ap_idb
Enthusiast

Issue was DNS. Once we switched DNS to servers that worked, authentication was instant versus 30 seconds.

6 Replies
BenFB
Virtuoso

Which version of the UAG are you running? RADIUS is instantaneous in our deployment.

ap_idb
Enthusiast

This has occurred on versions 3.3 and 3.4.

BenFB
Virtuoso

I'm on 3.3.1 with a two NIC deployment. My understanding is that NIC 2 is for backend traffic and NIC 3 is only used for management. I think you may have a routing or configuration issue if you are seeing RADIUS on NIC 3.

ap_idb
Enthusiast

Other way around: NIC3 is for backend and we have our route set there for all internal subnets, so I assume RADIUS routes here.

NIC2 is mgmt and we have a specific subnet with access to that.

NIC1 is external.

I'm beginning to think NIC1 is what is sending RADIUS, and ignoring the static routes.

ap_idb
Enthusiast

I think we figured it out. Our network engineer pored over the logs and noticed a few cases of DNS issues, performed a few nslookups and noted that it was not resolving a few entries correctly. Repointed DNS to another DNS server and it worked as it should, instantaneously.

My hunch is that the initial authentication FIRST checks for the user in AD, then hands it back to RADIUS to confirm passcode. Odd, but changing DNS did the trick.

ap_idb
Enthusiast

Issue was DNS. Once we switched DNS to servers that worked, authentication was instant versus 30 seconds.

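The nslookup check described in the thread can be turned into a timed test, shown here as an added example that is not part of the original posts or VMware's tooling. The function names and the `example.internal` hostnames are assumptions; substitute the names your authentication path actually resolves and run it from a host that uses the same DNS servers as the appliance.

```python
import socket
import time


def time_lookups(names, resolve=socket.getaddrinfo, clock=time.monotonic,
                 slow_after=1.0):
    """Resolve each name once and record how long the resolver took.

    Returns a list of (name, seconds, status) with status 'ok', 'slow'
    or 'failed'. A lookup that fails only after many seconds means the
    resolver waited out its timeouts against DNS servers that did not
    answer, which stalls whatever called it for the same time.
    """
    results = []
    for name in names:
        start = clock()
        try:
            resolve(name, None)
            status = "ok"
        except OSError:  # socket.gaierror is a subclass of OSError
            status = "failed"
        elapsed = clock() - start
        if status == "ok" and elapsed >= slow_after:
            status = "slow"
        results.append((name, round(elapsed, 3), status))
    return results


def suspects(results):
    """Return only the entries that were slow or failed, longest first."""
    bad = [r for r in results if r[2] != "ok"]
    return sorted(bad, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed placeholder names, not taken from the thread.
    names = ["radius.example.internal", "dc01.example.internal"]
    for name, seconds, status in suspects(time_lookups(names)):
        print(f"{status:6} {seconds:7.3f}s  {name}")
```

An entry that fails or succeeds only after several seconds points at the configured DNS servers rather than at the RADIUS server itself.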