Forum Discussion
I'm guessing that you're probably using the default partition (Common) and route domain (0), you have a default route configured in the Network section of the BIG-IP, and you have a default route for the management port. If that's the case, and you want authentication traffic to originate from the management port, you need to add static routes on the management port. By default, BIG-IP prefers the default route of the default route domain (0) over the default route of the management port for traffic originating from the device, like NTP, SNMP traps, authentication, etc. If you want the traffic to originate from the management port's IP address, you must add the static routes through the CLI.
K13284: Overview of management interface routing (11.x - 12.x) https://support.f5.com/csp/article/K13284
K3669: Overview of management interface routing (9.x - 10.x) https://support.f5.com/csp/article/K3669
Hope this helps!
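To make the route-preference rule above checkable, here is an added example (not from the thread or from F5) that parses `tmsh list /sys management-route` output and reports whether a given RADIUS server would be reached via a specific management route or would fall back to the route domain 0 default. The sample tmsh text is constructed to match the routes posted later in the thread; `ROUTE_RE`, `parse_management_routes` and `egress_for` are this example's own names.

```python
import ipaddress
import re
import shlex

# Constructed sample in the format of `tmsh list /sys management-route`,
# modelled on the routes posted in the thread (values are examples).
SAMPLE_TMSH = """
sys management-route NPS {
    gateway 10.24.18.1
    network 10.29.22.104/32
}
sys management-route default {
    description configured-statically
    gateway 10.24.18.1
    mtu 1500
    network default
}
"""

# One block per route; the body is key/value pairs (one-line or multi-line).
ROUTE_RE = re.compile(r"sys management-route (\S+) \{(.*?)\}", re.S)


def parse_management_routes(text):
    """Return {name: (ip_network, gateway)} parsed from tmsh output."""
    routes = {}
    for name, body in ROUTE_RE.findall(text):
        toks = shlex.split(body)  # tolerates quoted description values
        props = dict(zip(toks[0::2], toks[1::2]))
        net = props.get("network", "default")
        net = "0.0.0.0/0" if net == "default" else net
        routes[name] = (ipaddress.ip_network(net, strict=False), props.get("gateway"))
    return routes


def egress_for(routes, server_ip):
    """Longest-prefix match of server_ip against the management routes.
    Only a specific (non-default) management route makes BIG-IP source
    self-originated traffic such as RADIUS from the management address;
    if only the 'default' entry matches, the route domain 0 default route
    wins and the packet leaves via a self IP instead.
    """
    ip = ipaddress.ip_address(server_ip)
    best = None  # (name, network, gateway) of the most specific match
    for name, (net, gw) in routes.items():
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net, gw)
    if best is None or best[1].prefixlen == 0:
        return {"source": "tmm", "route": best[0] if best else None}
    return {"source": "management", "route": best[0], "gateway": best[2]}
```

Run `egress_for(parse_management_routes(SAMPLE_TMSH), "10.29.22.104")` to confirm the /32 entry is what sends the RADIUS traffic out of the management port; a neighbouring address such as 10.29.22.105 only matches the default entry and is reported as leaving via TMM.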
- MCP200_297965, Sep 11, 2017, Nimbostratus
Hi Guys, I am using BIG-IP 12.1.2 Build 1.0.271 Hotfix HF1
wlopez, I believe you're right on this. I see Partition Default Route Domain under the routing table with an ID of 0. Nothing in here routes to my NPS server.
I added the route below to point my NPS server out of the management interface, but it is not showing under "ip route show table main".
sys management-route NPS {
    gateway 10.24.18.1
    network 10.29.22.104/32
}
sys management-route default {
    description configured-statically
    gateway 10.24.18.1
    mtu 1500
    network default
}
ip rule show
0: from all lookup local
245: from 10.24.18.11 lookup 245
32766: from all lookup main
- wlopez_98779, Sep 11, 2017, Nimbostratus
Can you run the following command to list the routes on the management port?
From bash: tmsh list /sys management-route
or from tmsh: list /sys management-route
- MCP200_297965, Sep 11, 2017, Nimbostratus
Hi There,
After adding the management route, from the firewall I can see traffic from the management interface hitting the NPS server, but I still can't authenticate via RADIUS.
I've added all the config and made sure the NPS profile client IP is the management IP of the F5.
I will run the command you have asked me to.
- MCP200_297965, Sep 11, 2017, Nimbostratus
Here is my config:
sys management-route Primary_NPS {
    gateway 10.x.18.1
    network 10.x.22.104/32
}
sys management-route Secondary_NPS {
    gateway 10.x.18.1
    network 10.x.22.104/32
}
sys management-route default {
    description configured-statically
    gateway 10.x.18.1
    mtu 1500
    network default
}
After issuing the command "less /var/log/secure" I see the following:
httpd(pam_audit)[20983]: User=xyz tty=(unknown) host=10.21.2.x failed to login after 1 attempts (start="Tue Sep 12 08:08:14 2017" end="Tue Sep 12 08:08:16 2017").
It seems it's still trying to log in locally? The admin account is still present, but under Users I have enabled Remote - RADIUS, though no user group is set up.
- wlopez_98779, Sep 13, 2017, Nimbostratus
I haven't done RADIUS authentication for F5 management user authentication. I have done a lot of Remote - Active Directory configurations. For Active Directory you do need to configure the Authentication screen with the 'External Users' section set to: Role = No access
Partition Access = All
Terminal Access = Disabled
You also need to configure the Remote Role Groups with their corresponding parameters.
That forces all management user authentication to be done remotely, except for the admin and root accounts.