Friday, July 11, 2008

BIG-IP RADIUS Login Authentication Checklist

Our network BIG-IP suddenly had login problems after a firmware upgrade. I'll confirm at a later date (i.e., after the upgrade of another F5 BIG-IP) whether an upgrade indeed causes authentication problems. The good thing is that the local root password was not affected. Anyway, here are some points to consider when troubleshooting remote RADIUS login authentication on BIG-IP via CLI (and some UNIX/Linux servers).

REQUIRED INFORMATION:
- RADIUS server IP address(es)
- RADIUS server port (default is TCP 1812)
- RADIUS server secret key


BIG-IPv4 Checklist:
  • RADIUS server IP address and TCP port are configured in /etc/login.conf.

      radius-defaults:auth=radius,bploc,passwd:\
         :radius-server=10.10.10.10:\
         :radius-port=1812:\
         :radius-server-alt=10.10.20.10:\
         :radius-port-alt=1812:


  • RADIUS server IP address and secret key are configured in /etc/raddb/servers.

      MyBIGIP:~# cat /etc/raddb/servers
      10.10.10.10 myKey123
      10.10.20.10 myKey123
      MyBIGIP:~#


BIG-IPv9 Checklist:
  • RADIUS server IP address, port, and secret key are in /etc/raddb/server.

      MyBIGIPv9:~# cat /etc/raddb/server
      10.10.10.10:1812 myKey123 3
      10.10.20.10:1812 myKey123 3
      MyBIGIPv9:~#


  • RADIUS server IP address and secret key are defined in /config/bigip.conf under the radius server sections.

    radius server system_auth_name1 {
       server "10.10.10.10"
       secret "myKey123"
    }
    radius server system_auth_name2 {
       server "10.10.20.10"
       secret "myKey123"
    }
    auth radius system-auth {
       server system_auth_name1 system_auth_name2
    }


    You can opt to modify this file via the GUI, in System > Users > Authentication.
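
The two BIG-IP v9 locations above have to agree on each server's address and secret. The script below is an added example, not part of the original post, that cross-checks them without printing the secrets. The file formats are assumed from the samples shown above, the function names are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: cross-check RADIUS entries for the BIG-IP v9 layout shown above.
# Formats assumed from the page's samples:
#   server file : <ip>:<port> <secret> <number>
#   bigip.conf  : radius server NAME { server "<ip>" / secret "<secret>" }

# Emit "ip secret" pairs from the /etc/raddb/server style file.
pairs_from_server_file() {
    awk 'NF >= 2 && $1 !~ /^#/ { split($1, a, ":"); print a[1], $2 }' "$1"
}

# Emit "ip secret" pairs from the "radius server" blocks of bigip.conf.
# The "auth radius" block is skipped because it does not open with "radius server".
pairs_from_bigip_conf() {
    awk '
        /^[ \t]*radius server / { inblk = 1; ip = ""; key = ""; next }
        inblk && $1 == "server" { gsub(/"/, "", $2); ip = $2 }
        inblk && $1 == "secret" { gsub(/"/, "", $2); key = $2 }
        inblk && $1 == "}"      { print ip, key; inblk = 0 }
    ' "$1"
}

# Return 0 when both files define the same servers with the same secrets.
# Findings name the server only; a secret is never echoed.
radius_check() {
    rc=0
    a=$(pairs_from_server_file "$1"); b=$(pairs_from_bigip_conf "$2")
    for ip in $(printf '%s\n%s\n' "$a" "$b" | awk 'NF { print $1 }' | sort -u); do
        ka=$(printf '%s\n' "$a" | awk -v ip="$ip" '$1 == ip { print $2 }')
        kb=$(printf '%s\n' "$b" | awk -v ip="$ip" '$1 == ip { print $2 }')
        if [ -z "$ka" ] || [ -z "$kb" ]; then
            echo "MISSING $ip is not defined in both files"; rc=1
        elif [ "$ka" != "$kb" ]; then
            echo "MISMATCH $ip has different secrets"; rc=1
        fi
    done
    return $rc
}

# Constructed sample data: the page's values, with the second secret altered.
tmp=$(mktemp -d)
printf '10.10.10.10:1812 myKey123 3\n10.10.20.10:1812 myKey123 3\n' > "$tmp/server"
printf 'radius server n1 {\n   server "10.10.10.10"\n   secret "myKey123"\n}\n' > "$tmp/bigip.conf"
printf 'radius server n2 {\n   server "10.10.20.10"\n   secret "myKey456"\n}\n' >> "$tmp/bigip.conf"
radius_check "$tmp/server" "$tmp/bigip.conf" || echo "RADIUS config needs attention"
rm -rf "$tmp"
```

On the appliance itself, the call would be `radius_check /etc/raddb/server /config/bigip.conf`.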

