Applies To:

Show Versions Show Versions

Manual Chapter: RADIUS User Authentication
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

RADIUS User Authentication

Use my RADIUS server to authenticate and authorize BIG-IQ users

F5® BIG-IQ® Centralized Management can verify user credentials against your company's RADIUS server. After you set up BIG-IQ to use your RADIUS server, you can add users and user groups authorized by that server.

Before integrating BIG-IQ with your RADIUS server for authentication and authorization

Before you set up BIG-IQ Centralized Management for authentication and authorization with your RADIUS server, gather the following information.

Required Information This is For my RADIUS server
Name The name of your RADIUS server.  
Host The IP address or host name of your RADIUS server.  
Port The port number of your RADIUS server.  
Secret The case-sensitive text string used to validate communication.  
Test user name and password A user name and password, authenticated on your RADIUS server.  
Key and Value properties for your RADIUS server The RADIUS server uses this for authentication and encryption.  

Set up BIG-IQ to use my RADIUS server for user authentication

Before you can set up authentication, you must have specified your DNS settings. You usually do this when you license F5 BIG-IQ Centralized Management.

You can set up BIG-IQ to use your company's RADIUS server. You can add two additional backup RADIUS servers in case the primary server is not available for authentication.

  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Auth Providers.
  3. Click the Add button.
  4. From the Provider Type list, select RADIUS.
  5. In the Name field, type a name for this new provider.
    This must be a unique name, and can be a maximum of 152 characters.
  6. For the Servers setting, In the Host and Port fields, type the RADIUS server's IP address (or fully qualified domain name) and port number for each of the servers you want to configure.

    The primary server is mandatory. A secondary server and tertiary server, which will be used if the primary or secondary servers fail, are optional.

  7. In the Secret field, type the case-sensitive text string used to validate communication.
  8. In the Test User and Test Password fields, type a user and password, then click the Test button to verify that BIG-IQ can reach the RADIUS server
  9. Click the Save & Close button at the bottom of the screen.
You can now associate RADIUS server users and groups with BIG-IQ system roles.

Update BIG-IQ dictionary with vendor-specific RADIUS attributes

You must have root access to the BIG-IQ system's command line through SSH for this procedure.

Some RADIUS deployments include non-standard, vendor-specific attributes in the dictionary files. For these deployments, you must update the BIG-IQ system's default dictionary.

  1. Copy the TinyRadius .jar file from the BIG-IQ system.
  2. Extract the contents of the TinyRadius .jar file.
  3. Update the file org/tinyradius/dictionary/default_dictionary file, by adding the vendor-specific attributes.
  4. Repack the contents into a new .jar file.
  5. Replace the old TinyRadius .jar on each BIG-IQ system with the new TinyRadius .jar file you created in step 4.

For example:

  1. From a Linux machine, copy the TinyRadius .jar file to your BIG-IQ system by typing: scp <big-iq-user>@<BIG-IQ-Address>:/usr/share/java/TinyRadius-1.0.jar ~/tmp/tinyrad-upgrade/
  2. Extract the file on your Linux Machine by typing: jar -xvf TinyRadius-1.0.jar
  3. Edit the org/tinyradius/dictionary/default_dictionary, adding the vendor-specific attribute.
    rm TinyRadius-1.0.jar
    jar cvf TinyRadius-1.0.jar *
    
    
  4. Update the jar on the BIG-IQ system by typing: scp TinyRadius-1.0.jar <your_user>@<BIG-IQ address>:/var/tmp/
  5. SSH to the BIG-IQ system and type the following commands:
    mount -o remount,rw /usr
    cp /var/tmp/TinyRadius-1.0.jar /usr/share/java
    mount -o remount,ro /usr
    bigstart restart restjavad
    
    
  6. Repeat steps 4 and 5 for each BIG-IQ in a HA configuration.
Now you can use the vendor-specific attributes RADIUS to create your user groups on BIG-IQ.

Add a user authenticated by my LDAP server and associate it with a role

If you want to add a user authenticated against your LDAP server, you first have to set up F5 BIG-IQ Centralized Management with your LDAP server settings.
Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of BIG-IQ by adding them as a user user and assigning the appropriate standardized role. You can assign as many roles as required to cover the user's responsibilities.
Important: You must associate this user with a LDAP-authenticated role, or authentication will fail.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users.
  3. Click the Add button.
  4. From the Auth Provider list, select LDAP.
  5. In the User Name and Full Name fields, type the names for this user.

    The full name can contain a combination of symbols, letters, numbers and spaces.

  6. In the Password and Confirm Password fields, type the password for this new locally-authenticated user.
    You can change the password any time.
  7. From the Available list, select each user role you want to associate it with this user, and move it to the Selected list.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  8. From the Available list, select each user role you want to associate it with this user, and move it to the Selected list.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  9. Click the Save & Close button.

Create a user group authorized by your RADIUS server

Before you can add a RADIUS-authenticated user group, you must set up BIG-IQ to use your company's RADIUS server for user authentication on the USER MANAGEMENT > Auth Providers screen
Create a user group to offer individual users the same privileges on F5 BIG-IQ Centralized Management. This user group will be authorized by your RADIUS server.
Important: If a user does not belong to a RADIUS-authenticated user group, authentication will fail.
  1. At the top of the screen, click System.
  2. At the left, click USER MANAGEMENT > USER GROUPS.
    The User Groups screen opens.
  3. Click the Add button.
  4. In the Name field, type a name for this new user group.
  5. From the Auth Provider list, select RADIUS.
  6. In the Key and Value fields, type the properties for your RADIUS server.
  7. From the User Roles list, select the user role you want to associate with this user.
    You aren't required to associate a user role at this point; you can do that later. If you want to add another user role, click +.
  8. Click the Save & Close button.
You can now associate users with this user group.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.

Additional Comments (optional)