Applies To:
BIG-IP LTM
- 13.1.0, 13.0.1, 13.0.0
Overview of remote authentication for application traffic
As an administrator in a large computing environment, you can set up the BIG-IP® system to use a remote authentication server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-in User Service (RADIUS)
- TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
- Online Certificate Status Protocol (OCSP)
- Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.
About RADIUS profiles
The BIG-IP® system includes a profile type that you can use to load balance Remote Authentication Dial-In User Service (RADIUS) traffic.
When you configure a RADIUS type of profile, the BIG-IP system can send client-initiated RADIUS messages to load balancing servers. The BIG-IP system can also ensure that those messages are persisted on the servers.
Task summary for RADIUS authentication of application traffic
To configure remote authentication for RADIUS traffic, you must create a configuration object and a profile that correspond to the RADIUS authentication server you are using to store your user accounts. You must also create a third type of object. This object is referred to as a server object.
Task list
Creating a RADIUS server object for authenticating application traffic remotely
- On the Main tab of the navigation pane, click .
- From the Authentication menu, choose RADIUS Servers.
- Click Create.
- In the Name field, type a unique name for the server object, such as my_radius_server.
- In the Host field, type the host name or IP address of the RADIUS server.
- In the Service Port field, type the port number for RADIUS authentication traffic, or retain the default value (1812).
- In the Secret field, type the secret key used to encrypt and decrypt packets sent or received from the server.
- In the Confirm Secret field, re-type the secret you specified in the Secret field.
- In the Timeout field, type a timeout value, in seconds, or retain the default value (3).
- Click Finished.
Creating a RADIUS configuration object for authenticating application traffic remotely
- On the Main tab of the navigation pane, click .
- From the Authentication menu, choose Configurations.
- Click Create.
- In the Name field, type a unique name for the configuration object, such as my_radius_config.
- From the Type list, select RADIUS.
- For the RADIUS Servers setting, select a RADIUS server name in the Available list, and using the Move button, move the name to the Selected list.
- In the Client ID field, type a string for the system to send in the Network Access Server (NAS)-Identifier RADIUS attribute.
- Click Finished.