Forum Discussion

Cirrus

Oct 18, 2023

Solved

F5 BigIP v.15 integration with Windows 2016 NPS

I am trying to sort out the F5 attributes within a Windows 2016 NPS server. I have the Azure MFA prompts working however due to unset attributes within NPS my admin AD user is not permitted to login into the F5 ADMIN page.

Need better understanding on how to configure vendor specific attributes to allow users in as ADMIN, Operator, READONLY. Currently I have a condition set to an AD sec. group within the network policy which we have used in the past with the LDAP connector.

Tried the F5 KB articles but cannot make sense of how this would be configured on the Windows NPS server side. Thank you.

security

viziony
Oct 20, 2023
I was able to get this to finally work using a combination of articles here :
https://my.f5.com/manage/s/article/K14324
https://community.f5.com/t5/technical-forum/how-to-add-f5-vendor-specific-radius-attirbutes-to-windows-2008/td-p/26713
You want your Windows NPS server to return the attribute value of 0 (0=admin or whatever # using the F5 VSA article) to F5 BIGIP to let that user in.
Here are some screen shots of the network policy.
You want to define the vendor code to 3375 (F5)
You want to set the vendor-assigned attribute number to 1 which the F5 line for the user role (that can be found in that f5 article) :
ATTRIBUTE F5-LTM-User-Role 1 integer
You want that vendor-assigned attribute number of 1 to pass the DECIMAL value of 0 which is the admin level to the load balancer.

3 Replies

Leslie_Hubertus
Ret. Employee
Oct 19, 2023
viziony - the article How I did It - “Integrating Azure MFA with the BIG-IP” might help, and if not the author may be able to help
viziony
Cirrus
Oct 20, 2023
I was able to get this to finally work using a combination of articles here :
https://my.f5.com/manage/s/article/K14324
https://community.f5.com/t5/technical-forum/how-to-add-f5-vendor-specific-radius-attirbutes-to-windows-2008/td-p/26713
You want your Windows NPS server to return the attribute value of 0 (0=admin or whatever # using the F5 VSA article) to F5 BIGIP to let that user in.
Here are some screen shots of the network policy.
You want to define the vendor code to 3375 (F5)
You want to set the vendor-assigned attribute number to 1 which the F5 line for the user role (that can be found in that f5 article) :
ATTRIBUTE F5-LTM-User-Role 1 integer
You want that vendor-assigned attribute number of 1 to pass the DECIMAL value of 0 which is the admin level to the load balancer.
- Leslie_Hubertus
  Ret. Employee
  Oct 20, 2023
  Thanks for sharing your solution so future users can see what to do!

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

F5 BigIP v.15 integration with Windows 2016 NPS

3 Replies

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

Disastser Recovery

F5 breaking Exchange authentication

Dump all host running services during APM logon

External Data Group Import Failing.

Can F5 restrict the file types transferred via FTP?

Related Content

Integrating the F5 BIGIP with Azure Sentinel

Identity-centric F5 ADSP Integration Walkthrough

Re: BigIP Report

Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator

F5 BIG-IP AFM and FireMon Integration Guide

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS