Cisco ISE load-balancing and Change of Authorization (CoA)
First, let me clearly state that I do not have a Cisco background. I have no experience with the RADIUS protocol, and am not familiar with the details of the CoA, so I am not in a position to know if what I'm being asked to do is appropriate/necessary/makes sense or not. Our Cisco guys came to me asking for a RADIUS load-balancing VIP, with persistence based on CALLING-STATION-ID. I found https://devcentral.f5.com/questions/load-balance-cisco-ise-servers easily enough. So I created a wildcard UDP VIP with the iRule. But, they came back with an additional CoA requirement. They claim that the ISE servers periodically send "a CoA packet" to the clients of the RADIUS VIP. They want the LTM to intercept these packets, and SNAT it from the RADIUS VIP address. They claim that the clients of the RADIUS service will only accept CoA packets from the VIP address. Apart from the link above, the only good resource on the subject I can find is https://supportforums.cisco.com/blog/153056/ise-and-load-balancing. I get somewhat lost in the terminology, but this statement seems important: Each PSN gets listed individually in the Dynamic-Authorization (CoA). Use the real IP Address of the PSN, not the VIP. In the context of this document it sounds to me like the "PSN" is also the Pool Member of the RADIUS VIP, and that we should be adding the IP address of the Pool Member in some CoA field on the clients of the RADIUS VIP. But again not being familiar with RADIUS, I'm very uncertain. Apart from the question of whether or not I can SNAT from a VIP address at all (which I highly doubt), does anyone have some insight into how to account for these RADIUS/CoA packets in a load-balancing context?Radius Authentication role not working
Hi Guys, We setup authentication setup using this article: https://support.f5.com/csp/article/K14324#3 But when we logged in using the accounts on the radius, f5 sets the user as admin account even the account should be read only. Are we missing some configurat
RADIUS Access-Challenge Response Issue
Hi, I'm trying to configure the APM functionality on a BigIP running 13.1.02 to support the "Change PIN" request of the Swivel Secure PINsafe authentication; but I seem to be hitting a more fundamental issue with the BigIP's RADIUS Access-Challenge support. Normal RADIUS authentication against the Swivel authentication server is working fine. The user logs in; with their credentials submitted over HTTP to the F5 and from there via a RADIUS Access-Request to the Swivel server: RADIUS Protocol Code: Access-Request (1) Packet identifier: 0xf2 (242) Length: 103 Authenticator: f25**********************aa92 [The response to this request is in frame 3] Attribute Value Pairs AVP: t=User-Name(1) l=10 val=XXXXXXXXX AVP: t=User-Password(2) l=18 val=Decrypted: 3407 Type: 2 Length: 18 User-Password: 3407 AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XXX AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXX AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8) AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142 AVP: t=NAS-Port(5) l=6 val=0 If the user requires that their PIN be changed; the Swivel authentication server responds with a RADIUS Access-Challenge: RADIUS Protocol Code: Access-Challenge (11) Packet identifier: 0xf2 (242) Length: 31 Authenticator: f034de3****************586dd5 [This is a response to a request in frame 2] [Time from request: 0.021004000 seconds] Attribute Value Pairs AVP: t=Reply-Message(18) l=11 val=changepin Type: 18 Length: 11 Reply-Message: changepin The F5 successfully detects this Access-Challenge request and presents the user with a further login page containing the Reply-Message as the header (so "changepin" in this case); followed by a single input element (id of "input_1" and name of "_F5_challenge") into which the user can respond. With the user's response typed into the single input element and the new form submitted; I can see in the HTTP request from the web browser to the F5 the form variable of "_F5_challenge" correctly set to the value typed into the input element. Looks good so far... From the RADIUS RFC 2865: "If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any." I would therefore expect that the F5 would use value it received in _F5_challenge HTTP form parameter as the new User-Password value within theRADIUS Access-Request that responds to the Access-Challenge. This is not what I see – if I capture and decode this RADIUS Access-Request I can see that User-Password is the same value as from the original RADIUS Access-Request from the initial logon page: RADIUS Protocol Code: Access-Request (1) Packet identifier: 0xaa (170) Length: 105 Authenticator: aaf*********************3075 [The response to this request is in frame 5] Attribute Value Pairs AVP: t=User-Name(1) l=10 val=XXXXXXXXXX AVP: t=User-Password(2) l=18 val=Decrypted: 3407 Type: 2 Length: 18 User-Password: 3407 AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XX AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXXXX AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8) AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142 AVP: t=NAS-Port(5) l=6 val=0 AVP: t=State(24) l=2 val= Type: 24 Length: 2 State: <MISSING> Of course; the original password (PIN in this case) is not valid for the replacement PIN within the Swivel server and therefore the PIN change process fails. The fundamental issue seems to be that I'm unable to control the User-Password element of the F5's reply to the Access-Challenge based on that HTML input element. Any idea what could be wrong here? Many thanks aid
Admin Auth via NPS Radius
Hi Everyone, Am wating to implement radius auth of our BIG-IP administrators (GUI and SSH), radius is a supported auth method so we would like to use the Microsoft NPS services. Has anyone successfully implemented GUI / SSH authentication of BIG-IP Administrators via radius to Microsoft NPS? Would be great to hear of your learnings and any advice you can provide. TIA (currently running v16.1.3.1)
