First, I want to clarify that I am not talking about load balancing RADIUS authentications. This post is strictly about setting up a load balancer to use RADIUS for authenticating users who want to gain access to the device itself via SSH (port 22) and HTTPS (port 443).
Second, if you are primarily using the GUI, this document won't help ya. Mixing GUI changes with command-line updates causes problems: configuration settings sometimes fail to load. Kind of a weird issue, and F5 support even suggests avoiding it.
I am assuming that the load balancer already has network access to the remote server that will provide authentication, meaning the interfaces and routes are configured correctly (as is the RADIUS server itself).
So, with that said, here's what ya need to set up RADIUS authentication. You can either edit the bigip.conf file directly or simply use the bigpipe command for steps 1 and 2. For those of you who are wondering, the 'b' command is short for bigpipe. If you enter bigpipe by itself on the command line, you'll get a list of all available commands.
STEP 1 - add the RADIUS server:
[root@bigip:Active] config # b radius server system_auth_name1 { server "192.168.1.1" service 1645 secret "password1234" }
STEP 2 - configure the load balancer to use RADIUS for authentication:
[root@bigip:Active] config # b auth radius system-auth { server system_auth_name1 }
STEP 3 - enable the remote access key in the DB:
[root@bigip:Active] config # b db Users.RemoteConsoleAccess enable
STEP 4 - copy and edit the file /config/bigip/auth/userroles:
[root@bigip:Active] config # cp userroles userroles.back
[root@bigip:Active] config # vi userroles
Make sure this value is set to 1:
> remoteconsoleaccess 1
*** I know what you are thinking... the file says something about not editing it. I'm not sure, but I think it gets updated from the GUI.
STEP 5 - save your changes and reload the config:
[root@bigip:Active] config # b save
[root@bigip:Active] config # b load all
OPTIONAL:
If you're a fan of using SSH keys, create a /config/ssh/authorized_keys file and add your public key. Steps 3-5 still need to be executed to allow remote connections.
Check your work by logging into the load balancer with your username and password. If you have problems, check /var/log/messages and /var/log/secure for errors.
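Before locking the device down to RADIUS-only logins, it helps to confirm that the server, port and shared secret from STEP 1 actually work. Here is an added example, not part of the original post or of F5's tooling: a minimal RFC 2865 Access-Request client in Python that hides the password the way RADIUS requires and refuses any reply whose Response Authenticator does not verify under the configured secret (a wrong secret shows up as a verification failure, not as a clean reject). The NAS-Identifier value "bigip" and the test credentials are constructed placeholders; the server address, port 1645 and secret are the post's own values.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", authenticator  # the first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         ident: int, authenticator: bytes, nas_id: bytes = b"bigip") -> bytes:
    """Access-Request carrying User-Name(1), User-Password(2) and NAS-Identifier(32)."""
    def attr(t, v): return struct.pack("BB", t, 2 + len(v)) + v
    attrs = attr(1, username) + attr(2, encrypt_password(password, secret, authenticator)) + attr(32, nas_id)
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), exactly as the server computes it."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_response(resp: bytes, request_auth: bytes, secret: bytes) -> int:
    """Return the reply Code only if its Response Authenticator verifies; otherwise the secret differs or the reply is forged."""
    code, ident, length = struct.unpack(">BBH", resp[:4])
    if resp[4:20] != response_authenticator(code, ident, resp[20:length], request_auth, secret):
        raise ValueError("Response Authenticator mismatch: shared secret differs?")
    return code


def check_radius(host, port, secret, username, password, timeout=3.0) -> str:
    """One Access-Request round trip; 'timeout' usually means this client IP is not a
    configured NAS on the server, or the port (1645 legacy, 1812 standard) is wrong."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(username, password, secret, ident, auth), (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if resp[1] != ident:  # reply to some other request; ignore it
        return "unexpected-id"
    code = parse_response(resp, auth, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code-{code}")
```

Run `check_radius("192.168.1.1", 1645, b"password1234", b"TEST_USER", b"TEST_PASSWORD")` from a host the RADIUS server already lists as a client (ideally the BIG-IP itself); "accept" or "reject" means the secret and port are right, while a ValueError points at a secret mismatch.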
Good post! Steps 3 and 4 have had me stumped for months now.
Posted by: jason | September 25, 2008 at 09:44 AM