Forum Discussion

frednurk_225332
Feb 22, 2016

Freeradius auth for LTM V11.5.1

Guys am running out of inspiration here and hoping you may be able to help. I have set up a FreeRadius server which is successfully authenticating Linux systems and Cisco devices.

I have added the config for F5 to the radius server and verified it's triggering correctly for my test user. e.g. (radiusd log extract)

    Mon Feb 22 14:39:35 2016 : Debug: rlm_perl: Added pair Auth-Type = PAP
    Mon Feb 22 14:39:35 2016 : Info: ++[perl] = ok
    Mon Feb 22 14:39:35 2016 : Info: +}  group post-auth = ok
    Sending Access-Accept of id 161 to 192.168.1.90 port 27260
        Cisco-AVPair = "shell:priv-lvl=15"
        F5-LTM-User-Shell = "tmsh"
        F5-LTM-User-Info-1 = "F5-admin"
        F5-LTM-User-Role = Administrator
        F5-LTM-User-Partition = "Common"
    Mon Feb 22 14:39:35 2016 : Info: Finished request 25.

I've then followed the recipe at https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html and believe I have things set right. tmsh shows this when listing the auth section:

    auth radius system-auth {
        servers {
            system_auth_name1
        }
    }
    auth radius-server system_auth_name1 {
        secret $M$q5$0UFrYg9zh5kLp7xkZOb2vZpgAPggyDPoWmjeIgF5F1I=
        server 192.168.1.56
    }
    auth remote-role {
        role-info {
            F5-admin {
                attribute F5-LTM-User-Info-1=F5-admin
                console %F5-LTM-User-Shell
                line-order 1001
                role %F5-LTM-User-Role
                user-partition %F5-LTM-User-Partition
            }
        }
    }

Trying to log in as my test user sadly yields no good outcome, in spite of the log from the radius server showing it sending an Access-Accept packet with the relevant F5 attributes included.

So I guess my question is whether there is a log file I've been unable to find on the LTM itself which might let me know what I'm doing wrong.

This or any other thoughts would be greatly appreciated.

Enno.
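To check the same data the post is working with, here is an added example (not from the original post or from F5) that pulls the attribute pairs out of a radiusd "Sending Access-Accept" block and applies the remote-role role-info rule the way the %-references in the tmsh config imply, reporting any referenced attribute the reply does not carry. The log sample is constructed from the extract above, and the rule tuple layout is this example's own assumption.

```python
import re
# Constructed sample: the Access-Accept from the radiusd debug extract in the post.
RADIUSD_LOG = """\
Sending Access-Accept of id 161 to 192.168.1.90 port 27260
    Cisco-AVPair = "shell:priv-lvl=15"
    F5-LTM-User-Shell = "tmsh"
    F5-LTM-User-Info-1 = "F5-admin"
    F5-LTM-User-Role = Administrator
    F5-LTM-User-Partition = "Common"
Mon Feb 22 14:39:35 2016 : Info: Finished request 25.
"""
# The tmsh role-info rule as (line-order, attribute match, fields); a leading %
# means "take the value from that attribute in the RADIUS reply" (assumed layout).
ROLE_INFO = [(1001, "F5-LTM-User-Info-1=F5-admin",
              {"role": "%F5-LTM-User-Role", "console": "%F5-LTM-User-Shell",
               "user-partition": "%F5-LTM-User-Partition"})]
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_access_accept(log):
    # Collect the indented attribute lines that follow "Sending Access-Accept".
    attrs, in_reply = {}, False
    for line in log.splitlines():
        if line.startswith("Sending Access-Reject"):
            return None  # the server refused the user; no attributes to apply
        if line.startswith("Sending Access-Accept"):
            in_reply = True
        elif in_reply:
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
            elif line and not line[0].isspace():
                break  # unindented line: the reply block has ended
    return attrs

def resolve_role(attrs, role_info):
    # Rules in line-order; first attribute match wins. Returns (fields, missing %refs).
    for _, match, fields in sorted(role_info, key=lambda r: r[0]):
        name, _, value = match.partition("=")
        if attrs.get(name) != value:
            continue
        out, missing = {}, []
        for key, tmpl in fields.items():
            if not tmpl.startswith("%"):
                out[key] = tmpl
            elif tmpl[1:] in attrs:
                out[key] = attrs[tmpl[1:]]
            else:
                missing.append(tmpl[1:])
        return out, missing
    return None, []
```

A non-empty `missing` list is the quickest sign that a rule matched but the reply lacks an attribute the rule substitutes, which the LTM would otherwise leave unset.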

  • Well I think I know what's going on. The full answer appears to be that much of the Radius functionality in the BIG-IP is mediated by the APM add-on module. Absent this module, a minimal form of Radius only is supported.


    In the minimal form, the account you want to log in to must already exist as a local account on the system, including most of the things mediated by the 'extra' F5-LTM-* attributes in the radius response. The LTM then checks against Radius for the password credential only, essentially overriding what is in the local configuration. This extends to logins in the Advanced shell, which report "-- ERROR -- The user enno is currently authenticated from a remote source. Please change the password at the remote authentication server." if you try to use the POSIX 'passwd' command from the command line. That's obviously a good thing, as it will serve to reduce confusion around where you are changing your password and potentially why changes did or didn't take effect.


    If APM is indeed the name of my pain, I suspect the https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html page should be updated to indicate that APM is a prerequisite. Currently it's silent on that topic.