For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ghost-rider_124's avatar
ghost-rider_124
Icon for Nimbostratus rankNimbostratus
Dec 21, 2014
Solved

F5 Radius Authentication for admins

Hello Experts   I need to configure radius authentication for admin users on F5 LTM. The questions are:   1- When I configure radius server (system -> users -> authentication -> Change Local to...
application delivery
BIG-IP Access Policy Manager (APM)
deployment
LTM
security
  • nitass_89166's avatar
    nitass_89166
    Dec 22, 2014

    I want admin user authentication should be done locally and rest of users should through radius. Is that doable?

    If a remote authentication method is specified for system user accounts, the BIG-IP local database still authenticates the system maintenance accounts mentioned above. This ensures that if the remote authentication device is unreachable, the system maintenance accounts can still access the BIG-IP system.

    sol12173: Overview of BIG-IP administrative access controls

    https://support.f5.com/kb/en-us/solutions/public/12000/100/sol12173.html

    If user are on both local and radius and radius server is unreachable then user would be able to authenticate locally?

    no

    Also for permissions, can I use local user role? I mean radius is used only for authentication and for permissions local role group.

    yes (radius server is used for authentication but local user setting is used for authorization).

nitass_89166's avatar
nitass_89166
Icon for Noctilucent rankNoctilucent
Dec 21, 2014

1- When I configure radius server (system -> users -> authentication -> Change Local to Radius Server) then this radius server would be used for all users, locally configured on F5 ?

 

sol12173: Overview of BIG-IP administrative access controls

 

https://support.f5.com/kb/en-us/solutions/public/12000/100/sol12173.html

 

2- When user is configure locally and same user is also on radius then what would be the preference?

 

password is checked against radius but user setting locally is used.

 

3- How I can assign different permissions to different users through radius.

 

sol14324: Using F5 vendor-specific attributes with RADIUS authentication (11.x)

 

https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html

 

  • ghost-rider_124's avatar
    ghost-rider_124
    Icon for Nimbostratus rankNimbostratus
    Dec 22, 2014
    Thanks Nitass. That helps. My few questions are: 1- I want admin user authentication should be done locally and rest of users should through radius. Is that doable? Because when I change (system -> users -> authentication -> Change Local to Radius Server) it will apply for all users right? 2- If user are on both local and radius and radius server is unreachable then user would be able to authenticate locally? 3- Also for permissions, can I use local user role? I mean radius is used only for authentication and for permissions local role group. Appreciated your time and reply