Applies To:
Show VersionsBIG-IP APM
- 13.1.3, 13.1.1, 13.1.0
About RADIUS authentication
Access Policy Manager® supports authenticating and authorizing the client against external RADIUS servers. When a client connects with the user name and password, Access Policy Manager authenticates against the external server on behalf of the client, and authorizes the client to access resources if the credentials are valid.
How RADIUS works
- The client requests access to network resources through Access Policy Manager.
- Access Policy Manager then issues a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access.
- The RADIUS server then processes the request, and issues one of three responses to Access Policy Manager: Access Accept, Access Challenge, or Access Reject.
About AAA high availability
Using AAA high availability with Access Policy Manager® (APM®), you can configure multiple authentication servers to process requests, so that if one authentication server goes down or loses connectivity, the others can resume authentication requests, and new sessions can be established, as usual.
APM supports the following AAA servers for high availability: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+. APM supports high availability by providing the option to create a pool of server connections when you configure the supported type of AAA server.
Guidelines for setting up RADIUS authentication for AAA high availability
When you use RADIUS as the authentication method for AAA high availability, there are general guidelines that you must follow when you set up your server connections.
- In a non-high availability environment, both the Direct and Use Pool options use the self IP address as a source IP address of the packet reaching the RADIUS server. For this scenario, you just need to add one IP address to the RADIUS allowed IP list to achieve this.
- In a high availability environment where the Use Pool option is used, the floating self IP address is used as a source IP of the RADIUS packet reaching the back-end. For this scenario, you need to add one self IP address (which is floating self IP address) to the RADIUS allowed IP list because the IP address is used even after a failover occurs.
- In a high availability environment where the Direct option is used, the self IP address is used as a source IP address of the RADIUS packet reaching the back-end. In this scenario, you need to add the self IP address from both active and standby devices to the RADIUS allowed IP list so that when failover occurs, the self IP address from the second device is accepted by the RADIUS server.
About how APM handles binary values in RADIUS attributes
For RADIUS authentication, Access Policy Manager® (APM®) converts an attribute value to hex if it contains unprintable characters, or if it is the class attribute. APM converts the class attribute to hex even if it contains only printable values (by attribute type). No other attributes are encoded to hex if they do not contain unprintable characters.
An attribute with a single unprintable value
1bf80e04.session.radius.last.attr.class 62 / 0x54230616000001370001ac1d423301caa87483dadf740000000000000007
Attribute with multiple values, both printable and unprintable (binary)
243be90d.session.radius.last.attr.class 119 0x6162636465666768696 / a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483 / dadf740000000000000006
An attribute type that does not require hex encoding with both printable and unprintable values
3888eb70.session.radius.last.attr.login-lat-group 37 / 0x6d7920bda12067726f757032 | mygroup1
In this case, only values that are unprintable are encoded to hex.
Task summary for RADIUS authentication
This task list includes all steps required to set up this configuration. If you add RADIUS authentication to an existing access policy, you already have an access profile configured and the access policy might already include a logon access policy item.
Task list
Configuring a RADIUS AAA server in APM
Creating an access profile
Verifying log settings for the access profile
Using RADIUS authentication in an access policy
Creating a virtual server
Testing AAA high availability for supported authentication servers
- Begin a tcpdump on the Access Policy Manager®, using a protocol analyzer, and scanning for packets destined for the specific port for your authentication server.
- Log in to the virtual server with both servers active.
- Using the tcpdump records, verify that the requests are being sent to the higher priority server.
- Log out of the virtual server.
- Disable the higher-priority server.
- Log in to the virtual server again.
- Verify that the request is being sent to the other server.
- Log out again, re-enabling the server, and try one more time to verify that the new requests are being sent to the high priority server.
RADIUS attributes
The following table lists the specific RADIUS attributes that Access Policy Manager® sends with RADIUS requests.
Attribute | Purpose |
---|---|
User-Name | Indicates the name of the authenticated user. |
User-Password | Indicates the password of the authenticated user. |
NAS-IP-Address | Indicates the identifying IP Address of the NAS. |
NAS-IPv6-Address | Indicates the identifying IPv6 Address of the NAS. |
NAS-Identifier | Indicates the identifying name of the NAS . |
Service-Type | Indicates the type of service the user has requested. |
NAS-Port | Indicates the physical port number of the NAS that is authenticating the user. |
RADIUS session variables for access policy rules
When the RADIUS Auth access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the RADIUS authentication access policy item and for a logon access policy item.
Session variables for RADIUS
Session Variable | Description |
---|---|
session.RADIUS.last.result | Provides the result of the RADIUS authentication. The available values are:
|
session.RADIUS.last.attr.$attr_name | $attr_name is a value that represents the user’s attributes received during RADIUS authentication. Each attribute is converted to separate session variables. |
session.RADIUS.last.errmsg | Displays the error message for the last login. If
session.RADIUS.last.result is set to 0, then
session.RADIUS.last.errmsg might be useful for troubleshooting
purposes. Example:
c76a50c0.session.RADIUS.last.errmsg 13 Access-Reject |
Common session variables
Session Variable | Description |
---|---|
session.logon.last.username | Provides user credentials. The username string is stored after encrypting, using the system's client key. |
session.logon.last.password | Provides user credentials. The password string is stored after encrypting, using the system's client key. |
RADIUS authentication and accounting troubleshooting tips
You might run into problems with RADIUS authentication and accounting in some instances. Follow these tips to try to resolve any issues you might encounter.
RADIUS authentication and accounting access policy action troubleshooting
Possible error messages | Possible explanations and actions |
---|---|
Authentication failed due to timeout |
|
Authentication failed due to RADIUS access reject |
|
Additional troubleshooting tips for RADIUS authentication and accounting
Action | Steps |
---|---|
Check to see if your access policy is attempting to perform authentication |
Note: Make sure that your log level is set to the appropriate level. The default
log level is notice.
|
Check the RADIUS Server configuration |
|
Confirm network connectivity |
|
Capture a TCP dump |
Important: If you decide to escalate the issue to customer support, you must
provide a capture of the TCP dump when you encounter authentication issues that you cannot
otherwise resolve on your own.
|