APM Domain/Username for RADUIS Auth
Hello community, could you help me with the following?. I've a simple per session AD Authentication policy -> working fine 2nd. I've a per-request-policy for specific paths which are secured with a 2FA Radius auth -> working also fine For user simplicity I would take over the username (domain\username) from per session AD Logon Page to per-request Logon Page. This only works in part :-/ At the moment I can pre-fill the username via session variable "session.logon.last.logonname" in the Logon Page. Username in Logon Page set to "Ready Only" After generating an OTP the APM log is showing the following error: "RADIUS Agent: Failed to read Username Source session variable:" Obviously, the variable is empty, despite pre-filling. I experimented a little with Variable Assign (implemented after Logon Page) but nothing changed. -> "RADIUS Agent: Failed to read Username Source session variable:" session.logon.last.username = expr { "[mcget {session.logon.last.domain}]\\[mcget {session.logon.last.username}]" } or session.logon.last.logonname = expr { "[mcget {session.logon.last.domain}]\\[mcget {session.logon.last.username}]" } Everything is working fine with a manual input of the domain\username in the Logo Page. Does someone have an idea to solve the issue/problem? Thanks a lot.
Freeradius auth for LTM V11.5.1
Guys am running out of inspiration here and hoping you may be able to help. I have set up a FreeRadius server which is successfully authenticating Linux systems and Cisco devices. I have added the config for F5 to the radius server and verified it's triggering correctly for my test user. e.g. (radiusd log extract) Mon Feb 22 14:39:35 2016 : Debug: rlm_perl: Added pair Auth-Type = PAP Mon Feb 22 14:39:35 2016 : Info: ++[perl] = ok Mon Feb 22 14:39:35 2016 : Info: +} group post-auth = ok Sending Access-Accept of id 161 to 192.168.1.90 port 27260 Cisco-AVPair = "shell:priv-lvl=15" F5-LTM-User-Shell = "tmsh" F5-LTM-User-Info-1 = "F5-admin" F5-LTM-User-Role = Administrator F5-LTM-User-Partition = "Common" Mon Feb 22 14:39:35 2016 : Info: Finished request 25. I've then followed the recipe at https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html and believe I have things set right. tmsh sows this when list the auth section: auth radius system-auth { servers { system_auth_name1 } } auth radius-server system_auth_name1 { secret $M$q5$0UFrYg9zh5kLp7xkZOb2vZpgAPggyDPoWmjeIgF5F1I= server 192.168.1.56 } auth remote-role { role-info { F5-admin { attribute F5-LTM-User-Info-1=F5-admin console %F5-LTM-User-Shell line-order 1001 role %F5-LTM-User-Role user-partition %F5-LTM-User-Partition } } } Trying to log in as my test user sadly yields no good outcome, in spite of the the log from the radius server showing it sending an Access-Accept packet with the relevant F5 attributes included. So I guess my question is if there is log file I've been unable to find on the LTM itself which might let me know what I'm doing wrong. This or any other thoughts would be greatly appreciated. Enno.Admin Auth via NPS Radius
Hi Everyone, Am wating to implement radius auth of our BIG-IP administrators (GUI and SSH), radius is a supported auth method so we would like to use the Microsoft NPS services. Has anyone successfully implemented GUI / SSH authentication of BIG-IP Administrators via radius to Microsoft NPS? Would be great to hear of your learnings and any advice you can provide. TIA (currently running v16.1.3.1)
Radius Authentication role not working
Hi Guys, We setup authentication setup using this article: https://support.f5.com/csp/article/K14324#3 But when we logged in using the accounts on the radius, f5 sets the user as admin account even the account should be read only. Are we missing some configuratUse debug on health monitor to retrieve lost radius secret
Hi Is it possible to use debug function on health monitors to retreive the radius secret? Found this old blogpost http://socpuppet.blogspot.com/2016/11/how-to-recover-lost-big-ip-f5-secret.html and followed the steps 1) Created a health monitor with a random username and password plus a random secret. Enabled debug 2) Edit the health monitor and entered the hashed secret from the radius setup 3) Added the health monitor to a pool and attached the pool to a new virtual server used to test 4) Check in /var/log but no debug log is created Is something missing or is it not possible to do this anymore? Best regards DanielRADIUS Virtual Server, VIP return 'port unreachable'
Simple configuration on the F5 LTM with a UDP Virtual Server listening on all ports. For one particular client, VS is returning ICMP Destination Unreachable (port unreachable) to the client. The request came on UDP 1812. Any help in understanding what could be wrong?
