Manual Chapter :
RADIUS Authentication
Applies To:
Show VersionsBIG-IP APM
- 14.0.1, 14.0.0
RADIUS Authentication
About RADIUS authentication
Access Policy Manager supports authenticating and authorizing the
client against external RADIUS servers. When a client connects with the user name and
password, Access Policy Manager authenticates against the external server on behalf of
the client, and authorizes the client to access resources if the credentials are
valid.
- The client requests access to network resources through Access Policy Manager.
- Access Policy Manager then issues aRADIUS Access Requestmessage to the RADIUS server, requesting authorization to grant access.
- The RADIUS server then processes the request, and issues one of three responses to Access Policy Manager:Access Accept,Access Challenge, orAccess Reject.
About AAA high
availability
Using AAA high availability with Access Policy Manager (APM®), you can configure multiple
authentication servers to process requests, so that if one authentication server goes down or
loses connectivity, the others can resume authentication requests, and new sessions can be
established, as usual.
Although
new authentications fail if the BIG-IP® system loses
connectivity to the server, existing sessions are unaffected provided that they do not attempt to
re-authenticate.
APM supports the following AAA servers for high availability: RADIUS, Active
Directory, LDAP, CRLDP, and TACACS+. APM supports high availability by providing the option to
create a pool of server connections when you configure the supported type of AAA server.
If you use
AAA with pools, such as RADIUS pools or Active Directory pools, APM assigns each pool member with
a different number for the pool member's priority group value. APM must define each pool member
with a different priority group because AAA load balancing is not used. The priority group number
increases automatically with each created pool member. Alternative AAA pool configurations can be
defined manually using the full flexibility of Local Traffic Manager (LTM) if load balancing is
desired.
Guidelines for setting up RADIUS authentication for AAA high availability
When you use RADIUS as the authentication method for AAA high availability, there are general
guidelines that you must follow when you set up your server connections.
- In a non-high availability environment, both theDirectandUse Pooloptions use the self IP address as a source IP address of the packet reaching the RADIUS server. For this scenario, you just need to add one IP address to the RADIUS allowed IP list to achieve this.
- In a high availability environment where theUse Pooloption is used, the floating self IP address is used as a source IP of the RADIUS packet reaching the back-end. For this scenario, you need to add one self IP address (which is floating self IP address) to the RADIUS allowed IP list because the IP address is used even after a failover occurs.
- In a high availability environment where theDirectoption is used, the static self IP address is used as a source IP address of the RADIUS packet reaching the back-end. In this scenario, you need to add the self IP address from both active and standby devices to the RADIUS allowed IP list so that when failover occurs, the self IP address from the second device is accepted by the RADIUS server.
About how APM handles
binary values in RADIUS attributes
For RADIUS authentication, Access
Policy Manager (APM) converts an attribute value
to hex if it contains unprintable characters, or if it is the
class
attribute. APM converts the class attribute to hex even if it contains only
printable values (by attribute type). No other attributes are encoded to hex if they do not
contain unprintable characters. An attribute with a
single unprintable value
1bf80e04.session.radius.last.attr.class 62 / 0x54230616000001370001ac1d423301caa87483dadf740000000000000007
Attribute with
multiple values, both printable and unprintable (binary)
243be90d.session.radius.last.attr.class 119 0x6162636465666768696 / a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483 / dadf740000000000000006
An attribute type
that does not require hex encoding with both printable and unprintable values
3888eb70.session.radius.last.attr.login-lat-group 37 / 0x6d7920bda12067726f757032 | mygroup1
In this case, only values that are unprintable are encoded to hex.
Configuring RADIUS authentication
If you add RADIUS
authentication to an existing access policy, you already have an access profile configured and
the access policy might already include a logon access policy item.
Configuring a RADIUS
AAA server in APM
The
Access Policy Manager (APM) is a network access server (NAS) that operates as a client of the
server configured here.
- On the Main tab, click.The RADIUS servers screen opens.
- ClickCreate.The New Server properties screen opens.
- In theNamefield, type a unique name for the authentication server.
- For theModesetting, selectAuthentication.
- For theServer Connectionsetting, select one of these options:When configuring a RADIUS AAA server that is located in a nondefault route domain, you must selectUse Pooland specify the pool containing the RADIUS server.
