How to: Configure Radius policies using BIG-IP Central Manager

BIG-IP Next Access supports authenticating and authorizing the client against external RADIUS servers. When a client connects with a user name and password, BIG-IP Next Access authenticates against the external server on behalf of the client, and authorizes the client to access resources if the credentials are valid.

Using BIG-IP Next Central Manager GUI

The following example creates a new Radius Authentication Access policy using the BIG-IP Next Central Manager user interface.

  1. Log in to BIG-IP Next Central Manager. Navigate to the Security canvas > Security > Access > Policies path.

  2. To create a policy, click the Start Creating button. By default, there are no policies created. The Create Policy page opens, and the Visual Policy Designer (VPD) canvas appears.

  3. Select the required policy type radio button. Available policy options are the Per-Session Policy and Per-Request Policy.

  4. In the How would you like to create it? section, select whether to create the policy from a template or from scratch. Available options are Create using a policy template and Start from scratch. Selecting Create using a policy template is recommended to set up the policy quickly.

  5. In the Policy Templates section, select the required policy template. Available options are Logon Page with Active Directory Query and SAML as a Service Provider. When the Logon Page with Active Directory Query is selected, this policy template includes a Logon Page and Active Directory rules for Authentication and Authorization purposes. When the SAML as a Service Provider is selected, this policy template includes SAML Federation and Variable Assign rules to configure for a SAML Service Provider setup.

  6. Click Next. Based on the selection of the policy type, the applicable policy configurations are displayed.

  7. On the General Properties tab, enter a Policy Name for the policy.

  8. Scroll through the remaining properties and revise any value that you want to change from its default setting.

  9. Click Continue. The Session Properties tab of the respective policy page appears.

  10. On the Session Properties tab, scroll through the properties and revise any value that you want to change from its default setting.

  11. Click Continue. The Logging tab of the respective policy page appears.

  12. On the Logging tab, scroll through the properties and revise any value that you want to change from its default setting.

  13. Click Continue. The Single Sign-On tab of the respective policy page appears.

  14. Single Sign-On (SSO) provides seamless access to the applications protected through BIG-IP Next Access. This allows administrators to use more modern authentication techniques, such as SAML or OAuth, and translate them to something the back-end application supports, such as Kerberos or Forms.

  15. On the Single Sign-On tab, click Start Creating to select the required authentication type. Available options are Forms, Forms Client-Initiated, HTTP Basic, Kerberos, and OAuth Bearer. When one of the authentication types is selected, its respective configuration page appears. Fill in the required values in the given fields and save the configuration.
    Refer to Single Sign-On methods for more information.

  16. Click Continue. The Endpoint Security tab of the respective policy page appears.

  17. On the Endpoint Security tab, choose the applicable version from its default setting.

  18. Click Continue. The Resources tab of the respective policy page appears.

  19. The Resources extend BIG-IP Next Access with additional capabilities such as Network Access, Access Control, Identity Providers, and Webtops.

  20. On the Resources tab, click Start Creating to select the required resource. Available options are Access Control List, Network Access, Webtop, and Webtop Section.

  21. Click Continue. The Connectivity tab of the respective policy page appears.

  22. On the Connectivity tab, scroll through the properties and revise any value that you want to change from its default setting.

  23. Click Continue. The Policy Endings tab of the respective policy page appears.

  24. On the Policy Endings tab, scroll through the properties and revise any value that you want to change from its default setting.

  25. Click Finish. The access policy is created.
    The VPD canvas opens.

    Note: Prior to establishing the Authentication rule, ensure that you have generated valid Certificate Authority (CA) signed SSL certificates. For detailed guidance on certificate management, refer to How to: Manage certificates and keys for a BIG-IP Next instance using BIG-IP Next Central Manager.

  26. Drag an empty flow into the VPD canvas.

  27. On the empty flow, click the Expand icon.
    The flow expands so you can edit it.

  28. On the VPD side bar, click the Rule icon, and then drag the Radius Authentication rule onto the empty flow.

  29. Hover the cursor over the Radius Authentication rule and then click the Edit icon.
    The Rule Properties tab of the Rule Configuration page opens.

    1. For Name, type the name for the rule.

    2. For Show Extended Error, specify whether to display the full error message generated by the authentication server on the user’s logon page.
      Note: This setting is intended only for testing or debugging, not for production use. Your system might be vulnerable to malicious attacks if set to Enabled in a live environment. When set to Disabled, the logon page displays only a generic error message. The default value is Disabled.

    3. For Max Logon Attempts Allowed, specify the number of user authentication logon attempts to allow. Select a number to limit the number of times the user can enter credentials through the logon screen when authentication fails. A complete logon and password challenge and response is considered as one attempt. The default value is 3.

    4. For Username Source, specify the session variable name from which the RADIUS item should read the username. The default value is %{session.logon.last.username}.

    5. For Password Source, specify the session variable name from which the RADIUS item should read the password. The default value is %{session.logon.last.password}.

    6. Click Continue. The RADIUS Server tab of the Rule Configurations page opens.

    7. Click Start Creating.
      The Radius Server page opens.

    8. For Name, specify the name of the RADIUS AAA server. This is a required setting.

    9. Specify the Server Connection.

      • Select Pool to set up high availability for the AAA server.

      • Select Direct to set up the AAA server for standalone functionality. (Note: This setting is not supported in the current release.)

    10. Specify the Server Settings.

      1. For the Secret, specify the shared secret password for your RADIUS AAA server and then confirm it in Verify Secret.

      2. For the Service Type, specify the type of service you use on the RADIUS server. Service types are specific to your RADIUS implementation. If you retain the default value, the service type is set to authenticate-only.

      3. For the Radius Character Set, specify the character encoding used for the user name and password. The default value is cp1252. The valid values are:

        • cp1252: The RADIUS Authentication item decodes the username and password into CP-1252 before sending it to the RADIUS server.
        • utf8: The RADIUS Authentication item sends the username and password unmodified.

      4. For the Timeout, specify the number of seconds to wait for a response from the RADIUS AAA server before timing out. The default value is 5.

      5. For Retries, specify the number of times that BIG-IP Next Access tries to connect to the RADIUS AAA server after the first attempt fails. The default value is 3.

    11. Specify the NAS Settings.

      1. For Identifier, specify the string used to identify the NAS that originates the access request.

      2. For IP Address, specify an IPv4 address, in dotted-quad notation and using the default zone, that identifies the NAS.

      3. For NAS IPv6 Address, specify an IPv6 address, in full, shortened, or mixed-shortened format and using the default zone, that identifies the NAS.

    12. Click Save.
      The Radius Server settings are saved and displayed for your review.

  30. Click Continue.
    The Branches tab of the Rule Configurations page opens.

  31. Under Branches, click Create.
    The Branches page opens.

  32. Under Expression, select a Context, a Condition and a Result for this branch.

  33. Add any (optional) AND or OR branches needed for the policy, and then click Save & Finish.

  34. On the Branches tab of the Rule Configuration page, click Finish.
    The VPD canvas displays the revised policy.

  35. Review the policy in the VPD canvas; click Save to finish creating the policy.
    BIG-IP Next Central Manager adds the policy to the Access Policies list.
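To show what the Radius Character Set setting in step 29 changes on the wire, the following added example (not F5's code; function names are mine) encodes a logon name the way the two settings are described: cp1252 converts the value to CP-1252 and cannot represent some names, while utf8 passes the text through unmodified.

```python
def encode_credential(value, charset):
    """Mimic the two Radius Character Set settings for one credential.

    Returns (encoded_bytes, note); encoded_bytes is None when the value has no
    representation in the chosen character set."""
    if charset == "utf8":            # sent unmodified, i.e. in its UTF-8 form
        return value.encode("utf-8"), "ok"
    if charset == "cp1252":          # converted to CP-1252 before sending
        try:
            return value.encode("cp1252"), "ok"
        except UnicodeEncodeError as exc:
            bad = value[exc.start:exc.end]
            return None, f"{bad!r} has no CP-1252 encoding"
    raise ValueError(f"unknown Radius Character Set {charset!r}")


def compare_charsets(username):
    """Return how the same logon name reaches the RADIUS server under each setting."""
    return {cs: encode_credential(username, cs) for cs in ("cp1252", "utf8")}


if __name__ == "__main__":
    # Constructed sample logon names: one inside CP-1252, one outside it.
    for name in ("Müller", "Łukasz"):
        for cs, (data, note) in compare_charsets(name).items():
            print(f"{name} via {cs}: {data!r} ({note})")
```

The two settings produce different bytes for the same name, so the RADIUS server must be configured for the same encoding, and names outside CP-1252 can only be authenticated with utf8.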

Using BIG-IP Next Central Manager API

The following example creates a new Radius Authentication Access policy using the BIG-IP Next Central Manager application programming interface (API).

  1. Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

  2. Create the policy by sending a POST request to the /api/v1/spaces/default/security/access-policies endpoint.

    POST https://<big-ip_next_cm_mgmt_ip>/api/v1/spaces/default/security/access-policies
    

    For the API body, use the following, substituting values appropriate for the policy you want to create.

    {
     "description": "",
     "name": "Radiusauth",
     "policy_type": "PerSession",
     "properties": [
         {
             "configuration": {
                 "policyType": "PerSession",
                 "name": "Radiusauth",
                 "externalServers": [
                     {
                         "name": "Radius-Server-09f9f700",
                         "radiusCharacterSet": "cp1252",
                         "retries": 3,
                         "secret": "admin",
                         "serverSide": {},
                         "serverType": "Radius",
                         "serviceType": "default",
                         "timeout": 5
                     }
                 ],
                 "policy": {
                     "objectContent": {
                         "macros": [
                             {
                                 "name": "Emptyba05b2f3",
                                 "start": {
                                     "name": "RADIUS-Authentication-ca0f39f1",
                                     "caption": "Fallback",
                                     "itemType": "aaa-radius",
                                     "maxLogonAttempt": 3,
                                     "passwordSource": "%{session.logon.last.password}",
                                     "ruleType": "aaa-radius",
                                     "serverName": "Radius-Server-09f9f700",
                                     "showExtendedError": false,
                                     "usernameSource": "%{session.logon.last.username}",
                                     "ruleId": "Radius-Auth-52e38a2e",
                                     "nextItems": [
                                         {
                                             "itemType": "terminal-out",
                                             "name": "Allow",
                                             "caption": "Branch-98cd7a34",
                                             "expression": "expr {( [binary scan \"MY_CLASS\" H* myVar] ? [string first $myVar [mcget {session.radius.last.attr.class}]] != -1 : 0 )}"
                                         },
                                         {
                                             "caption": "Fallback",
                                             "itemType": "terminal-out",
                                             "name": "Deny"
                                         }
                                     ],
                                     "isValid": true
                                 },
                                 "endings": [
                                     {
                                         "name": "Deny",
                                         "color": "#D9647A",
                                         "default": true
                                     },
                                     {
                                         "name": "Allow",
                                         "color": "#199D4D"
                                     }
                                 ]
                             }
                         ],
                         "start": {
                             "itemType": "macro-call",
                             "name": "Radiusrule",
                             "macro": "Emptyba05b2f3",
                             "caption": "Fallback",
                             "nextItems": [
                                 {
                                     "itemType": "deny",
                                     "name": "Deny",
                                     "caption": "Deny"
                                 },
                                 {
                                     "itemType": "allow",
                                     "name": "Allow",
                                     "caption": "Allow"
                                 }
                             ]
                         },
                         "endings": [
                             {
                                 "name": "Deny",
                                 "action": "deny",
                                 "color": "#D9647A",
                                 "default": true
                             },
                             {
                                 "name": "Allow",
                                 "action": "allow",
                                 "color": "#199D4D",
                                 "default": false
                             }
                         ],
                         "languages": [
                             "en"
                         ],
                         "defaultLanguage": "en"
                     }
                 },
                 "scope": "profile",
                 "profileType": "all",
                 "userIdentityMethod": "http",
                 "connectivityAccessPolicyName": "Radiusauth_cap",
                 "timeout": 300,
                 "inactivityTimeout": 900,
                 "maxSessionTimeout": 604800,
                 "maxConcurrentUsers": 0,
                 "maxConcurrentSessions": 0,
                 "maxInProgressSessions": 128,
                 "minFailureDelay": 2,
                 "maxFailureDelay": 5,
                 "domainCookie": "",
                 "secureCookie": false,
                 "persistentCookie": false,
                 "httpOnlyCookie": false,
                 "restrictToSingleClientIP": false,
                 "useHttp503OnError": false,
                 "logoutUriTimeout": 5,
                 "samesiteCookie": false,
                 "samesiteCookieAttrValue": "strict"
             },
             "connectivityProfileConfiguration": {
                 "compressBufferSize": 4096,
                 "compressGzipLevel": 6,
                 "compressGzipMemlevel": 8192,
                 "compressGzipWindowsize": 16384,
                 "compressCpusaver": true,
                 "compressCpusaverHigh": 90,
                 "compressCpusaverLow": 75,
                 "compressionAdaptive": true,
                 "compressionDeflateLevel": 1,
                 "compressionCodecs": [],
                 "pppTunnel": {
                     "profilePpp": {}
                 },
                 "clientPolicy": {
                     "ecSaveServersOnExit": true,
                     "ecReuseWinlogonSession": false,
                     "ecReuseWinlogonCreds": false,
                     "ecRunLogoffScript": false,
                     "ecWarnBeforeScriptLaunch": true,
                     "ecSavePasswordMethod": "none",
                     "ecSavePasswordTimeout": 240,
                     "ecComponentUpdate": "yes",
                     "serverList": [],
                     "ecLocationDnsList": [],
                     "androidEcRequireDeviceAuth": false,
                     "androidEcSavePasswordMethod": "disk",
                     "androidEcSavePasswordTimeout": 240,
                     "iosEcRequireDeviceAuth": false,
                     "iosEcSavePasswordMethod": "disk",
                     "iosEcSavePasswordTimeout": 240,
                     "macosEcSavePasswordMethod": "disk",
                     "macosEcSavePasswordTimeout": 240,
                     "chromeosEcSavePasswordMethod": "disk",
                     "chromeosEcSavePasswordTimeout": 240,
                     "chromeosEcLogonMethod": "native",
                     "macosEcLogonMethod": "native",
                     "name": "Radiusauth_cap_clientPolicy"
                 },
                 "name": "Radiusauth_cap",
                 "policyType": "ConnectivityAccessPolicy"
             },
             "loggingConfiguration": [
                 {
                     "component": "apmd",
                     "level": "NOTICE"
                 },
                 {
                     "component": "tmm",
                     "level": "NOTICE"
                 },
                 {
                     "component": "websso",
                     "level": "NOTICE"
                 },
                 {
                     "component": "renderer",
                     "level": "NOTICE"
                 }
             ]
         }
     ]
    }

BIG-IP Next Central Manager creates the policy specified by the parameter values used in the body of your POST.
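As an added example (not F5's code), the script below customises the POST body above, cross-checks it before submission, and sends it to the endpoint from step 2. It assumes the token from the authentication how-to is sent as a bearer token; the abbreviated sample body is constructed to keep the full body's cross-references (rule to server name, start item to macro name).

```python
"""Customise, sanity-check and submit the RADIUS access policy body from this how-to.
Added example, not F5 code; the bearer-token header is assumed from the auth how-to."""
import json
import ssl
import urllib.request

POST_PATH = "/api/v1/spaces/default/security/access-policies"  # endpoint from the how-to

def sample_body():  # constructed, abbreviated body keeping the full body's cross-references
    return {"name": "Radiusauth", "policy_type": "PerSession", "properties": [{
        "configuration": {
            "name": "Radiusauth",
            "externalServers": [{"name": "Radius-Server-09f9f700",
                                 "serverType": "Radius", "secret": "admin"}],
            "policy": {"objectContent": {
                "macros": [{"name": "Emptyba05b2f3", "start": {
                    "ruleType": "aaa-radius", "showExtendedError": False,
                    "serverName": "Radius-Server-09f9f700"}}],
                "start": {"itemType": "macro-call", "macro": "Emptyba05b2f3"}}}}}]}

def customize(body, name, secret):
    """Rename the policy and inject the RADIUS shared secret supplied by the caller."""
    cfg = body["properties"][0]["configuration"]
    body["name"] = cfg["name"] = name
    for srv in cfg["externalServers"]:
        if srv.get("serverType") == "Radius":
            srv["secret"] = secret
    return body

def check_policy(body):
    """Return findings a reviewer would raise: dangling references and unsafe values."""
    findings = []
    cfg = body["properties"][0]["configuration"]
    content = cfg["policy"]["objectContent"]
    servers = {s["name"] for s in cfg["externalServers"]}
    macros = {m["name"] for m in content["macros"]}
    if content["start"].get("itemType") == "macro-call" and content["start"].get("macro") not in macros:
        findings.append(f"start calls unknown macro {content['start'].get('macro')!r}")
    for rule in (m["start"] for m in content["macros"] if m["start"].get("ruleType") == "aaa-radius"):
        if rule.get("serverName") not in servers:
            findings.append(f"rule uses unknown RADIUS server {rule.get('serverName')!r}")
        if rule.get("showExtendedError"):
            findings.append("showExtendedError is enabled; keep it Disabled outside testing")
    for srv in cfg["externalServers"]:
        if srv.get("serverType") == "Radius" and srv.get("secret") in ("", "admin"):
            findings.append(f"server {srv['name']} still carries the how-to's sample secret")
    return findings

def post_policy(host, token, body, cafile=None):  # cafile: CA that issued the CM certificate
    req = urllib.request.Request(f"https://{host}{POST_PATH}", method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        return json.load(resp)
```

Run check_policy on the customised body and submit only when it returns no findings; the secret should come from a vault or environment variable rather than the script.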

Important: To fully configure this policy, attach this rule to an application. After attaching it to an application, also configure the external (AAA) servers for Radius Authentication. For additional details about managing an application, refer to How to: Manage applications using BIG-IP Next Central Manager and FAST templates.