Manual Chapter: Configuring Remote RADIUS Authentication
Applies To: BIG-IP LTM 15.0.1, 15.0.0
Overview of remote authentication for application traffic
As an administrator in a large computing environment, you can set up the BIG-IP® system to use a remote authentication server to authenticate
network traffic passing through the BIG-IP system. This type of traffic passes through a virtual
server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers
typically use one of these protocols:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-in User Service (RADIUS)
- TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
- Online Certificate Status Protocol (OCSP)
- Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must
create a configuration object and a profile that correspond to the type of authentication server
you are using to store your user accounts. For example, if your remote authentication server is
an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a
RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object.
For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP
authentication, this object is referred to as an OCSP responder.
About RADIUS profiles
The BIG-IP® system includes a profile type that you can use to load
balance Remote Authentication Dial-In User Service (RADIUS) traffic.
When you configure a RADIUS type of profile, the BIG-IP system can send client-initiated RADIUS messages to load balancing servers, and can persist those messages so that a given client's messages keep going to the same server. Note that this load-balancing profile is distinct from the RADIUS authentication profile created later in this chapter; the authentication profile makes the BIG-IP system act as a RADIUS client that authenticates traffic passing through a virtual server.
Task summary for RADIUS authentication of application traffic
To configure remote authentication for RADIUS traffic, you must create a configuration object
and a profile that correspond to the RADIUS authentication server you are using to store your
user accounts. You must also create a third type of object. This object is referred to as a
server object.
Creating a RADIUS server object for authenticating application traffic remotely
A RADIUS server object represents the remote RADIUS server that the BIG-IP system uses to access authentication data.
- On the Main tab of the navigation pane, click Local Traffic > Profiles.
- From the Authentication menu, choose RADIUS Servers.
- Click Create.
- In the Name field, type a unique name for the server object, such as my_radius_server.
- In the Host field, type the host name or IP address of the RADIUS server.
- In the Service Port field, type the port number for RADIUS authentication traffic, or retain the default value (1812).
- In the Secret field, type the shared secret that the RADIUS server has configured for this client. RADIUS uses the shared secret to obfuscate the User-Password attribute and to authenticate the server's response; it does not encrypt the rest of the packet, so other attributes (such as User-Name and NAS-Identifier) cross the network in clear text unless the path to the server is otherwise protected.
- In the Confirm Secret field, re-type the secret you specified in the Secret field.
- In the Timeout field, type a timeout value, in seconds, or retain the default value (3).
- Click Finished.
You now have a RADIUS server object that the RADIUS configuration object can reference.
Creating a RADIUS configuration object for authenticating application traffic remotely
Before you begin, make sure that the BIG-IP system configuration includes at least one RADIUS server object.
You use a RADIUS authentication module when your authentication data is stored on a remote RADIUS server. A RADIUS configuration object specifies the information that the BIG-IP system needs to perform the remote authentication.
- On the Main tab of the navigation pane, click Local Traffic > Profiles.
- From the Authentication menu, choose Configurations.
- Click Create.
- In the Name field, type a unique name for the configuration object, such as my_radius_config.
- From the Type list, select RADIUS.
- For the RADIUS Servers setting, select a RADIUS server name in the Available list, and using the Move button, move the name to the Selected list.
- In the Client ID field, type the string for the system to send in the NAS-Identifier RADIUS attribute (Network Access Server Identifier, attribute type 32). The RADIUS server can use this value to identify the BIG-IP system as the requesting client.
- Click Finished.
You now have a RADIUS configuration object that a RADIUS profile can reference.
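The two objects above supply the shared secret, service port and NAS-Identifier that the BIG-IP system puts on the wire as a RADIUS client. The following is an added example, not code from the F5 documentation or the BIG-IP product, that shows what those settings do inside one RFC 2865 Access-Request/Access-Accept exchange: how the shared secret hides the User-Password attribute and authenticates the server's reply, and which attributes stay in clear text. Both sides run in process (no UDP is sent); the user store, the secrets and the NAS-Identifier value bigip-ltm-1 are constructed for the example.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
RADIUS_AUTH_PORT = 1812  # default Service Port of the BIG-IP RADIUS server object


def _attr(atype, value):
    """Encode one type-length-value attribute; the length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(body):
    """Decode the attribute list that follows the 20-byte RADIUS header."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_id, secret, authenticator=None):
    """Client side (the BIG-IP role): an Access-Request carrying User-Name,
    User-Password and NAS-Identifier (the Client ID from the configuration object)."""
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def server_respond(request, secret, users):
    """Server side: validate the request, reveal the password and answer Accept or Reject.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("malformed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    resp_code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    resp_attrs = b""  # no reply attributes in this example
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def verify_response(response, request, secret):
    """Client side: return (code, authentic). A reply whose authenticator does not match
    must be treated as forged or as a shared-secret mismatch, whatever its code says."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return code, False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code, expected == response[4:20]


def run_exchange(username, password, nas_id, client_secret, server_secret, users, ident=7):
    """One request/response round trip in process; returns (code, authentic)."""
    request = build_access_request(ident, username, password, nas_id, client_secret)
    response = server_respond(request, server_secret, users)
    return verify_response(response, request, client_secret)


if __name__ == "__main__":
    users = {b"alice": b"s3cret!"}  # constructed user store held by the "RADIUS server"
    print(run_exchange(b"alice", b"s3cret!", b"bigip-ltm-1", b"shared", b"shared", users))  # Accept, authentic
    print(run_exchange(b"alice", b"wrong", b"bigip-ltm-1", b"shared", b"shared", users))    # Reject, authentic
    print(run_exchange(b"alice", b"s3cret!", b"bigip-ltm-1", b"shared", b"typo", users))    # Reject, not authentic
```

The third call is the case a practitioner meets when the Secret field on the BIG-IP system does not match the server: the server reveals garbage instead of the password and rejects, and the Response Authenticator fails verification on the client side, so the client cannot distinguish the reply from a forgery. Parsing the request also shows that User-Name and NAS-Identifier are readable by anyone on the path; only the User-Password attribute is obfuscated, and only with MD5, which is why the transport to the RADIUS server should itself be trusted or protected.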
Creating a custom RADIUS profile
The next task in configuring RADIUS-based remote authentication on the BIG-IP® system is to create a custom RADIUS profile.
- On the Main tab, click Local Traffic > Profiles > Authentication. The Profiles list screen opens.
- Click Create. The New Authentication Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select RADIUS from the Type list.
- Select radius in the Parent Profile list.
- Select the RADIUS configuration object that you created from the Configuration list.
- Click Finished.
The custom RADIUS profile appears in the Profiles list.
Modifying a virtual server for RADIUS authentication
The final task in the process of implementing
authentication using a remote RADIUS server is to assign the custom RADIUS profile to a
virtual server that is configured to process HTTP traffic (that is, a virtual server to
which an HTTP profile is assigned).
- On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
- Click the name of a virtual server.
- From the Configuration list, select Advanced.
- For the Authentication Profiles setting, in the Available field, select a custom RADIUS profile, and using the Move button, move the custom RADIUS profile to the Selected field.
- Click Update to save the changes.
The virtual server is assigned the custom RADIUS profile.