DUO Security Proxy servers in HA configuration
Has anyone setup HA for the DUO Proxy servers? I don't believe I can use the Radius iApp due to the specific port per DUO application(s)? I can successfully create a radius server with a "direct" server connection association to a single node (DUO Auth Proxy). However, I've been unsuccessful at setting up a HA configuration to include a second DUO Auth Proxy server. I've tried the following manual configurations (both failed): 1. Updated the "direct" server connection to point to a VIP (instead of a node) whereas the VIP was associated to a pool of DUO Auth Proxy servers. Failed (no response from server) 2. Created a new radius server referencing the pool of DUO Auth Proxy servers (not direct server connection). Essentially removing the VIP. Same error as above. *** The pool I used has Priority Grouping to prioritize its local site DUO Auth Proxy server unless its unavailable, then do to the other datacenter for DUO Auth Proxy. I have not setup a persistence profile due to the priority grouping. But, I will try that today. Hoping someone has tried setting up DUO Proxy HA and can provide any helpful insight. Thank you in advance. ~Jeff
Radius External Monitor (Python)
This'll be a long post so get a cup of coffee or whatever your poison of choice is. Sooooo, from all my digging around, Python based External Monitors are something that nobody talks about, has gotten right or maybe they just keep the solution to themselves or have realised the futility of python for advanced external monitors. I am unfortunately pretty stubborn when I am faced with an interesting challenge so like a dog with a bone persisted until I got everything working except the actual F5 monitoring part. Bear in mind I am no coder, I'm ok at python, I know F5's relatively well and this is my first external monitor that I have written. The shyte part is that there is, as far as I have seen, no information on using python for external monitors other than a couple of mentions here and there saying that it is possible. As many of you know F5's current Radius monitor will only mark a member up when it has a successful login against a user account and has no means of establishing a connection then simply testing for ANY valid radius response regardless of whether the account supplied is valid or not. This effectively shuts out the use of the F5 Radius monitor for Two Factor Auth systems where security is stringent enough to disallow the use of a single factor auth account with a fixed password for monitoring purposes. To try solve this I wrote up this python script that will establish a connection to a radius server regardless of the number of auth factors it requires, it will then fire off a bogus(or not) authentication attemmpt to the radius server. It's pretty crude, but as long as the connection doesn't time out there will be some sort of response from the radius server which will result in the script writing to stdout so that the F5 will mark the member as up. If there is a timeout the script's exit code is zero with no output so that the member will be marked as down. After importing the script it works like a charm when run from /config/filestore/files_d/Common_d/external_monitor_d/ with the various options. It happily handles the ::ffff: prefix to the IPv4 addresses as well as strips, for now, the routing domain tag in case it's appened to the address, but when it is executed as part of a monitor it fails. For the life of me I can't figure out why and nor have I figured out how to do a detailed debug of the script and what parameters are being handed to it at execution by the F5. So this is where you guys and gals come in and hopefully you can help. The issues I have are as follows: I don't know if I'm envoking the python shebang correctly for F5. Unable to debug the script and /var/log/monitors/Common_radius_monitor.log doesn't have anything relating to script runtime errors. Inspite of using a Syslog handler to try write to syslog-ng I'm unable to output to /var/log/ltm so there isn't anything useful in there (for now). This entire thing might be a complete non-starter if the F5 is super strict about code execution and is shutting out my use of the six and radius modules stored in /config/eav/, but without a run-time debug I can't tell what it's problem is. Unfortunately because of the length of the code and this description I've had to add my script via code share: External Radius Monitor using PythonUse debug on health monitor to retrieve lost radius secret
Hi Is it possible to use debug function on health monitors to retreive the radius secret? Found this old blogpost http://socpuppet.blogspot.com/2016/11/how-to-recover-lost-big-ip-f5-secret.html and followed the steps 1) Created a health monitor with a random username and password plus a random secret. Enabled debug 2) Edit the health monitor and entered the hashed secret from the radius setup 3) Added the health monitor to a pool and attached the pool to a new virtual server used to test 4) Check in /var/log but no debug log is created Is something missing or is it not possible to do this anymore? Best regards Daniel
APM - Centrify RADIUS Access-Challenge failure
Hi All, I have configured Centrify RADIUS under access->authentication and using it under APM for user authetication for MFA. I get "error: packet verification failed, most likely the shared secret is not correct" when i try to authenticate, i know it is not secret issue, as i could see Access-Challenge code reply by RADIUS with Attribute value pairs. On RADIUS, i have set to ask for security question and i do see AVP type 18 (Reply-Message), but i dont see F5 is presenting that on user login screen. I have opened case with F5, but we are not making any progress. I appreciate any suggestion to address this issue
