F5OS Tenant Radius Issues
Hello All, Finished deploying new R-Series equipment to replace some i-Series. Working through some issues that I hope there is an easier solution for in regards to radius authentication on tenants/guests running on my new appliances. I cannot seem to get the tenants running on my r-series appliances to use the Mgmt IP address for radius authentication. They seem to want to use a self-ip that is within the network on the gateway for the default routing domain. For additional information, the configuration on the i-series was ported over via UCS files to my r-series tenants. They're near identical besides new MGMT ips.

Quick breakdown of what works for Radius:

- R-Series Appliance (F5OS) - MGMT 1.1.1.1 <--- Radius auth works using MGMT IP - Makes sense, no virtual routers
- BIG-IP Tenant - MGMT 1.1.1.2 <----- Radius fails (Uses self-ip 10.10.10.10)
- BIG-IP Tenant - MGMT 1.1.1.3 <----- Radius fails (Uses self-ip 23.23.23.23)
- BIG-IP Tenant - MGMT 1.1.1.4 <----- Radius fails (Uses self-ip 5.5.5.5)

The self IPs are all on different networks that serve different purposes on different security zones on my firewall. The solution as it stands now is to allow the specific reporting self-ips to reach my radius server. I'd rather not do that if I can find a way to force the tenants to use their mgmt IP.

NTLM Authenticated Proxy External Monitor
Problem this snippet solves:

NTLM Authenticated Proxy External Monitor

How to use this snippet:

This monitor is used to monitor the availability of a web page through an NTLM authenticated proxy. The default HTTP monitor relies on receiving a 401 Authenticate message to trigger the NTLM handshake; proxies respond with a 407 Proxy Authenticate message instead, which causes the monitor to fail. The pool member being monitored is the proxy itself: the LTM passes its address and port to the script, and the script asks the proxy to fetch the configured URI.

Set the following variables in the monitor definition:

- URI - The requested host/page to send the request to (e.g. www.host.com/page1 or https://www.host.com/page.html)
- USER - Proxy Username
- PASS - Proxy Password
- RECV - Receive String to look for

Code:

```sh
#!/bin/sh
#
# Name:        external_monitor_NTLM_Proxyauth
# Author:      Matt Elkington
# Contact:     melkington@integrity360.com
# Date:        23/01/2017
# Description: An external monitor to allow monitoring of a host through an NTLM authenticated proxy.
#              This works around the fact that the standard http monitor will only use NTLM if
#              it receives a 401 Authenticate message and ignores a 407 Proxy Authenticate message.
#
# Change Log
# Version  Change           Date
# 1.0      Initial Monitor  23/01/2017
#
# Port and IP address are supplied automatically as variables $1 and $2 by the LTM:
# $1 = IP (nnn.nnn.nnn.nnn notation)
# $2 = port (decimal, host byte order)
#
# The following variables must be set in the monitor definition:
#
# URI  - The requested host/page to send the request to (e.g. www.host.com/page1 or https://www.host.com/page.html)
# USER - Proxy Username
# PASS - Proxy Password
# RECV - Receive String to look for
#

# remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
PORT=${2}

PIDFILE="/var/run/`basename ${0}`.${NODE}_${PORT}.pid"

# kill off the last instance of this monitor if it is hung, and log the current pid
if [ -f $PIDFILE ]
then
    # NODE (not the undefined IP) is the address the LTM handed us
    echo "EAV exceeded runtime needed to kill ${NODE}:${PORT}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE

# send the request via the monitored proxy, authenticating with NTLM,
# and check the body for the expected receive string
curl "${URI}" --proxy "${NODE}:${PORT}" -U "${USER}:${PASS}" --proxy-ntlm -k | grep -i "${RECV}" > /dev/null 2>&1

# mark node UP if expected response was received (anything written to stdout marks the member UP)
if [ $? -eq 0 ]
then
    # Remove the PID file
    rm -f $PIDFILE
    echo "UP"
else
    # Remove the PID file
    rm -f $PIDFILE
fi
exit
```

Tested this on version: 11.6