Manual Chapter : RADIUS Authentication

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.5.1
Manual Chapter

About RADIUS authentication

Access Policy Manager supports authenticating and authorizing the client against external RADIUS servers. When a client connects with the user name and password, Access Policy Manager authenticates against the external server on behalf of the client, and authorizes the client to access resources if the credentials are valid.

How RADIUS works How RADIUS works
  • The client requests access to network resources through Access Policy Manager.
  • Access Policy Manager then issues a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access.
  • The RADIUS server then processes the request, and issues one of three responses to Access Policy Manager: Access Accept, Access Challenge, or Access Reject.

About AAA high availability

Using AAA high availability with Access Policy Manager (APM), you can configure multiple authentication servers to process requests, so that if one authentication server goes down or loses connectivity, the others can resume authentication requests, and new sessions can be established, as usual.

Note: Although new authentications fail if the BIG-IP system loses connectivity to the server, existing sessions are unaffected provided that they do not attempt to re-authenticate.

APM supports the following AAA servers for high availability: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+. APM supports high availability by providing the option to create a pool of server connections when you configure the supported type of AAA server.

Note: If you use AAA with pools, such as RADIUS pools or Active Directory pools, APM assigns each pool member with a different number for the pool member's priority group value. Since APM does not support AAA load balancing, APM must define each pool member with a different priority group. The priority group number increases automatically with each created pool member.

Guidelines for setting up RADIUS authentication for AAA high availability

When you use RADIUS as the authentication method for AAA high availability, there are general guidelines that you must follow when you set up your server connections.

  • In a non-high availability environment, both the Direct and Use Pool options use the self IP address as a source IP address of the packet reaching the RADIUS server. For this scenario, you just need to add one IP address to the RADIUS allowed IP list to achieve this.
  • In a high availability environment where the Use Pool option is used, the floating self IP address is used as a source IP of the RADIUS packet reaching the back-end. For this scenario, you need to add one self IP address (which is floating self IP address) to the RADIUS allowed IP list because the IP address is used even after a failover occurs.
  • In a high availability environment where the Direct option is used, the self IP address is used as a source IP address of the RADIUS packet reaching the back-end. In this scenario, you need to add the self IP address from both active and standby devices to the RADIUS allowed IP list so that when failover occurs, the self IP address from the second device is accepted by the RADIUS server.

About how APM handles binary values in RADIUS attributes

For RADIUS authentication, Access Policy Manager (APM) converts an attribute value to hex if it contains unprintable characters, or if it is the class attribute. APM converts the class attribute to hex even if it contains only printable values (by attribute type). No other attributes are encoded to hex if they do not contain unprintable characters.

Case 1:

Handling of attributes with single value:

1bf80e04.session.radius.last.attr.class 62 / 0x54230616000001370001ac1d423301caa87483dadf740000000000000007

Case 2:

Handling of attributes with multiple values (mix of binary and non-binary values):

243be90d.session.radius.last.attr.class 119 0x6162636465666768696 / a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483 / dadf740000000000000006

If the attribute type does not require hex encoding, and some of the values are unprintable, then only those value(s) are encoded to hex.

3888eb70.session.radius.last.attr.login-lat-group 37 / 0x6d7920bda12067726f757032 | mygroup1

Task summary for RADIUS authentication

This task list includes all steps required to set up this configuration. If you add RADIUS authentication to an existing access policy, you already have an access profile configured and the access policy might already include a logon access policy item.

Task list

Configuring a RADIUS AAA server in APM

The Access Policy Manager (APM) is a network access server (NAS) that operates as a client of the server configured here.
  1. On the Main tab, click Access Policy > AAA Servers. The AAA Servers list screen opens.
  2. On the Main tab, click Access Policy > AAA Servers > RADIUS. The RADIUS Servers screen displays.
  3. Click Create. The New Server properties screen opens.
  4. In the Name field, type a unique name for the authentication server.
  5. For the Mode setting, select Authentication.
  6. For the Server Connection setting, select one of these options:
    • Select Use Pool to set up high availability for the AAA server.
    • Select Direct to set up the AAA server for standalone functionality.
  7. If you selected Use Pool, type a name in the Server Pool Name field. You create a pool of servers on this screen.
  8. Provide the addresses required for your server connection:
    • If you selected Direct, type an IP address in the Server Address field.
    • If you selected Use Pool, for each pool member you want to add, type an IP address and click Add.
      Note: When you configure a pool, you have the option to type the server address in route domain format: IPAddress%RouteDomain.
  9. In the Authentication Service Port field, type the authentication port number of your server. The default is 1812.
  10. In the Secret field, type the shared secret password of the server.
  11. In the Confirm Secret field, re-type the shared secret password of the server.
  12. Click Finished. The new server displays on the list.
The new AAA server displays on the RADIUS Servers list.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile.
  4. From the Profile Type list, select one:
    • APM-LTM - Select for a web access management configuration.
    • SSO - Select only when you do not need to configure an access policy.
    • SWG - Explicit - Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent - Select to configure access using Secure Web Gateway transparent forward proxy.
    • SSL-VPN - Select for other types of access, such as network access, portal access, application access. (Most access policy items are available for this type.)
    • ALL - Select for any type of access.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
This creates an access profile with a default access policy.

