F5 BigIP v.15 integration with Windows 2016 NPS

viziony
Cirrus

I am trying to sort out the F5 attributes within a Windows 2016 NPS server. I have the Azure MFA prompts working; however, due to unset attributes within NPS, my admin AD user is not permitted to log in to the F5 ADMIN page.

Need a better understanding of how to configure vendor-specific attributes to allow users in as ADMIN, Operator, READONLY. Currently I have a condition set to an AD sec. group within the network policy, which we have used in the past with the LDAP connector.

Tried the F5 KB articles but cannot make sense of how this would be configured on the Windows NPS server side. Thank you. 

1 ACCEPTED SOLUTION

viziony
Cirrus

I was able to finally get this to work using a combination of the articles here:

https://my.f5.com/manage/s/article/K14324

https://community.f5.com/t5/technical-forum/how-to-add-f5-vendor-specific-radius-attirbutes-to-windo...

You want your Windows NPS server to return the attribute value of 0 (0=admin or whatever # using the F5 VSA article) to F5 BIGIP to let that user in. 

Here are some screenshots of the network policy.

You want to define the vendor code to 3375 (F5)

You want to set the vendor-assigned attribute number to 1, which is the F5 line for the user role (that can be found in that F5 article):

ATTRIBUTE F5-LTM-User-Role 1 integer

You want that vendor-assigned attribute number of 1 to pass the DECIMAL value of 0, which is the admin level, to the load balancer.

Screenshot 2023-10-20 at 2.06.54 PM.png

Screenshot 2023-10-20 at 2.07.00 PM.png
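
To check in a packet capture that NPS is actually returning the attribute described in the solution above, the following added example (not part of the original post and not F5 or Microsoft code) encodes and decodes the Vendor-Specific attribute for vendor 3375, attribute number 1. It assumes NPS sends the VSA in the RFC 2865 recommended layout; the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS attribute type that carries VSAs (RFC 2865)
F5_VENDOR_ID = 3375        # vendor code from the post
F5_LTM_USER_ROLE = 1       # ATTRIBUTE F5-LTM-User-Role 1 integer
ROLE_NAMES = {0: "admin"}  # only the mapping stated in the post


def build_role_vsa(role):
    """Encode F5-LTM-User-Role as a Vendor-Specific attribute."""
    sub = struct.pack("!BBI", F5_LTM_USER_ROLE, 6, role)
    header = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), F5_VENDOR_ID)
    return header + sub


def iter_attributes(data):
    """Yield (type, value) for each type/length/value entry in data."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def f5_roles(attrs):
    """Return every F5-LTM-User-Role value in a RADIUS attribute block.

    attrs is the part of the packet after the 20-byte RADIUS header.
    """
    roles = []
    for attr_type, value in iter_attributes(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != F5_VENDOR_ID:
            continue  # another vendor's VSA
        for sub_type, sub_value in iter_attributes(value[4:]):
            if sub_type == F5_LTM_USER_ROLE and len(sub_value) == 4:
                roles.append(struct.unpack("!I", sub_value)[0])
    return roles


# Constructed sample: a Class attribute (type 25) followed by the F5 role VSA.
SAMPLE = bytes.fromhex("1906abcd1234") + build_role_vsa(0)

if __name__ == "__main__":
    for role in f5_roles(SAMPLE):
        print(role, ROLE_NAMES.get(role, "see the F5 VSA article"))
```

An Access-Accept that carries no F5 role, or more than one, yields an empty or multi-element list, which is worth checking before concluding the network policy matched the intended AD group.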

3 REPLIES 3

Leslie_Hubertus
Community Manager

@viziony - the article How I did It - “Integrating Azure MFA with the BIG-IP” might help, and if not, the author may be able to help.

Thanks for sharing your solution so future users can see what to do!