Manual Chapter : Creating a RADIUS Client Configuration

Applies To:

BIG-IP APM

  • 16.0.0

Creating a RADIUS Client Configuration

To configure the BIG-IP system as a RADIUS Authentication Server for privileged user access, create RADIUS Client Configurations in APM. Create a client configuration for each vendor supported by the backend resources.
  1. On the Main tab, click Access > Ephemeral Authentication > RADIUS Authentication Configuration > Client Configuration.
  2. Click Create.
  3. For Name, type a name for the RADIUS Client Configuration.
  4. For NASIP, type the Network Access Server IP Address of the RADIUS Authentication Client. Both IPv4 and IPv6 IP addresses are supported.
    You create separate client configurations for each vendor needed; multiple client configurations with different NAS IPs can target the same vendor as well (for example, this helps with setting SSH session access permissions).
    This NAS IP can be configured as an AVP (Attribute Value Pair in the backend resource configuration file) as part of the RADIUS access request. All backend resources with the same NAS IP are uniquely mapped to one RADIUS client configuration.
  5. From the Vendor list, select the vendor name for the RADIUS Authentication Client; select from CISCO, BLUECOAT, F5, JUNIPER, or PALOALTO.
  6. For Host Group:
    1. After Host Group, type the name of a host group.
    2. For Privilege Level, specify a number that indicates the privilege level of the group.
    3. Click Add.
      The name is added to a list that shows the host group name with the privilege level appended to it. Create as many host groups as needed for your location.
    Host groups determine the user access levels. The privilege levels correspond to the numbers mentioned in vendor-specific standards. As a best practice, you can maintain common host group names across all client configurations (privilege levels can differ according to vendor standards). Host groups are published as part of the access policy session parameter in the Variable Assignment agent, where you might see this assignment:
    session.custom.ephemeral.groups = return {root_level;manager_level;viewer_level }
  7. Click Save.
  8. Create as many RADIUS Authentication Configuration Profiles as needed for the vendors that are supported.
The RADIUS Client Configuration is created. You will need to specify the clients in the RADIUS Authentication Configuration Profile.
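
The mapping rule from step 4 (one NAS IP resolves to exactly one client configuration), modelled here as an added example; it is not F5 or APM code. The attribute numbers for NAS-IP-Address (type 4, RFC 2865) and NAS-IPv6-Address (type 95, RFC 3162) are standard; the function names, the dict layout and the sample configurations are assumptions made for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4      # RFC 2865 attribute type
NAS_IPV6_ADDRESS = 95   # RFC 3162 attribute type

def build_access_request(nas_ip, user=b"admin"):
    """Build a minimal Access-Request (constructed sample, zeroed authenticator)."""
    ip = ipaddress.ip_address(nas_ip)
    nas_type = NAS_IP_ADDRESS if ip.version == 4 else NAS_IPV6_ADDRESS
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((1, user), (nas_type, ip.packed)))
    return struct.pack("!BBH16s", 1, 1, 20 + len(attrs), bytes(16)) + attrs

def nas_ip_from_request(packet):
    """Return the NAS IP carried in an Access-Request, or None if absent."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != b"\x01" or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if (a_type, len(value)) in ((NAS_IP_ADDRESS, 4), (NAS_IPV6_ADDRESS, 16)):
            return ipaddress.ip_address(value)
        pos += a_len
    return None

def index_by_nas_ip(client_configs):
    """Index configs by NAS IP, rejecting a NAS IP claimed by two configs."""
    index = {}
    for cfg in client_configs:
        ip = ipaddress.ip_address(cfg["nas_ip"])
        if ip in index:
            raise ValueError(f"NAS IP {ip} used by {index[ip]['name']} and {cfg['name']}")
        index[ip] = cfg
    return index

def match_client_config(packet, index):
    """Return the client config whose NAS IP matches the request, else None."""
    return index.get(nas_ip_from_request(packet))

# Constructed sample configurations (hypothetical names and documentation addresses).
SAMPLE_CONFIGS = [
    {"name": "cisco_core", "nas_ip": "192.0.2.10", "vendor": "CISCO"},
    {"name": "juniper_edge", "nas_ip": "2001:db8::10", "vendor": "JUNIPER"},
]
```

Running `index_by_nas_ip` over a planned set of client configurations before entering them catches a NAS IP that two configurations would both claim.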