Manual Chapter : Creating a RADIUS Authentication Configuration Profile

Applies To:


BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

Creating a RADIUS Authentication Configuration Profile

To configure the BIG-IP system as a RADIUS Authentication Server for privileged user access, create a RADIUS Authentication Configuration Profile in APM.
  1. On the Main tab, click Access > Ephemeral Authentication > RADIUS Authentication Configuration > Profile.
  2. Click Create.
  3. For Name, type a name for the RADIUS Authentication Configuration Profile.
  4. In the Client area, from the Available list, select the clients to associate with this profile and move them to the Selected list.
    You can add clients as needed by clicking + or using Access > Ephemeral Authentication > RADIUS Authentication Configuration > Client Configuration.
  5. For Shared Secret, type the RADIUS key used to secure communication between the RADIUS client and server.
  6. Select Enable RADIUS Attributes to include privilege levels in the Attribute Value Pairs in the RADIUS response.
    If you do not configure any RADIUS Clients and this is enabled, Cisco is used as the default.
  7. For RADIUS User Groups Session Variable, type the session variable that can be used to read RADIUS user groups. The default is session.custom.ephemeral.groups, and this variable must be specified in the access policy (in this example, it is added in the Variable Assign).
    The user groups provide information for calculating privilege levels in RADIUS Attribute Value Pairs. The system uses string comparison to match the user group, so the name must match exactly, including case.
  8. For Bypass User List, type the usernames of users that can skip ephemeral authentication, and click Add.
    If the names match, ephemeral authentication is skipped, and the request is forwarded directly to the backend RADIUS server (pool) where the user is authenticated.
  9. For Deny User List, add the usernames of users that will be refused access, and for whom RADIUS requests will fail.
  10. Click Save.
The RADIUS Authentication Configuration Profile is created.
Later you will need to link the RADIUS Authentication Configuration Profile and an Ephemeral Authentication Configuration (the same one associated with the Ephemeral Authentication virtual server) to a RADIUS virtual server.
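
A client-side check for steps 5 and 6, as an added example that is not part of the F5 documentation: it recomputes the RFC 2865 Response Authenticator with the shared secret and reads a privilege level from a Cisco-AVPair in an Access-Accept. The secret, the packet and the `shell:priv-lvl=N` attribute text are constructed sample values; that attribute format is the common Cisco convention and is assumed here, not taken from this page.

```python
import hashlib
import hmac
import struct

CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # enterprise number 9, sub-type 1 (Cisco-AVPair)
SECRET = b"constructed-secret"         # constructed sample shared secret
REQUEST_AUTH = bytes(range(16))        # constructed Request Authenticator

def cisco_avpair(text):
    """Encode a Vendor-Specific (type 26) attribute holding one Cisco-AVPair."""
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([26, 2 + len(body)]) + body

def build_accept(ident, request_auth, attrs, secret):
    """Constructed test input: an Access-Accept (code 2) signed per RFC 2865."""
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs

def verify_response(packet, request_auth, secret):
    """True if MD5(Code+ID+Length+RequestAuth+Attributes+Secret) matches."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    packet = packet[:length]           # drop any trailing padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def privilege_level(packet):
    """Return N from a 'shell:priv-lvl=N' Cisco-AVPair, or None if absent."""
    length = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                # malformed attribute, stop parsing
        value = packet[pos + 2:pos + alen]
        if (atype == 26 and len(value) >= 6 and value[4] == CISCO_AVPAIR
                and value[:4] == struct.pack("!I", CISCO_VENDOR_ID)):
            text = value[6:4 + value[5]].decode(errors="replace")
            key, _, level = text.partition("=")
            if key == "shell:priv-lvl" and level.isdigit():
                return int(level)
        pos += alen
    return None

PACKET = build_accept(7, REQUEST_AUTH, cisco_avpair("shell:priv-lvl=15"), SECRET)
```

Call `verify_response` before trusting `privilege_level`; a failed check on an otherwise well-formed response means the client and the profile hold different shared secrets or the packet was altered in transit.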