Forum Discussion
ghost-rider_124
Nimbostratus
NimbostratusF5 Radius Authentication for admins
Hello Experts
I need to configure radius authentication for admin users on F5 LTM. The questions are:
1- When I configure radius server (system -> users -> authentication -> Change Local to Radius Server) then this radius server would be used for all users, locally configured on F5 ? I need some users should be able to authenticate locally, like admin account, So if radius is unreachable then I should have one account to login locally.
2- When user is configure locally and same user is also on radius then what would be the preference?
3- How I can assign different permissions to different users through radius.
Kindly give your inputs
I want admin user authentication should be done locally and rest of users should through radius. Is that doable?
If a remote authentication method is specified for system user accounts, the BIG-IP local database still authenticates the system maintenance accounts mentioned above. This ensures that if the remote authentication device is unreachable, the system maintenance accounts can still access the BIG-IP system.sol12173: Overview of BIG-IP administrative access controls
https://support.f5.com/kb/en-us/solutions/public/12000/100/sol12173.htmlIf user are on both local and radius and radius server is unreachable then user would be able to authenticate locally?
no
Also for permissions, can I use local user role? I mean radius is used only for authentication and for permissions local role group.
yes (radius server is used for authentication but local user setting is used for authorization).
nitass_89166Noctilucent
1- When I configure radius server (system -> users -> authentication -> Change Local to Radius Server) then this radius server would be used for all users, locally configured on F5 ?
sol12173: Overview of BIG-IP administrative access controls
https://support.f5.com/kb/en-us/solutions/public/12000/100/sol12173.html2- When user is configure locally and same user is also on radius then what would be the preference?
password is checked against radius but user setting locally is used.
3- How I can assign different permissions to different users through radius.
sol14324: Using F5 vendor-specific attributes with RADIUS authentication (11.x)
https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html- ghost-rider_124Thanks Nitass. That helps. My few questions are: 1- I want admin user authentication should be done locally and rest of users should through radius. Is that doable? Because when I change (system -> users -> authentication -> Change Local to Radius Server) it will apply for all users right? 2- If user are on both local and radius and radius server is unreachable then user would be able to authenticate locally? 3- Also for permissions, can I use local user role? I mean radius is used only for authentication and for permissions local role group. Appreciated your time and reply
nitassEmployee
1- When I configure radius server (system -> users -> authentication -> Change Local to Radius Server) then this radius server would be used for all users, locally configured on F5 ?
sol12173: Overview of BIG-IP administrative access controls
https://support.f5.com/kb/en-us/solutions/public/12000/100/sol12173.html2- When user is configure locally and same user is also on radius then what would be the preference?
password is checked against radius but user setting locally is used.
3- How I can assign different permissions to different users through radius.
sol14324: Using F5 vendor-specific attributes with RADIUS authentication (11.x)
https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html- ghost-rider_124Thanks Nitass. That helps. My few questions are: 1- I want admin user authentication should be done locally and rest of users should through radius. Is that doable? Because when I change (system -> users -> authentication -> Change Local to Radius Server) it will apply for all users right? 2- If user are on both local and radius and radius server is unreachable then user would be able to authenticate locally? 3- Also for permissions, can I use local user role? I mean radius is used only for authentication and for permissions local role group. Appreciated your time and reply
- nitass_89166
I want admin user authentication should be done locally and rest of users should through radius. Is that doable?
If a remote authentication method is specified for system user accounts, the BIG-IP local database still authenticates the system maintenance accounts mentioned above. This ensures that if the remote authentication device is unreachable, the system maintenance accounts can still access the BIG-IP system.sol12173: Overview of BIG-IP administrative access controls
https://support.f5.com/kb/en-us/solutions/public/12000/100/sol12173.htmlIf user are on both local and radius and radius server is unreachable then user would be able to authenticate locally?
no
Also for permissions, can I use local user role? I mean radius is used only for authentication and for permissions local role group.
yes (radius server is used for authentication but local user setting is used for authorization).
- ghost-rider_124Thank you
- nitass
I want admin user authentication should be done locally and rest of users should through radius. Is that doable?
If a remote authentication method is specified for system user accounts, the BIG-IP local database still authenticates the system maintenance accounts mentioned above. This ensures that if the remote authentication device is unreachable, the system maintenance accounts can still access the BIG-IP system.sol12173: Overview of BIG-IP administrative access controls
https://support.f5.com/kb/en-us/solutions/public/12000/100/sol12173.htmlIf user are on both local and radius and radius server is unreachable then user would be able to authenticate locally?
no
Also for permissions, can I use local user role? I mean radius is used only for authentication and for permissions local role group.
yes (radius server is used for authentication but local user setting is used for authorization).
- ghost-rider_124Thank you