- SelectUse Poolto set up high availability for the AAA server.
- SelectDirectto set up the AAA server for standalone functionality.
- If you selectedUse Pool, type a name in theServer Pool Namefield.You create a pool of servers on this screen.
- Provide the addresses required for your server connection:
- If you selectedDirect, type an IP address in theServer Addressfield.
- If you selectedUse Pool, for each pool member you want to add, type an IP address in theServer Addressesfield and clickAdd.When you configure a pool, you have the option to type the server address in route domain format:.IPAddress%RouteDomain
- In theAuthentication Service Portfield, type the authentication port number of your server. The default is1812.
- In theSecretfield, type the shared secret password of the server.
- In theConfirm Secretfield, re-type the shared secret password of the server.
- ClickFinished.The new server displays on the list.
The
new AAA server displays on the RADIUS Servers list.
Creating an access profile
You create an access profile to provide the access policy configuration for a
virtual server that establishes a secured session.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen opens.
- ClickCreate.The New Profile screen opens.
- In theNamefield, type a name for the access profile.A access profile name must be unique among all access profile and any per-request policy names.
- From theProfile Typelist, select one these options:
- LTM-APM: Select for a web access management configuration.
- SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
- ALL: Select to support LTM-APM and SSL-VPN access types.
- SSO: Select to configure matching virtual servers for Single Sign-On (SSO).No access policy is associated with this type of access profile
- RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
- SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
- SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
- System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
- Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile.You can edit Identity Service profile properties.
Depending on licensing, you might not see all of these profile types.Additional settings display. - In the Language Settings area, add and remove accepted languages, and set the default language.A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
- ClickFinished.
The access profile displays in the Access Profiles
List. Default-log-setting is assigned to the access profile.
Verifying log settings for the access profile
Confirm that the correct log settings are selected
for the access profile to ensure that events are logged as you intend.
Log settings
are configured in the
area of the product. They enable and disable logging for access
system and URL request filtering events. Log settings also specify log publishers
that send log messages to specified destinations. - On the Main tab, click.The Access Profiles (Per-Session Policies) screen opens.
- Click the name of the access profile that you want to edit.The properties screen opens.
- On the menu bar, clickLogs.The access profile log settings display.
- Move log settings between theAvailableandSelectedlists.You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.Logging is disabled when theSelectedlist is empty.
- ClickUpdate.
An access profile is in effect when it is assigned to a virtual server.
Using RADIUS authentication in an access policy
You configure an access policy with a RADIUS Auth action to provide RADIUS authentication
as one of authentication options for users trying to gain accesss.
You can use
RADIUS authentication in addition to other authentication types. You can require that users pass
at least one type of authentication or that they pass multiple types of authentication.
- On the Main tab, click.The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click theEditlink for the access profile you want to configure.The visual policy editor opens the access policy in a separate screen.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- On the Logon tab, selectLogon Pageand click theAdd Itembutton.The Logon Page Agent properties screen opens.
- Make any changes that you require to the logon page properties and clickSave.The properties screen closes and the policy displays.
- Click the(+)icon anywhere in the access policy to add a new item.Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- From the Authentication tab, selectRADIUS Authand clickAdd Item.The popup screen closes. A Properties popup screen opens.
- On the Properties popup screen from theAAA Serverlist, select the AAA RADIUS server you configured previously and clickSave.The popup screen closes and the visual policy editor displays.
- Complete the policy:
- Add any additional policy items you require.
- Change the ending fromDenytoAllowon any access policy branch on which you want to grant access.
- ClickApply Access Policyto save your configuration.
This creates an access policy that collects user credentials and uses them to authenticate
with a RADIUS server.
To apply this access policy to network
traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your
requirements, verify the log settings for the access profile.
Creating a virtual
server for an access policy
When creating a virtual server for an access policy, specify an IP address for a single
host as the destination address.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- For theDestination Address/Masksetting, confirm that theHostbutton is selected, and type the IP address in CIDR format.The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is10.0.0.1or10.0.0.0/24, and an IPv6 address/prefix isffe1::0020/64or2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.The IP address you type must be available and not in the loopback network.
