Forum Discussion

MCP200_297965
Sep 08, 2017

Radius authentication failing for MGMT

Hi,

I am trying to set up RADIUS for an F5 management appliance. However, the logs show "server failed to respond". I've set up the RADIUS profile through System ›› Users : Authentication.

I am able to ping the RADIUS server from the F5 appliance and I can see the traffic on the firewall in its logs.

I have confirmed on the RADIUS server that a profile exists for the F5 appliance and the groups requiring access. The management interface existed.

The only thing I have noticed is that the F5 uses the self IP to communicate with RADIUS and not the management IP address. The RADIUS server profile is set to accept anything coming from the self IP.

Have I missed anything? Do I need anything under System ›› Users : Remote Role Groups?

Sep 8 08:53:54 AUNRE01-LBP02 err httpd[13309]: pam_radius_auth: RADIUS server 10.5.5.101 failed to respond


13 Replies

  • wlopez

    I'm guessing that you're probably using the default partition (Common) and route domain (0), you have a default route configured in the network section of the BigIP, and you have a default route for the management port. If that's the case, and you want authentication traffic to originate from the management port, you need to add static routes on the management port. By default BigIP prefers the default route for the default route domain (0) over the default one on the management port for traffic originating from the device like NTP, SNMP traps, authentication, etc. If you want the traffic to originate from the management port's IP address you must add the static routes through the CLI.

    K13284: Overview of management interface routing (11.x - 12.x) https://support.f5.com/csp/article/K13284

    K3669: Overview of management interface routing (9.x - 10.x) https://support.f5.com/csp/article/K3669

    Hope this helps!


    • MCP200_297965

      Hi Guys, I am using BIG-IP 12.1.2 Build 1.0.271 Hotfix HF1

      wlopez, I believe you're right on this. I see Partition Default Route Domain under the routing table with an ID of 0. Nothing in here routing to my NPS server.

      I added the below route to point my NPS server out of the management interface, but it is not showing under "ip route show table main"

      sys management-route NPS {
          gateway 10.24.18.1
          network 10.29.22.104/32
      }
      sys management-route default {
          description configured-statically
          gateway 10.24.18.1
          mtu 1500
          network default
      }

      config ip rule show

      0:      from all lookup local
      245:    from 10.24.18.11 lookup 245
      32766:  from all lookup main


    • wlopez

      Can you run the following command to list the routes on the management port?

      From bash: tmsh list /sys management-route

      or from tmsh: list /sys management-route


    • MCP200_297965

      Hi There,

      After adding the management route, from the firewall I can see traffic from the management interface hitting the NPS server, but I still can't authenticate via RADIUS.

      I've added all the config and made sure the NPS profile client IP is the management IP of the F5.

      I will run the command you have asked me to.


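As an added example (not posted in this thread and not F5 or Microsoft code), a small RFC 2865 PAP probe in Python 3 that binds to a chosen source address, such as the management IP, and reports whether the RADIUS server stays silent, replies with a bad Response Authenticator, or returns Access-Accept/Reject; server address, shared secret and credentials are placeholders you supply, and the server-side `make_response` helper is included only so the exchange can be exercised offline. This separates the cases the "failed to respond" log line lumps together: silence usually means routing/source IP, a firewall, or the client not being defined on the server, while a reject means the request did arrive.

```python
import hashlib, os, socket, struct
def _attr(attr_type, value):
    # RFC 2865 attribute: Type, Length (incl. this 2-byte header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def encode_pap_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out
def decode_pap_password(encoded, secret, authenticator):
    # Inverse of the above: the MD5 chain is keyed on the previous *ciphertext* block
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")
def build_access_request(ident, secret, username, password, nas_ip):
    # Code 1 = Access-Request; NAS-IP-Address (type 4) carries the source address we bind to
    auth = os.urandom(16)
    attrs = _attr(1, username) + _attr(2, encode_pap_password(password, secret, auth)) + _attr(4, socket.inet_aton(nas_ip))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs, auth
def make_response(code, ident, request_auth, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs
def response_valid(resp, request_auth, secret):
    # Client side: a bad Response Authenticator means a wrong shared secret (or a forged reply)
    if len(resp) < 20: return False
    body = resp[20:struct.unpack("!H", resp[2:4])[0]]  # trust the Length field, not datagram size
    return resp[4:20] == hashlib.md5(resp[:4] + request_auth + body + secret).digest()
def probe(server, secret, username, password, source_ip, port=1812, timeout=3.0):
    # Bind to source_ip (e.g. the management IP) so the request leaves with that address
    pkt, auth = build_access_request(1, secret, username, password, source_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((source_ip, 0))
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no response: routing/source IP, firewall, or client not defined on server"
    if not response_valid(resp, auth, secret):
        return "reply with bad Response Authenticator: shared secret mismatch?"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(resp[0], "code %d" % resp[0])
```

Run it from the BIG-IP as `probe("10.5.5.101", b"<secret>", b"<user>", b"<password>", "<management IP>")` once (and once with a self IP) to see which source address the server actually answers.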