Manual Chapter : Configuring Remote RADIUS Authentication

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 14.1.0, 14.0.1, 14.0.0

BIG-IP Analytics

  • 14.1.0, 14.0.1, 14.0.0

BIG-IP PEM

  • 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 14.1.0, 14.0.1, 14.0.0

BIG-IP AAM

  • 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 14.1.0, 14.0.1, 14.0.0
Manual Chapter

Configuring Remote RADIUS Authentication

Overview of remote authentication for application traffic

As an administrator in a large computing environment, you can set up the BIG-IP® system to use this server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:
  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-in User Service (RADIUS)
  • TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
  • Online Status Certificate Protocol (OCSP)
  • Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

About RADIUS profiles

The BIG-IP® system includes a profile type that you can use to load balance Remote Authentication Dial-In User Service (RADIUS) traffic.
When you configure a RADIUS type of profile, the BIG-IP system can send client-initiated RADIUS messages to load balancing servers. The BIG-IP system can also ensure that those messages are persisted on the servers.

Task summary for RADIUS authentication of application traffic

To configure remote authentication for RADIUS traffic, you must create a configuration object and a profile that correspond to the RADIUS authentication server you are using to store your user accounts. You must also create a third type of object. This object is referred to as a server object.

Creating a RADIUS server object for authenticating application traffic remotely

A
RADIUS server object
represents the remote RADIUS server that the BIG-IP system uses to access authentication data.
  1. On the Main tab of the navigation pane, click
    Local Traffic
    Profiles
    .
  2. From the Authentication menu, choose
    RADIUS Servers
    .
  3. Click
    Create
    .
  4. In the
    Name
    field, type a unique name for the server object, such as
    my_radius_server
    .
  5. In the
    Host
    field, type the host name or IP address of the RADIUS server.
  6. In the
    Service Port
    field, type the port number for RADIUS authentication traffic, or retain the default value (
    1812
    ).
  7. In the
    Secret
    field, type the secret key used to encrypt and decrypt packets sent or received from the server.
  8. In the
    Confirm Secret
    field, re-type the secret you specified in the
    Secret
    field.
  9. In the
    Timeout
    field, type a timeout value, in seconds, or retain the default value (
    3
    ).
  10. Click
    Finished
    .
You now have a RADIUS server object that the RADIUS configuration object can reference.

Creating a RADIUS configuration object for authenticating application traffic remotely

The BIG-IP system configuration must include at least one RADIUS server object.
You use a RADIUS authentication module when your authentication data is stored on a remote RADIUS server. A
RADIUS configuration object
specifies information that the BIG-IP system needs to perform the remote authentication.
  1. On the Main tab of the navigation pane, click
    Local Traffic
    Profiles
    .
  2. From the Authentication menu, choose
    Configurations
    .
  3. Click
    Create
    .
  4. In the
    Name
    field, type a unique name for the configuration object, such as
    my_radius_config
    .
  5. From the
    Type
    list, select
    RADIUS
    .
  6. For the
    RADIUS Servers
    setting, select a RADIUS server name in the
    Available
    list, and using the Move button, move the name to the
    Selected
    list.
  7. In the
    Client ID
    field, type a string for the system to send in the
    Network Access Server (NAS)-Identifier
    RADIUS attribute.
  8. Click
    Finished
    .
You now have a RADIUS configuration object that a RADIUS profile can reference.

Creating a custom RADIUS profile

The next task in configuring RADIUS-based remote authentication on the BIG-IP® system is to create a custom RADIUS profile.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Authentication
    Profiles
    .
    The Profiles list screen opens.
  2. Click
    Create
    .
    The New Authentication Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. Select
    RADIUS
    from the
    Type
    list.
  5. Select
    radius
    in the
    Parent Profile
    list.
  6. Select the RADIUS configuration object that you created from the
    Configuration
    list.
  7. Click
    Finished
    .
The custom RADIUS profile appears in the
Profiles
list.

Modifying a virtual server for RADIUS authentication

The final task in the process of implementing authentication using a remote RADIUS server is to assign the custom RADIUS profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of a virtual server.
  3. From the
    Configuration
    list, select
    Advanced
    .
  4. For the
    Authentication Profiles
    setting, in the
    Available
    field, select a custom RADIUS profile, and using the
    Move
    button, move the custom RADIUS profile to the
    Selected
    field.
  5. Click
    Update
    to save the changes.
The virtual server is assigned the custom RADIUS profile.