
Radius Authentication role not working

chocokoala
Altostratus

Hi Guys,

We set up authentication using this article:

https://support.f5.com/csp/article/K14324#3

But when we log in using the accounts on the RADIUS server, F5 sets the user as an admin account even though the account should be read only. Are we missing some configurat


Helmer
Nimbostratus

Navigate to Wireless > Configure > Access control and select the desired SSID from the dropdown menu.
Under RADIUS accounting, select RADIUS accounting is enabled.

BKLinkGlobal


Hmm why wireless? 

I could be wrong, but go to your RADIUS config settings.

And click the drop down from Basic to Advanced; I think there is a catch-all there to say which level to go to.

Also check you're not on Auth only; I can't remember if that's the same drop down.

But that will only give you a yes/no, not an access level back under the request.

Message me back and I can send you screenshots of what to look for if needed.

Hi, I am not sure if I found what you are saying (see image), but if yes, how can I make it work?

Hi,

Yes, that's part of it - that sets how the RADIUS part is handled.
But annoyingly, what is the config under the drop down as well?
So External User > Role.

So in Auth only, a good RADIUS response will log the user in at the level that External User > Role is set to.
Also, do you have "Fallback to local" set, and are the users in RADIUS and locally as well with the same user name???? This might be overriding things.

P

Hi, here (attached). As for the service type, what should I select?

I removed Enable Fallback to local, but still the same. I set the authentication type to Authenticate only.

Cool,
So that "Administrator" setting is what's overriding everything and setting everyone to Admin.

Personally I set that to No Access. Then you MUST have an access right set to gain access.

The other thing to then do is change the service type from "Authenticate Only" to something suitable for your use case. I must admit I found the info on those settings a bit weak.
But I used Default and everything burst into life on my side.
What that will do is then tell the F5 to look at the other parameters rather than just authenticating and allowing the users in at the default level, which is set by "External Users > Roles".
Hope that helps.

Also, what groups have you set up? And have you got the same config on your RADIUS server side?

I set it to No Access, and I can't log in anymore on that read only account. I am trying to check with my colleague who handles the RADIUS part.

Ok, setting it to No Access will stop everything.
If you set it to Guest you'll get the equivalent of read only access.
But with the other setting, "Service Type", being set to Auth only, you'll only get the account level set under "External User > Role" when you log in.
It won't even consider the roles you hopefully have configured under "Remote Role Groups". Could you send that as well?
The attributes that that calls out are important and need to be linked to what the RADIUS server sends.

Hi, yes, when I set it to Guest, it really does make the account a guest.

We followed this article:

https://support.f5.com/csp/article/K14324#3

You can see the remote group we created (attached)

Ok, so what I think is happening is the following.
When the RADIUS response returns "F5-LTM-User-Info-1=mgmt",
it then takes the parameters "%F5-LTM-User-Role", "%F5-LTM-User-Partition" & "%F5-LTM-User-Shell", which have also been sent by the RADIUS server, and then fills in the variables as expected.
So in the KB's example all of the config is set inside the RADIUS server (the KB is showing freeradius as an example).

Below is my config, or a part of it. I just look for F5-LTM-User-Info-1=adm as an Attribute String coming back, and I set all of the variables important to me inside the F5 config. I feel that's personally more secure.

But what I think you need to look at now is what is coming back in from your RADIUS server. Are the variables coming back in? Maybe even break it back to my example below and show you can change adm to something else, say Guest, and change the Assigned Role to Guest, and prove that user gets Guest, for example?

radius-adm-conf.PNG

Maybe the group list will be useful as well?

radius-user-conf.PNG

Have you followed the RADIUS tests on the RADIUS server as per the KB?
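As an added illustration, not from the thread or from F5's own code, here is a small Python model of the role decision the replies describe: with Service Type "Authenticate Only" the reply attributes are ignored and every authenticated user lands on the External Users default role, whereas with "Default" the remote role groups are consulted first and the default only applies when nothing matches. The group ordering, the attribute-string matching and the role names are assumptions made for this example; the sample RADIUS replies are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RemoteRoleGroup:
    line_order: int          # lower value is evaluated first (assumed)
    attribute_string: str    # e.g. "F5-LTM-User-Info-1=adm"
    assigned_role: str       # e.g. "Administrator", "Guest"
    partition: str = "Common"
    shell: str = "none"

def reply_attribute_strings(reply: dict[str, str]) -> set[str]:
    """Flatten an Access-Accept's attributes into 'name=value' strings."""
    return {f"{name}={value}" for name, value in reply.items()}

def resolve_role(reply: dict[str, str], groups: list[RemoteRoleGroup],
                 default_role: str, service_type: str = "Default") -> str:
    """Return the role a user is granted for one RADIUS Access-Accept.

    'Authenticate Only': the reply's attributes are never consulted, so
    the External Users default role is handed out to everyone.
    'Default': the first group whose attribute string appears in the
    reply wins; if none matches, the default role still applies.
    """
    if service_type == "Authenticate Only":
        return default_role
    attrs = reply_attribute_strings(reply)
    for group in sorted(groups, key=lambda g: g.line_order):
        if group.attribute_string in attrs:
            return group.assigned_role
    return default_role

# Constructed groups mirroring the thread: "adm" -> Administrator, "ro" -> Guest.
GROUPS = [
    RemoteRoleGroup(1, "F5-LTM-User-Info-1=adm", "Administrator", shell="tmsh"),
    RemoteRoleGroup(2, "F5-LTM-User-Info-1=ro", "Guest"),
]
# Constructed Access-Accept contents for a read-only user and an unknown user.
READONLY_REPLY = {"F5-LTM-User-Info-1": "ro"}
UNKNOWN_REPLY = {"F5-LTM-User-Info-1": "contractor"}

if __name__ == "__main__":
    # The original poster's symptom: Authenticate Only + default Administrator.
    print(resolve_role(READONLY_REPLY, GROUPS, "Administrator", "Authenticate Only"))
    # The fix: Default service type, so the "ro" group is honoured.
    print(resolve_role(READONLY_REPLY, GROUPS, "No Access"))
    # Unknown users fall to the default; only "No Access" fails closed.
    print(resolve_role(UNKNOWN_REPLY, GROUPS, "No Access"))
```

Running it prints Administrator, Guest and No Access in that order, which is the progression the thread works through: the permissive default hands out admin, the Default service type restores the intended read-only mapping, and a No Access default keeps unmatched accounts out.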