I am running bigip 11.4.1 on a 3900 that is licensed for LTM and ASM with client authentication. I am able to configure user authentication to a Windows NPS radius server and have all external users all get authenticated to the windows radius and authorized to the same default external user role. (This is purely for user login access to the BIG-IP managment interface via a browser).
I would now like to create four new Windows user groups: F5-Admin, F5-resource-admin, F5-operator, F5-guest. The goal is to have the Windows NPS radius server return the F5 vendor specific attribute "F5-LTM-User-Role" with the appropriate values for the four roles I need.
I have the document: "http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html". It is not clear to me how to add the role attributes to windows 2008 NPS such that the new role attribute will be returned to the F5 after successful authentication. It is also not clear how to configure the F5 to then take the returned role attribute for the user and over-ride (ignore) the default external role setting.
thank you for your help.
I was just playing with this and I know this question is really old but I wanted to put an answer here anyway.
I'm in Windows Server 2012 R2, I configured NPS
Policies>>Network Policies (right click on this) New Give it a policy name Assign the user group to it that will have these permissions
Now the fun part. Under "RADIUS Attributes" it says "Standard" or "Vendor Specific" Select "Vendor Specific" and "Add" Vendor Drop down is "Custom", Attributes is "Vendor-Specific" click "Add"
Now you want to Add a vendor specific attribute, this will apply to this whole group.
Click Enter Vendor Code and give it code of 3375 Check "Yes. It conforms" Click "Configure attribute"
The attribute number will be whatever attribute in this list that you want to set: ATTRIBUTE F5-LTM-User-Role 1 integer ATTRIBUTE F5-LTM-User-Role-Universal 2 integer enable/disable ATTRIBUTE F5-LTM-User-Partition 3 string ATTRIBUTE F5-LTM-User-Console 4 integer enable/disable ATTRIBUTE F5-LTM-User-Shell 5 string supported values are disable, tmsh and bpsh ATTRIBUTE F5-LTM-User-Context-1 10 integer ATTRIBUTE F5-LTM-User-Context-2 11 integer ATTRIBUTE F5-LTM-User-Info-1 12 string ATTRIBUTE F5-LTM-User-Info-2 13 string ATTRIBUTE F5-LTM-Audit-Msg 14 string
So for example if I wanted to configure F5-LTM-User-Role I would set the Vendor-assigned attribute number to 1
Attribute format is decimal (noted as integer above) Attribute value depends on what role I want in this case (reference the SOL for various options). In this use case I put in 700 because I wanted Guest access.
Click "ok" (twice) Now our user group has a role of 700(guest) configured.
Now click add again (same code, yes conforms), if I want to set partition then my value is 3 and my attribute type is a string with a value of the partition name (e.g. Common)
Small remark , you need to configure all required attributes, Role , Info , Partition , Shell to ,make this work , if your attribute list does not match exact f5 attribute list in the remote role section in result users will get adminitrator role assigned.