Using RADIUS authentication in an access policy

You configure an access policy with a RADIUS Auth action to provide RADIUS authentication as one of authentication options for users trying to gain accesss.
Note: You can use RADIUS authentication in addition to other authentication types. You can require that users pass at least one type of authentication or that they pass multiple types of authentication.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the logon page properties and click Save. The properties screen closes and the visual policy editor displays.
  6. Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  7. From the Authentication tab, select RADIUS Auth and click Add Item. The popup screen closes. A Properties popup screen opens.
  8. On the Properties popup screen from the AAA Server listselect the AAA RADIUS server you configured previously and click Save. The popup screen closes and the visual policy editor displays.
  9. Complete the access policy:
    1. Add any additional access policy items you require.
    2. Change the ending from Deny to Allow on any access policy branch on which you want to grant access.
  10. Click Apply Access Policy to save your configuration.
This creates an access policy that collects user credentials and uses them to authenticat with a RADIUS server..
For an access policy to go into effect on network traffic, you must add the access profile to a virtual server.

Creating a virtual server

When creating a virtual server for an access policy, specify that the virtual server is a host virtual server, and not a network virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  5. In the Service Port field, type a port number or select a service name from the Service Port list.
  6. From the HTTP Profile list, select http.
  7. If you use server SSL for this connection, from the SSL Profile (Server) list, select a server SSL profile.
  8. If you use client SSL for this profile, from the SSL Profile (Client) list, select a client SSL profile.
  9. In the Access Policy area, from the Access Profile list, select the access profile.
  10. From the Connectivity Profile list, select a connectivity profile. You can select the default connectivity profile, connectivity if you have not defined a specific profile for the traffic that is directed to this virtual server.
  11. Click Finished.
You have configured a host virtual server and associated an access profile with it.

Testing AAA high availability for supported authentication servers

To effectively test that high availability works for your authentication servers, you should have two servers that are accessible, where you can remove one of them from the network.
Note: High availability is supported for these authentication server types only: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+.
If you configured a supported authentication server type to use a pool of connection servers, you can test the configuration using these steps.
  1. Begin a tcpdump on the Access Policy Manager, using a protocol analyzer, and scanning for packets destined for the specific port for your authentication server.
  2. Log in to the virtual server with both servers active.
  3. Using the tcpdump records, verify that the requests are being sent to the higher priority server.
  4. Log out of the virtual server.
  5. Disable the higher-priority server.
  6. Log in to the virtual server again.
  7. Verify that the request is being sent to the other server.
  8. Log out again, re-enabling the server, and try one more time to verify that the new requests are being sent to the high priority server.

RADIUS attributes

The following table lists the specific RADIUS attributes that Access Policy Manager sends with RADIUS requests.

Attribute Purpose
User-Name Indicates the name of the authenticated user.
User-Password Indicates the password of the authenticated user.
NAS-IP-Address Indicates the identifying IP Address of the NAS.
NAS-IPv6-Address Indicates the identifying IPv6 Address of the NAS.
NAS-Identifier Indicates the identifying name of the NAS .
Service-Type Indicates the type of service the user has requested.
NAS-Port Indicates the physical port number of the NAS that is authenticating the user.

RADIUS session variables for access policy rules

When the RADIUS Auth access policy item runs, it populates session variables which are then available for use in access policy rules. The tables list the session variables for the RADIUS authentication access policy item and for a logon access policy item.

Session variables for RADIUS

Session Variable Description
session.RADIUS.last.result Provides the result of the RADIUS authentication. The available values are:
  • 0: Failed
  • 1: Passed
session.RADIUS.last.attr.$attr_name $attr_name is a value that represents the user’s attributes received during RADIUS authentication. Each attribute is converted to separate session variables.
session.RADIUS.last.errmsg Displays the error message for the last login. If session.RADIUS.last.result is set to 0, then session.RADIUS.last.errmsg might be useful for troubleshooting purposes. Example: c76a50c0.session.RADIUS.last.errmsg 13 Access-Reject

Common session variables

Session Variable Description
session.logon.last.username Provides user credentials. The username string is stored after encrypting, using the system's client key.
session.logon.last.password Provides user credentials. The password string is stored after encrypting, using the system's client key.

RADIUS authentication and accounting troubleshooting tips

You might run into problems with RADIUS authentication and accounting in some instances. Follow these tips to try to resolve any issues you might encounter.

RADIUS authentication and accounting access policy action troubleshooting

Possible error messages Possible explanations and actions
Authentication failed due to timeout
  • Verify that Access Policy Manager is configured as a client on the RADIUS server.
  • You might have encountered a general network connection problem.
Authentication failed due to RADIUS access reject
  • Verify that the shared secret on the RADIUS server is valid.
  • Verify that user credentials are entered correctly.

Additional troubleshooting tips for RADIUS authentication and accounting

Action Steps
Check to see if your access policy is attempting to perform authentication
  • Add message boxes to your access policy to display information about what the access policy is attempting to do.
  • Refer to/var/log/apm to view authentication and accounting attempts by the access policy.
Note: Make sure that your log level is set to the appropriate level. The default log level is notice.
Check the RADIUS Server configuration
  • Confirm that the Access Policy Manager is registered as a RADIUS client. Since the Access Policy Manager makes requests from the self IP address to the RADIUS server for authentication requests, the address of the self-IP address should be registered as a RADIUS client.
  • Check the RADIUS logs and check for any errors.
Confirm network connectivity
  • Access the BIG-IP system through the command line interface and check your connectivity by pinging the RADIUS server using the host entry in the AAA Server box.
  • Confirm that the RADIUS port 1812 is not blocked between the Access Policy Manager and the RADIUS server.
Capture a TCP dump
  • Take a TCP dump from the Access Policy Manager when authentication attempts are made. For example, %TCP dump-i 1.1 -s /tmp/dump. You must first determine what interface the self IP address is on. These TCP dumps indicate activities between the Access Policy Manager and the authentication server.
  • Run the authentication test. After authentication fails, stop the TCP dump, download the TCP dump records to a client system, and use an analyzer to troubleshoot.
Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.