Need help to configure F5 Authentication using Windows 2012 Radius server
Hi All, I need help to configure F5 Authentication using Windows 2012 Radius server. I need to configure two user(Admin,guest) roles for different AD user groups. Please provide any documentation or videos for configuring this on my office network.DUO Security Proxy servers in HA configuration
Has anyone setup HA for the DUO Proxy servers? I don't believe I can use the Radius iApp due to the specific port per DUO application(s)? I can successfully create a radius server with a "direct" server connection association to a single node (DUO Auth Proxy). However, I've been unsuccessful at setting up a HA configuration to include a second DUO Auth Proxy server. I've tried the following manual configurations (both failed): 1. Updated the "direct" server connection to point to a VIP (instead of a node) whereas the VIP was associated to a pool of DUO Auth Proxy servers. Failed (no response from server) 2. Created a new radius server referencing the pool of DUO Auth Proxy servers (not direct server connection). Essentially removing the VIP. Same error as above. *** The pool I used has Priority Grouping to prioritize its local site DUO Auth Proxy server unless its unavailable, then do to the other datacenter for DUO Auth Proxy. I have not setup a persistence profile due to the priority grouping. But, I will try that today. Hoping someone has tried setting up DUO Proxy HA and can provide any helpful insight. Thank you in advance. ~Jeff
RADIUS Access-Challenge Response Issue
Hi, I'm trying to configure the APM functionality on a BigIP running 13.1.02 to support the "Change PIN" request of the Swivel Secure PINsafe authentication; but I seem to be hitting a more fundamental issue with the BigIP's RADIUS Access-Challenge support. Normal RADIUS authentication against the Swivel authentication server is working fine. The user logs in; with their credentials submitted over HTTP to the F5 and from there via a RADIUS Access-Request to the Swivel server: RADIUS Protocol Code: Access-Request (1) Packet identifier: 0xf2 (242) Length: 103 Authenticator: f25**********************aa92 [The response to this request is in frame 3] Attribute Value Pairs AVP: t=User-Name(1) l=10 val=XXXXXXXXX AVP: t=User-Password(2) l=18 val=Decrypted: 3407 Type: 2 Length: 18 User-Password: 3407 AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XXX AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXX AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8) AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142 AVP: t=NAS-Port(5) l=6 val=0 If the user requires that their PIN be changed; the Swivel authentication server responds with a RADIUS Access-Challenge: RADIUS Protocol Code: Access-Challenge (11) Packet identifier: 0xf2 (242) Length: 31 Authenticator: f034de3****************586dd5 [This is a response to a request in frame 2] [Time from request: 0.021004000 seconds] Attribute Value Pairs AVP: t=Reply-Message(18) l=11 val=changepin Type: 18 Length: 11 Reply-Message: changepin The F5 successfully detects this Access-Challenge request and presents the user with a further login page containing the Reply-Message as the header (so "changepin" in this case); followed by a single input element (id of "input_1" and name of "_F5_challenge") into which the user can respond. With the user's response typed into the single input element and the new form submitted; I can see in the HTTP request from the web browser to the F5 the form variable of "_F5_challenge" correctly set to the value typed into the input element. Looks good so far... From the RADIUS RFC 2865: "If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re-submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any." I would therefore expect that the F5 would use value it received in _F5_challenge HTTP form parameter as the new User-Password value within the RADIUS Access-Request that responds to the Access-Challenge. This is not what I see – if I capture and decode this RADIUS Access-Request I can see that User-Password is the same value as from the original RADIUS Access-Request from the initial logon page: RADIUS Protocol Code: Access-Request (1) Packet identifier: 0xaa (170) Length: 105 Authenticator: aaf*********************3075 [The response to this request is in frame 5] Attribute Value Pairs AVP: t=User-Name(1) l=10 val=XXXXXXXXXX AVP: t=User-Password(2) l=18 val=Decrypted: 3407 Type: 2 Length: 18 User-Password: 3407 AVP: t=NAS-IP-Address(4) l=6 val=10.XXX.XXX.XX AVP: t=NAS-Identifier(32) l=21 val=XXXXXXXXXXXXXXX AVP: t=Service-Type(6) l=6 val=Authenticate-Only(8) AVP: t=Tunnel-Client-Endpoint(66) l=16 val=192.168.86.142 AVP: t=NAS-Port(5) l=6 val=0 AVP: t=State(24) l=2 val= Type: 24 Length: 2 State: <MISSING> Of course; the original password (PIN in this case) is not valid for the replacement PIN within the Swivel server and therefore the PIN change process fails. The fundamental issue seems to be that I'm unable to control the User-Password element of the F5's reply to the Access-Challenge based on that HTML input element. Any idea what could be wrong here? Many thanks aid
