Forum Discussion

midhun_108442
Nov 26, 2012

How to configure Authorization in radius server for remote users

Hi,

The users are authenticating to F5 through the RADIUS server, but authorization is not happening through the RADIUS server. For authorization we have configured each user's privilege in F5. Kindly help us configure F5 authorization through the RADIUS server.

Regards,

Midhun P.K

 

8 Replies

  • Pascal_Tene_910
    Historic F5 Account
    Hi Midhun,

    This manual guide provides some details about what you are after.

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/19.html?sr=25547154

    You might also want to open a case with F5 support if required.

    Thanks,

    P.
  • Hi,

    Thanks for your response. I have gone through the URL above and some other documents, where I read that a remote role needs to be configured in F5 for the authorization of remote users. Kindly, can anyone help me with how to configure a remote role in F5?

    We are using SBR (Juniper RADIUS) in our setup. F5 authentication is happening through this SBR. Kindly help me to configure authorization for the same. What setup do I need to configure in F5 for this to work?

    Regards,

    Midhun P.K
  • Pascal_Tene_910
    Historic F5 Account
    Hi Midhun,

    Can you confirm which version of BIG-IP software you are using?

    Thanks,

    P.
  • Hi,

    Could anyone help me to configure a remote role in F5?

    Regards,

    Midhun P.K
  • I do not have SBR for testing. Anyway, just wondering whether sol11431 Steve gave works.

    sol11431: Using F5 vendor specific attributes with RADIUS authentication

    http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html?sr=25610750

    The following is my testing using FreeRADIUS.

    root@ve10(Active)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  10.2.4
      Build    655.0
      Edition  Hotfix HF4
      Date     Tue Aug 21 11:35:59 PDT 2012
    
    
    root@ve10(Active)(tmos) list auth radius
    auth radius system-auth {
        servers {
            system_auth_name1
        }
    }
    
    root@ve10(Active)(tmos) list auth radius-server
    auth radius-server system_auth_name1 {
        secret secret
        server 172.28.19.251
    }
    
    root@ve10(Active)(tmos) list auth remote-role
    auth remote-role {
        role-info {
            guest-role {
                attribute F5-LTM-User-Info-1=guest-group
                console tmsh
                line-order 2
                role guest
                user-partition all
            }
            operator-role {
                attribute F5-LTM-User-Info-1=operator-group
                console tmsh
                line-order 1
                role operator
                user-partition all
            }
        }
    }
    
     operator user
    
    Frame 1
    Internet Protocol Version 4, Src: 172.28.19.80 (172.28.19.80), Dst: 172.28.19.251 (172.28.19.251)
    User Datagram Protocol, Src Port: 28694 (28694), Dst Port: 1812 (1812)
    Radius Protocol
        Code: Access-Request (1)
        Packet identifier: 0x6 (6)
        Length: 91
        Authenticator: c677c8bc666e898d6c73c820f92c1070
        [The response to this request is in frame 2]
        Attribute Value Pairs
            AVP: l=8  t=User-Name(1): hiccup
            AVP: l=18  t=User-Password(2): Decrypted: "topsecret\000\000\000\000\000\000\000"
            AVP: l=6  t=NAS-IP-Address(4): 192.168.1.245
            AVP: l=6  t=NAS-Identifier(32): sshd
            AVP: l=6  t=NAS-Port(5): 27669
            AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
            AVP: l=6  t=Service-Type(6): Authenticate-Only(8)
            AVP: l=15  t=Calling-Station-Id(31): 192.168.204.8
    
    Frame 2
    Internet Protocol Version 4, Src: 172.28.19.251 (172.28.19.251), Dst: 172.28.19.80 (172.28.19.80)
    User Datagram Protocol, Src Port: 1812 (1812), Dst Port: 28694 (28694)
    Radius Protocol
        Code: Access-Accept (2)
        Packet identifier: 0x6 (6)
        Length: 54
        Authenticator: ef1abb1eece8861906eee842e5e58395
        [This is a response to a request in frame 1]
        [Time from request: 0.001913000 seconds]
        Attribute Value Pairs
            AVP: l=12  t=Vendor-Specific(26) v=F5(3375)
                VSA: l=6 t=F5-LTM-User-Role(1): Operator(400)
            AVP: l=22  t=Vendor-Specific(26) v=F5(3375)
                VSA: l=16 t=F5-LTM-User-Info-1(12): operator-group
    
     guest user
    
    Frame 1
    Internet Protocol Version 4, Src: 172.28.19.80 (172.28.19.80), Dst: 172.28.19.251 (172.28.19.251)
    User Datagram Protocol, Src Port: 28957 (28957), Dst Port: 1812 (1812)
    Radius Protocol
        Code: Access-Request (1)
        Packet identifier: 0xe3 (227)
        Length: 94
        Authenticator: 7d30678ab23dd40f412aa51dce58fe8e
        [The response to this request is in frame 4]
        Attribute Value Pairs
            AVP: l=11  t=User-Name(1): toothless
            AVP: l=18  t=User-Password(2): Decrypted: "password\000\000\000\000\000\000\000\000"
            AVP: l=6  t=NAS-IP-Address(4): 192.168.1.245
            AVP: l=6  t=NAS-Identifier(32): sshd
            AVP: l=6  t=NAS-Port(5): 27932
            AVP: l=6  t=NAS-Port-Type(61): Virtual(5)
            AVP: l=6  t=Service-Type(6): Authenticate-Only(8)
            AVP: l=15  t=Calling-Station-Id(31): 192.168.204.8
    
    Frame 2
    Internet Protocol Version 4, Src: 172.28.19.251 (172.28.19.251), Dst: 172.28.19.80 (172.28.19.80)
    User Datagram Protocol, Src Port: 1812 (1812), Dst Port: 28957 (28957)
    Radius Protocol
        Code: Access-Accept (2)
        Packet identifier: 0xe3 (227)
        Length: 51
        Authenticator: daf2c34f040c5085c8a5180ca6569ef4
        [This is a response to a request in frame 3]
        [Time from request: 0.001627000 seconds]
        Attribute Value Pairs
            AVP: l=12  t=Vendor-Specific(26) v=F5(3375)
                VSA: l=6 t=F5-LTM-User-Role(1): Guest(700)
            AVP: l=19  t=Vendor-Specific(26) v=F5(3375)
                VSA: l=13 t=F5-LTM-User-Info-1(12): guest-group
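As an added example (not code from the thread, F5 or FreeRADIUS), a small Python decoder for the Access-Accept shown above: it builds a constructed packet carrying the two F5 VSAs (vendor 3375, types 1 and 12, with a zeroed Response Authenticator since only attribute parsing is exercised), extracts them, and applies the remote-role lines in line-order the way the `list auth remote-role` configuration above reads. The attribute numbers, role values and group strings come from the capture; the first-match-by-line-order evaluation is my reading of that config, not F5's own implementation.

```python
import struct

F5_VENDOR_ID = 3375         # Vendor-Specific(26) v=F5(3375) in the capture above
F5_LTM_USER_ROLE = 1        # VSA type 1, 4-byte integer (Operator=400, Guest=700)
F5_LTM_USER_INFO_1 = 12     # VSA type 12, string the remote-role lines match on
# (line-order, attribute, role) mirroring 'list auth remote-role' above; lower order wins.
REMOTE_ROLE_LINES = [(2, "F5-LTM-User-Info-1=guest-group", "guest"),
                     (1, "F5-LTM-User-Info-1=operator-group", "operator")]

def build_access_accept(pkt_id, role, info):
    """Constructed Access-Accept (code 2) carrying the two F5 VSAs; Response Authenticator zeroed."""
    attrs = b""
    for vtype, value in ((F5_LTM_USER_ROLE, struct.pack("!I", role)),
                         (F5_LTM_USER_INFO_1, info.encode("ascii"))):
        vsa = struct.pack("!BB", vtype, 2 + len(value)) + value        # vendor type, vendor length
        body = struct.pack("!I", F5_VENDOR_ID) + vsa                   # vendor id + VSA
        attrs += struct.pack("!BB", 26, 2 + len(body)) + body          # outer AVP type 26
    return struct.pack("!BBH", 2, pkt_id, 20 + len(attrs)) + bytes(16) + attrs

def parse_f5_vsas(packet):
    """Walk the AVPs of a RADIUS packet; return (code, {F5 attribute name: value})."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed AVP")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != 26 or len(value) < 6:
            continue                                   # not a usable Vendor-Specific
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor != F5_VENDOR_ID or vlen < 2 or 4 + vlen > len(value):
            continue                                   # other vendor or truncated VSA
        vvalue = value[6:4 + vlen]
        if vtype == F5_LTM_USER_ROLE and len(vvalue) == 4:
            found["F5-LTM-User-Role"] = struct.unpack("!I", vvalue)[0]
        elif vtype == F5_LTM_USER_INFO_1:
            found["F5-LTM-User-Info-1"] = vvalue.decode("ascii", "replace")
    return code, found

def resolve_remote_role(vsas):
    """First remote-role line (by line-order) whose attribute matches decides; no match, no role."""
    for _, attribute, role in sorted(REMOTE_ROLE_LINES):
        name, _, expected = attribute.partition("=")
        if name in vsas and str(vsas[name]) == expected:
            return role
    return None
```

The two constructed packets come out at 54 and 51 bytes, the same lengths Wireshark reports for the operator and guest Access-Accepts above, which is a quick check that the VSA framing matches the capture.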