« F5 Big-IP 6400 LTM 9.3.1 - Enable Connection Auto Lasthop via command line | Main | Ubuntu on Thinkpad T43 laptop - Numlock stuck 'on' »

September 19, 2008

F5 Big-IP 6400 LTM 9.3.1 - Configure remote login using RADIUS via command line.

First, I want to clarify that I am not talking about load balancing radius authentications. This post is strictly for setting up a load balancer to use radius for authenticating users who wish to gain access to the device via SSH (port 22) and HTTPS (port 443).

First, if you are primarily using the GUI, this document won't help ya. When making changes via GUI inline with command line updates, problems occur. Configuration settings may not successfully load (sometimes). Kind of a weird issue. F5 support even suggests avoiding this.

I am assuming that the load balancer already has access to the remote server that will provide authentication. Meaning, the interfaces and routes are configured correctly (as well as the RADIUS server itself).

So, with that said, here's what ya need to setup radius authentication. You can either edit the bigip.conf file directly, or simply use the bigpipe command for steps 1 and 2. For those of you who are wondering, the 'b' command is short for bigpipe. if you enter bigpipe by itself in command line, you'll get a list of all commands available.

STEP 1 - add the radius server:
[root@bigip:Active] config # b radius server system_auth_name1 { server "192.168.1.1" service 1645 secret "password1234" }

STEP 2 - configure the load balancer to use radius for authentication:
[root@bigip:Active] config # b auth radius system-auth { server system_auth_name1 }

STEP 3 - enable the remote access key in the DB:
[root@bigip:Active] config # b db Users.RemoteConsoleAccess enable

STEP 4 - copy and edit the file /config/bigip/auth/userroles:
[root@bigip:Active] config # cp userroles userroles.back
[root@bigip:Active] config # vi userroles
make sure this value is set to 1
> remoteconsoleaccess 1

*** I know what you are thinking... the file says something about not editing. I'm not sure, but I think it gets updated from the GUI.

STEP 5 - save your changes and reload the config:
[root@bigip:Active] config # b save
[root@bigip:Active] config # b load all

OPTIONAL:
If you're a fan of using ssh keys, create a /config/ssh/authorized_keys file and add your public key. Steps 3-5 need to be executed to allow remote connections.

Check your work by logging into the load balancer using your username and password. If you have problems, check /var/log/messages and /var/log/secure for errors.

Posted at 04:25 AM in F5 BigIP LTM |

Comments

Good post! Steps 3 and 4 have had me stumped for months now.

Posted by: jason | September 25, 2008 at 09:44 AM

The comments to this entry are closed.