Forum Discussion

Cirrus

Oct 18, 2023

F5 BigIP v.15 integration with Windows 2016 NPS

I am trying to sort out the F5 attributes within a Windows 2016 NPS server. I have the Azure MFA prompts working however due to unset attributes within NPS my admin AD user is not permitted to login into the F5 ADMIN page.

Need better understanding on how to configure vendor specific attributes to allow users in as ADMIN, Operator, READONLY. Currently I have a condition set to an AD sec. group within the network policy which we have used in the past with the LDAP connector.

Tried the F5 KB articles but cannot make sense of how this would be configured on the Windows NPS server side. Thank you.

security

viziony
Oct 20, 2023
I was able to get this to finally work using a combination of articles here :
https://my.f5.com/manage/s/article/K14324
https://community.f5.com/t5/technical-forum/how-to-add-f5-vendor-specific-radius-attirbutes-to-windows-2008/td-p/26713
You want your Windows NPS server to return the attribute value of 0 (0=admin or whatever # using the F5 VSA article) to F5 BIGIP to let that user in.
Here are some screen shots of the network policy.
You want to define the vendor code to 3375 (F5)
You want to set the vendor-assigned attribute number to 1 which the F5 line for the user role (that can be found in that f5 article) :
ATTRIBUTE F5-LTM-User-Role 1 integer
You want that vendor-assigned attribute number of 1 to pass the DECIMAL value of 0 which is the admin level to the load balancer.

Leslie_Hubertus
Ret. Employee
Oct 19, 2023
viziony - the article How I did It - “Integrating Azure MFA with the BIG-IP” might help, and if not the author may be able to help
viziony
Cirrus
Oct 20, 2023
I was able to get this to finally work using a combination of articles here :
https://my.f5.com/manage/s/article/K14324
https://community.f5.com/t5/technical-forum/how-to-add-f5-vendor-specific-radius-attirbutes-to-windows-2008/td-p/26713
You want your Windows NPS server to return the attribute value of 0 (0=admin or whatever # using the F5 VSA article) to F5 BIGIP to let that user in.
Here are some screen shots of the network policy.
You want to define the vendor code to 3375 (F5)
You want to set the vendor-assigned attribute number to 1 which the F5 line for the user role (that can be found in that f5 article) :
ATTRIBUTE F5-LTM-User-Role 1 integer
You want that vendor-assigned attribute number of 1 to pass the DECIMAL value of 0 which is the admin level to the load balancer.
- Leslie_Hubertus
  Ret. Employee
  Oct 20, 2023
  Thanks for sharing your solution so future users can see what to do!

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

F5 BigIP v.15 integration with Windows 2016 NPS

Recent Discussions

Which process is consuming higher CPU

F5 Health Monitor Receive String as JSON

Background Tasks

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

Re: BigIP Report

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Windows Critical RCE Vulnerability, Malicious Solana-py, and EDRKillShifter

Integrate BIG-IP with AWS CloudWAN Service Insertion

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS