dirken
Jun 15, 2016

How to change source address for different Radius requests to same Radius server

I am using APM as reverse proxy for different access methods, e.g. OWA, SSL-VPN etc., always using the same Radius server (Cisco ISE). I want the Radius server to react differently to my auth requests, depending on whether I want to authenticate for OWA or for SSL-VPN. Is there any possibility to - for example - change the sending source IP of the F5 so the Radius server can act upon it? Or maybe send some specific Radius attribute?

 

I thought the "nas ip" might do the trick, but this seems to be something completely different.

 

Cheers Dirk

 

10 Replies

  • Hi,

     

    You can define multiple Radius Virtual Servers and add a different Source NAT for each VS. Then, you apply a different VS IP to each Radius configuration.

     

    • dirken
      Hi Yann, this is not a VS for a Radius but an AAA item in APM, to authenticate users accessing completely different resources. So no VS, no such thing as a NAT pool. From the F5 point of view, this is self-initiated traffic.
    • Yann_Desmarest_
      Hi, As I told you, you can set up a Virtual Server and try to configure your AAA object with the IP address of the Virtual Server.
    • dirken
      Hi, I tried, but it seems that addressing a virtual server from inside the AAA object does not work with route domains, which is my case. Found some hints in this direction on the web. Could solve the problem with a redesign of the Radius/RSA infrastructure, however. Cheers Dirk