- In theService Portfield:
- If you want to specify a single service port or all ports, confirm that thePortbutton is selected, and type or select a service port.
- If you want to specify multiple ports other than all ports, select thePort Listbutton, and confirm that the port list that you previously created appears in the box.
- From theHTTP Profile (Client)list, select a previously-created HTTP/2 profile for client-side traffic.
- If you use server SSL for this connection, from theSSL Profile (Server)list, select a server SSL profile.
- If you use client SSL for this profile, from theSSL Profile (Client)list, select a client SSL profile.
- In the Access Policy area, from theAccess Profilelist, select the access profile that you configured earlier.
- From theConnectivity Profilelist, select a connectivity profile.You can select the default connectivity profile,connectivityif you have not defined a specific profile for the traffic that is directed to this virtual server.
- ClickFinished.
You have configured a host virtual server and associated an access profile with it.
Testing AAA high availability for supported authentication servers
To effectively test that high availability works for your authentication servers, you
should have two servers that are accessible, where you can remove one of them from the
network.
High availability is supported for these authentication server types
only: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+.
If you configured a supported authentication server type to use a pool of connection
servers, you can test the configuration using these steps.
- Begin atcpdumpon the Access Policy Manager, using a protocol analyzer, and scanning for packets destined for the specific port for your authentication server.
- Log in to the virtual server with both servers active.
- Using thetcpdumprecords, verify that the requests are being sent to the higher priority server.
- Log out of the virtual server.
- Disable the higher-priority server.
- Log in to the virtual server again.
- Verify that the request is being sent to the other server.
- Log out again, re-enabling the server, and try one more time to verify that the new requests are being sent to the high priority server.
RADIUS attributes
The following table lists the specific RADIUS attributes that Access
Policy Manager sends with RADIUS requests.
Attribute | Purpose |
---|---|
User-Name
| Indicates the name of the authenticated user. |
User-Password
| Indicates the password of the authenticated user. |
NAS-IP-Address
| Indicates the identifying IP Address of the NAS. |
NAS-IPv6-Address
| Indicates the identifying IPv6 Address of the NAS. |
NAS-Identifier
| Indicates the identifying name of the NAS . |
Service-Type
| Indicates the type of service the user has requested. |
NAS-Port
| Indicates the physical port number of the NAS that is authenticating the user. |
RADIUS session variables for access policy rules
When the RADIUS Auth access policy item runs, it populates session variables which are
then available for use in access policy rules. The tables list the session variables for the
RADIUS authentication access policy item and for a logon access policy item.
Session variables for RADIUS
Session Variable |
Description |
---|---|
session.RADIUS.last.result
|
Provides the result of the RADIUS authentication. The available values are:
|
session.RADIUS.last.attr.$attr_name
|
$attr_name is a value that represents the user’s attributes
received during RADIUS authentication. Each attribute is converted to separate session
variables. |
session.RADIUS.last.errmsg
|
Displays the error message for the last login. If
session.RADIUS.last.result is set to 0, then
session.RADIUS.last.errmsg might be useful for troubleshooting
purposes. Example:
|
Common session variables
Session Variable |
Description |
---|---|
session.logon.last.username
|
Provides user credentials. The username string is stored after
encrypting, using the system's client key. |
session.logon.last.password
|
Provides user credentials. The password string is stored after
encrypting, using the system's client key. |
RADIUS authentication and accounting troubleshooting tips
You might run into problems with RADIUS authentication and accounting in some instances.
Follow these tips to try to resolve any issues you might encounter.
RADIUS authentication and accounting access policy action
troubleshooting
Possible error messages |
Possible explanations and actions |
---|---|
Authentication failed due to timeout |
|
Authentication failed due to RADIUS access reject |
|
Additional troubleshooting tips for RADIUS authentication and
accounting
Action |
Steps |
---|---|
Check to see if your access policy is attempting to perform authentication |
Make sure that your log level is set to the appropriate level. The default
log level is notice . |
Check the RADIUS Server configuration |
|
Confirm network connectivity |
|
Capture a TCP dump |
If you decide to escalate the issue to customer support, you must
provide a capture of the TCP dump when you encounter authentication issues that you cannot
otherwise resolve on your own. |