Radius authentication failing for MGMT
Hi,
I am trying to set up RADIUS for the F5 management appliance. However, the logs show "server failed to respond". I've set up the RADIUS profile through System ›› Users : Authentication.
I am able to ping the RADIUS server from the F5 appliance and I can see the traffic on the firewall hitting the logs.
I have confirmed that on the RADIUS server a profile exists for the F5 appliance and the groups requiring access. Management interface existed.
The only thing I have noticed is that the F5 uses the selfip to communicate with RADIUS and not the management IP address. The RADIUS server profile is set to accept anything coming from the selfip.
Have I missed anything? Do I need anything under System ›› Users : Remote Role Groups?
Sep 8 08:53:54 AUNRE01-LBP02 err httpd[13309]: pam_radius_auth: RADIUS server 10.5.5.101 failed to respond
- Stanislas_Piro2
Cumulonimbus
Hi,
What BIG-IP version are you using?
- wlopez
Cirrocumulus
I'm guessing that you're probably using the default partition (Common) and route domain (0), that you have a default route configured in the network section of the BIG-IP, and that you have a default route for the management port. If that's the case, and you want authentication traffic to originate from the management port, you need to add static routes on the management port. By default BIG-IP prefers the default route for the default route domain (0) over the default one on the management port for traffic originating from the device, like NTP, SNMP traps, authentication, etc. If you want the traffic to originate from the management port's IP address, you must add the static routes through the CLI.
K13284: Overview of management interface routing (11.x - 12.x) https://support.f5.com/csp/article/K13284
K3669: Overview of management interface routing (9.x - 10.x) https://support.f5.com/csp/article/K3669
Hope this helps!
- MCP200_297965
Nimbostratus
Hi Guys, I am using BIG-IP 12.1.2 Build 1.0.271 Hotfix HF1
wlopez, I believe you're right on this. I see Partition Default Route Domain under the routing table with an ID of 0. Nothing in here is routing to my NPS server.
I added the below route to point my NPS server out of the management interface, but it is not showing under "ip route show table main".
sys management-route NPS {
    gateway 10.24.18.1
    network 10.29.22.104/32
}
sys management-route default {
    description configured-statically
    gateway 10.24.18.1
    mtu 1500
    network default
}
config ip rule show
0: from all lookup local
245: from 10.24.18.11 lookup 245
32766: from all lookup main
- wlopez
Cirrocumulus
Can you run the following command to list the routes on the management port?
From bash: tmsh list /sys management-route
or from tmsh: list /sys management-route
- MCP200_297965
Nimbostratus
Hi There,
After adding the management route, from the firewall I can see traffic from the management interface hitting the NPS server, but I still can't authenticate via RADIUS.
I've added all the config and made sure the NPS profile client IP is the management IP of the F5.
I will run the command you have asked me to.
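Added example (not part of the thread and not F5 code): a small Python check that parses the output of "tmsh list /sys management-route" and reports whether a given RADIUS server address is covered by a specific management route or only by the management default, which, as described in the thread, loses to the default route of route domain 0. The sample text is constructed from the addresses quoted in the thread; the function names are hypothetical and only IPv4 is handled.

```python
import ipaddress
import re

# Constructed sample in the format `tmsh list /sys management-route` prints,
# built from the addresses quoted in the thread.
SAMPLE = """
sys management-route NPS {
    gateway 10.24.18.1
    network 10.29.22.104/32
}
sys management-route default {
    description configured-statically
    gateway 10.24.18.1
    mtu 1500
    network default
}
"""

ROUTE_RE = re.compile(r"sys management-route (\S+) \{([^}]*)\}")

def parse_management_routes(text):
    """Return (name, network, gateway) tuples from tmsh list output."""
    routes = []
    for name, body in ROUTE_RE.findall(text):
        fields = dict(re.findall(r"(gateway|network) (\S+)", body))
        net = fields.get("network")
        if net is None:
            continue
        if net == "default":          # tmsh keyword for the IPv4 default
            net = "0.0.0.0/0"
        routes.append((name, ipaddress.ip_network(net, strict=False),
                       fields.get("gateway")))
    return routes

def covering_route(text, server_ip):
    """Most specific management route containing server_ip, or None."""
    addr = ipaddress.ip_address(server_ip)
    matches = [r for r in parse_management_routes(text) if addr in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen, default=None)

def uses_specific_management_route(text, server_ip):
    """True only when a non-default management route covers the server.
    Per the thread, a default-only match loses to the TMM default route,
    so the request would leave from a self IP instead."""
    route = covering_route(text, server_ip)
    return route is not None and route[1].prefixlen > 0
```

Run it against the server address that appears in the pam_radius_auth log line, since that is the address the device is actually contacting.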