Forum Discussion

jg-natsys_15996
Nimbostratus
Jun 05, 2014

How to add F5 vendor specific Radius attributes to Windows 2008 NPS to authorize external users to different roles

I am running bigip 11.4.1 on a 3900 that is licensed for LTM and ASM with client authentication. I am able to configure user authentication to a Windows NPS radius server and have all external users get authenticated to the windows radius and authorized to the same default external user role. (This is purely for user login access to the BIG-IP management interface via a browser).

 

I would now like to create four new Windows user groups: F5-Admin, F5-resource-admin, F5-operator, F5-guest. The goal is to have the Windows NPS radius server return the F5 vendor specific attribute "F5-LTM-User-Role" with the appropriate values for the four roles I need.

 

I have the document: "http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html". It is not clear to me how to add the role attributes to windows 2008 NPS such that the new role attribute will be returned to the F5 after successful authentication. It is also not clear how to configure the F5 to then take the returned role attribute for the user and over-ride (ignore) the default external role setting.

 

thank you for your help.

 

6 Replies

    • viziony
      Cirrus

      This helped me out especially with the screen shots in my configuration with the F5 BIGIP and a 2016 Windows NPS server. Thanks.

  • Nate_7016
    Historic F5 Account

    I was just playing with this and I know this question is really old but I wanted to put an answer here anyway.

     

    I'm in Windows Server 2012 R2. I configured NPS:

     

    Policies >> Network Policies (right click on this) > New. Give it a policy name. Assign the user group to it that will have these permissions.

     

    Now the fun part. Under "RADIUS Attributes" it says "Standard" or "Vendor Specific". Select "Vendor Specific" and "Add". Vendor drop down is "Custom", Attributes is "Vendor-Specific", click "Add".

     

    Now you want to add a vendor specific attribute; this will apply to this whole group.

     

    Click "Enter Vendor Code" and give it code of 3375. Check "Yes. It conforms". Click "Configure attribute".

     

    The attribute number will be whatever attribute in this list that you want to set:
    ATTRIBUTE F5-LTM-User-Role 1 integer
    ATTRIBUTE F5-LTM-User-Role-Universal 2 integer (enable/disable)
    ATTRIBUTE F5-LTM-User-Partition 3 string
    ATTRIBUTE F5-LTM-User-Console 4 integer (enable/disable)
    ATTRIBUTE F5-LTM-User-Shell 5 string (supported values are disable, tmsh and bpsh)
    ATTRIBUTE F5-LTM-User-Context-1 10 integer
    ATTRIBUTE F5-LTM-User-Context-2 11 integer
    ATTRIBUTE F5-LTM-User-Info-1 12 string
    ATTRIBUTE F5-LTM-User-Info-2 13 string
    ATTRIBUTE F5-LTM-Audit-Msg 14 string

     

    So for example, if I wanted to configure F5-LTM-User-Role I would set the Vendor-assigned attribute number to 1.

     

    Attribute format is decimal (noted as integer above). Attribute value depends on what role I want in this case (reference the SOL for various options). In this use case I put in 700 because I wanted Guest access.

     

    Click "ok" (twice). Now our user group has a role of 700 (guest) configured.

     

    Now click add again (same code, yes conforms). If I want to set partition then my value is 3 and my attribute type is a string with a value of the partition name (e.g. Common).

     

    • Bart_18836
      Nimbostratus

      This does not work. I am running Windows Server 2008 RC2 and I always get logged in as Administrator, no matter what I set in the attributes.

       

    • Bart_18836
      Nimbostratus

      Small remark, you need to configure all required attributes, Role, Info, Partition, Shell to make this work. If your attribute list does not match the exact f5 attribute list in the remote role section, users will get the administrator role assigned.
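Added example, not code from any of the posters above or from F5: a small Python encoder/decoder for the RADIUS Vendor-Specific attribute layout (RFC 2865 type 26: vendor ID, then vendor-assigned number, length and value; integers are 4-byte big-endian) using the vendor code 3375 and the attribute numbers Nate_7016 lists. Running the decoder over the attribute bytes of the Access-Accept that NPS actually sends (for instance from a packet capture) shows which F5 attributes came back, which is the check Bart_18836's remark calls for before concluding the role mapping is broken. The sample reply bytes are constructed here; the required-attribute list handed to missing_attributes is an assumption taken from that remark and has to be matched against your own BIG-IP remote-role configuration.

```python
"""Encode and decode F5 vendor-specific RADIUS attributes (RFC 2865 type 26)."""
import struct

RADIUS_VSA_TYPE = 26        # RFC 2865: Vendor-Specific attribute type
F5_VENDOR_ID = 3375         # vendor code given in the reply above

# Vendor-assigned attribute numbers and data types, as listed in the reply above.
F5_ATTRS = {
    1:  ("F5-LTM-User-Role", "integer"),
    2:  ("F5-LTM-User-Role-Universal", "integer"),
    3:  ("F5-LTM-User-Partition", "string"),
    4:  ("F5-LTM-User-Console", "integer"),
    5:  ("F5-LTM-User-Shell", "string"),
    10: ("F5-LTM-User-Context-1", "integer"),
    11: ("F5-LTM-User-Context-2", "integer"),
    12: ("F5-LTM-User-Info-1", "string"),
    13: ("F5-LTM-User-Info-2", "string"),
    14: ("F5-LTM-Audit-Msg", "string"),
}
NAME_TO_NUM = {name: num for num, (name, _) in F5_ATTRS.items()}


def encode_f5_vsa(name, value):
    """Build one RADIUS VSA carrying a single F5 sub-attribute."""
    num = NAME_TO_NUM[name]
    kind = F5_ATTRS[num][1]
    if kind == "integer":
        payload = struct.pack("!I", int(value))  # 4-byte big-endian integer
    else:
        payload = str(value).encode("utf-8")
    sub = struct.pack("!BB", num, 2 + len(payload)) + payload   # vendor type, vendor length
    body = struct.pack("!I", F5_VENDOR_ID) + sub                 # vendor ID + sub-attribute
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def decode_f5_vsas(attrs):
    """Walk a RADIUS attribute list and return {F5 attribute name: value}.

    Standard attributes and other vendors' VSAs are skipped. Malformed
    lengths raise ValueError instead of being silently accepted.
    """
    found = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length at offset %d" % i)
        value = attrs[i + 2:i + alen]
        if atype == RADIUS_VSA_TYPE and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == F5_VENDOR_ID:
                j = 4
                while j < len(value):
                    if j + 2 > len(value):
                        raise ValueError("truncated vendor sub-attribute")
                    vnum, vlen = value[j], value[j + 1]
                    if vlen < 2 or j + vlen > len(value):
                        raise ValueError("bad vendor sub-attribute length")
                    raw = value[j + 2:j + vlen]
                    if vnum in F5_ATTRS:
                        vname, vkind = F5_ATTRS[vnum]
                        if vkind == "integer":
                            if len(raw) != 4:
                                raise ValueError("%s must be 4 bytes" % vname)
                            found[vname] = struct.unpack("!I", raw)[0]
                        else:
                            found[vname] = raw.decode("utf-8")
                    j += vlen
        i += alen
    return found


def missing_attributes(found, required):
    """Names in `required` that the decoded Access-Accept did not carry."""
    return [name for name in required if name not in found]


# Constructed sample: the attribute portion of an Access-Accept for the
# "Guest" policy above (Role 700, Partition Common) plus a standard
# Reply-Message (type 18) that the decoder must skip over.
SAMPLE_ACCEPT = (
    encode_f5_vsa("F5-LTM-User-Role", 700)
    + encode_f5_vsa("F5-LTM-User-Partition", "Common")
    + struct.pack("!BB", 18, 2 + len(b"ok")) + b"ok"
)

# Assumed required set, taken from Bart_18836's remark; adjust to your remote-role config.
ASSUMED_REQUIRED = ["F5-LTM-User-Role", "F5-LTM-User-Partition",
                    "F5-LTM-User-Shell", "F5-LTM-User-Info-1"]

if __name__ == "__main__":
    got = decode_f5_vsas(SAMPLE_ACCEPT)
    print("F5 attributes returned:", got)
    print("missing:", missing_attributes(got, ASSUMED_REQUIRED))
```

Feed decode_f5_vsas the raw bytes following the 20-byte RADIUS header of the captured Access-Accept; an empty result means NPS matched a policy without the vendor-specific attributes, while a partial result points at which of the expected attributes the policy is not sending.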