We setup authentication setup using this article:
But when we logged in using the accounts on the radius, f5 sets the user as admin account even the account should be read only. Are we missing some configurat
I could be wrong but go to your radius config settings.
And click the drop down from basic to advanced, I think there is a catch all there to say which level to go to.
Also check your not on Auth only I can't remember if that's the same drop down.
But that will only give you a yes/no not a access level back under the request.
Message me back and I can send you scene shots of what to look for if needed.
Yes, that's part of it. - that sets how the radius part is handled.
But annoyingly what is the config under the drop down as well?
So External User > Role,
So in auth only, a good radius responce will log the user in at the level of External User > Role is set to.
Also do you have "Failback to local set" and are the users in radius and locally as well with the same user name???? This might be over riding things.
So that "Administrator" setting is what's over riding everything and setting everything everyone to Admin.
Personally i set that to No Access, Then you MUST have a access right set to gain access.
The other thing to then doi is change the service type from "Authenticate Only" to something suitable for your use case. I must admit i found info on those settings a bit weak.
But i used default and everything burst into life on my side.
What that will do, is then tell the IF to look at the other parameters rather than just authentication and allowing the users in at the default level which is set by "External Users > Roles"
Hope that helps.
Ok setting it to no access will stop everything,
If you set it to Guest you'll get the equivlant read only access.
But the other setting on "Service Type" being set to auth only you'll only get that account level set under "External User > Role" when you log in.
It won't even consider the roles you hopefully have configured under "Remote Rile Groups" could you send that as well?
The attriubutes that, that calls out are important and need to be linked to what the radius server sends.
Ok, So what i think is happening is the following.
When the radius reponce returns "F5-LTM-User-Info-1=mgmt"
It then takes the parameters "%F5-LTM-User-Role" "%F5-LTM-User-Partition" & "%F5-LTM-User-Shell" which have also been sent by the radius server and then fills in the variables as expected.
So in the KB's example all of the config is set inside the radius server. (the kb is showing freerasdius as an example)
Below is my config or a part of it, i just look for F5-LTM-User-Info-1=adm as a Attribute String coming back and i set all of the important variable to me inside the f5 config. I feel that's personally more secure.
But what i think you need to look at now is what is coming back in from your radius server, are the variables coming back in? Maybe even break it back to my example below and show you can change adm to something else like say Guest and change the Assigned Role to Guest and prove that user gets guest for example?
Maybe the group list will be useful as well?
Have you followed the radius tests on the radius server as per the kb?