Manual Chapter: Configuring Multiple Authentication Servers
One of the features of the BIG-IP® system is its ability to authenticate local administrative traffic when user accounts are stored on a remote LDAP, RADIUS, or TACACS+ server. In fact, the BIG-IP system allows you to configure the use of not just one, but two remote servers for authenticating local administrative traffic. For most customers, this ability to configure one or two remote authentication servers is more than sufficient. However, there are two potential issues:
Some customers need more than two remote servers for local authentication.
During authentication, the BIG-IP system queries the servers in a certain order (server 1, then server 2) even when one or more servers are unavailable. This can lead to a TCP timeout occurring on every incoming connection, resulting in performance degradation.
To solve these problems, you can create virtual authentication servers. A virtual authentication server is a virtual server that you configure to act as an additional remote LDAP, RADIUS, or TACACS+ server. You can configure as many virtual authentication servers as you need.
First, you create a health monitor to monitor the server nodes and mark them as up or down.
You then create a server object (for RADIUS servers only) and an authentication configuration object.
Next, you create a load-balancing pool, where multiple authentication servers are members of that pool and are monitored with the monitor you previously created. For those server nodes marked as down, the BIG-IP system refrains from querying them during authentication.
Finally, you create a virtual authentication server, associate it with the pool of servers, and configure your applications to target that virtual server.
Note: As an alternative to associating the pool with the virtual server, you can associate the pool with each proxy or authentication source directly.
The remainder of this chapter describes how to successfully create a multiple authentication server configuration. For example purposes only, the information is written for RADIUS servers, but it applies to LDAP or TACACS+ servers also, except for some minor differences: If your servers are LDAP or TACACS+ servers, any information about RADIUS secrets does not apply. Also, you should replace any mention of a RADIUS configuration object with an LDAP or TACACS+ configuration object. Finally, you can ignore any information that pertains to a RADIUS server object.
The RADIUS secret must be the same for all RADIUS servers.
The address of the virtual server that you create to reference the RADIUS pool cannot be a loopback address.
The virtual server that references the RADIUS pool must be in the same VLAN as the RADIUS servers.
For example, if the RADIUS server addresses are 10.1.1.10 and 10.1.1.11 and reside in the VLAN internal, then you must associate the RADIUS pool with a virtual server that is routable to those addresses (such as 10.1.1.99). This causes the source address of the RADIUS traffic to be the self IP address of VLAN internal, rather than the virtual server address.
To create a multiple RADIUS server configuration, you need to configure a few local-traffic objects. Table 27.1 shows these objects, as well as the Configuration utility screens you use to create these objects. Note that the screens are all available in the Configuration utility from Main tab, under Local Traffic. For additional information on using these screens, see the online help.
[Table 27.1: local-traffic objects and the Configuration utility screen used to create each; only the column header "Configuration utility screen" survives from the table]
Figure 27.1 shows relevant sample entries in the bigip.conf file.
As seen in Figure 27.1, you configure these BIG-IP system objects:
A RADIUS monitor named my_radius_monitor.
A RADIUS server object named system_auth_name1 with IP address and port 10.1.1.99:1645.
A RADIUS configuration object named system-auto that references the RADIUS server object.
A pool named radius_pool that references the RADIUS monitor and contains two pool members (10.1.1.10:1812 and 10.1.1.12:1645).
Note that port 1812 is the registered port number for the RADIUS service.
A virtual authentication server named radius_virtual_server that references the pool radius_pool and uses the same IP address and port as the RADIUS server object.
Note that this virtual server is defined on the same VLAN as the RADIUS servers in the pool.
Once you have added entries to the bigip.conf file that are similar to those in the above example, you can use the virtual server as a virtual remote authentication server.
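As an added illustration (not the chapter's Figure 27.1, which is not reproduced here), the objects listed above written out in tmsh configuration syntax. The object names, addresses and ports come from this chapter; the monitor credentials, the shared secret, the interval/timeout values and the exact attribute names are assumptions to be checked against the BIG-IP version in use.

```tmsh
# Health monitor: sends a RADIUS Access-Request with a dedicated, low-privilege
# monitoring account and marks a member down when no valid reply arrives.
# A down member is skipped, so a dead server no longer costs a timeout per login.
ltm monitor radius my_radius_monitor {
    defaults-from radius
    interval 10
    timeout 31
    username MONITOR_USER_PLACEHOLDER
    password MONITOR_PASSWORD_PLACEHOLDER
    secret SHARED_SECRET_PLACEHOLDER   # must match the secret on every RADIUS server
}

# Pool of the real RADIUS servers, checked by the monitor above.
# Members and ports as listed in the chapter (1812 is the registered RADIUS port).
ltm pool radius_pool {
    members {
        10.1.1.10:1812 { address 10.1.1.10 }
        10.1.1.12:1645 { address 10.1.1.12 }
    }
    monitor my_radius_monitor
}

# Virtual authentication server on VLAN internal, routable to the pool members
# and not a loopback address; RADIUS is UDP, so a UDP profile is applied.
ltm virtual radius_virtual_server {
    destination 10.1.1.99:1645
    ip-protocol udp
    profiles { udp { } }
    pool radius_pool
    vlans { internal }
    vlans-enabled
}

# RADIUS server object pointing at the virtual server rather than at any
# single backend, and the configuration object that references it.
auth radius-server system_auth_name1 {
    server 10.1.1.99
    port 1645
    secret SHARED_SECRET_PLACEHOLDER
}
auth radius system-auth {
    servers { system_auth_name1 }
}
```

The secret and monitor credentials should be supplied from your credential store rather than typed into a shared configuration file, and the monitoring account should be permitted to do nothing beyond answering the health check.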