RADIUS and route domain

Question

Hello.    
&nbsp;    Platform: F5 BIGIP 3600, 10.0    
&nbsp;        
&nbsp;    Radius authentication doesn't seem to work if radius server _located in route domain_ (and radius server address with % sign has no effect at all). The ip connectivity is working right (icmp, ip) but radius auth packets are going with such kind errors:    
&nbsp;        
&nbsp;    with % sign:    
&nbsp;    Oct 25 02:34:21 local/f5a err httpd[5247]: pam_radius_auth: Failed looking up IP address for RADIUS server 10.35.2.73%3 (errcode=9)    
&nbsp;    Oct 25 02:34:21 local/f5a err httpd[5247]: pam_radius_auth: All RADIUS servers failed to respond.    
&nbsp;        
&nbsp;    without % sign:    
&nbsp;    Oct 25 02:38:09 local/f5a err httpd[17866]: pam_radius_auth: RADIUS server 10.35.2.73 failed to respond    
&nbsp;    Oct 25 02:38:12 local/f5a err httpd[17866]: pam_radius_auth: RADIUS server 10.35.2.73 failed to respond    
&nbsp;    Oct 25 02:38:15 local/f5a err httpd[17866]: pam_radius_auth: RADIUS server 10.35.2.73 failed to respond    
&nbsp;    Oct 25 02:38:18 local/f5a err httpd[17866]: pam_radius_auth: RADIUS server 10.35.2.73 failed to respond    
&nbsp;    Oct 25 02:38:18 local/f5a err httpd[17866]: pam_radius_auth: All RADIUS servers failed to respond.    
&nbsp;    
&nbsp;  route-domain 3 {  
&nbsp;      description VRF3  
&nbsp;      vlans {  
&nbsp;          PRIVATE  
&nbsp;      }  
&nbsp;  }  
&nbsp;    
&nbsp;  self 10.35.2.78%3/24 {  
&nbsp;      allow-service default  
&nbsp;      vlan PRIVATE  
&nbsp;  }  
&nbsp;    
&nbsp;  radius system-auth {  
&nbsp;      servers {  
&nbsp;          system_auth_name1  
&nbsp;      }  
&nbsp;  }  
&nbsp;  radius-server system_auth_name1 {  
&nbsp;      secret xxxxxxxxxx  
&nbsp;      server 10.35.2.73%3  
&nbsp;  }  
&nbsp;    
&nbsp;  RADIUS-SERVER ping 10.35.2.78  
&nbsp;  PING 10.35.2.78 (10.35.2.78) 56(84) bytes of data.  
&nbsp;  64 bytes from 10.35.2.78: icmp_seq=1 ttl=255 time=0.000 ms  
&nbsp;  64 bytes from 10.35.2.78: icmp_seq=2 ttl=255 time=0.000 ms  
&nbsp;        
&nbsp;    
&nbsp;    Is that a bug or a feature?    
&nbsp;    Thanks

hooleylist · Answer

Is this for client VIP or admin GUI/CLI auth?  If client auth, I'd say it's a bug--you should be able to specify an auth server in the VIP's routing domain.  If it's admin auth, I don't think it would make sense to have all admins authenticated against one routing domain's auth server.  For admin, wouldn't it make more sense to define the auth server in the default routing domain? 
&nbsp;  
&nbsp; Either way, I'd suggest opening a case with F5 Support to check on this.  If you do/have already, could you post back what you find?  If you get stuck, I can also check with a customer who set up admin auth with a RADIUS server and routing domains. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

RADIUS and route domain

1 Reply

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

FQDN nodes in non-default route domains

iRule based RADIUS Client Stack

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

iRule based RADIUS Health Monitor Builder

How to find route domain OID