How to: Configure RADIUS Auth Provider using BIG-IP Next Central Manager

Overview

The RADIUS protocol provides access control for network devices using one or more centralized servers. RADIUS operates over User Datagram Protocol (UDP) and provides authentication, authorization, and accounting (AAA) management for users connecting to a network service. You can change the authentication source for BIG-IP Next Central Manager users from the local database to an external authentication source, such as RADIUS. Configuring the remote RADIUS authentication source specifies that BIG-IP Next Central Manager uses a remote RADIUS server to authenticate users.

Procedure

Configure RADIUS Auth Provider for Administrative users

  1. Log in to BIG-IP Next Central Manager as admin.

  2. Click the Workspace icon next to the F5 icon, click System, and then click Auth Providers. The New Auth Providers screen opens.

  3. Select the RADIUS checkbox from the Select Provider Types drop-down in the External Authentication Provider section.

  4. Click the Configure button next to RADIUS. A new screen appears, allowing you to enable and configure the RADIUS authentication provider.

  5. Turn on the radio button to Enable this Auth Provider.

    Note: The administrator can Enable or Disable the Auth provider. If the provider is disabled, users will not see the authentication providers drop-down on the BIG-IP Next Central Manager login screen.

  6. In the Server settings, click the Start Adding button or click + Add Row to add an authentication server.

    • Host: Specifies the name of the primary RADIUS server.

    • Port: Specifies the port for primary RADIUS server communications. The default is 49.

      Note: You can click + Add Row to add more servers.

    • Secret: Specifies the secret of the RADIUS server.

    • To delete a server from the list, select the checkbox next to the server, then click Remove in the top right corner.

      Note: At least one server is required to enable the Remove button.

    • To verify these settings, type a Test User Name and the Test Password, and click the Test button. If the test connection is successful, a Success message will appear.

    • Click Save. The Auth Providers screen displays RADIUS Configured as the External Authentication Provider.

Add a RADIUS user to the BIG-IP Next Central Manager

  1. Log in to BIG-IP Next Central Manager as admin.

  2. Click the Workspace icon next to the F5 logo and then click System.

  3. On the left, click Users.

  4. Click the + Add button on the right. The New User panel opens.

  5. In the Properties section, select RADIUS as the Auth Provider from the drop-down.

  6. Enter a Username and optional Display Name and Email Address.

  7. Select the Standard Role or Administrator role you want to assign to this user.

    Note: If you choose the Standard role, you can assign multiple roles to a single user. Refer to How to: Assign standard roles to users.

  8. Click the Add User button.

Log in as a RADIUS user on the BIG-IP Next Central Manager

  1. On the BIG-IP Next Central Manager Login screen, select RADIUS as the Auth Provider from the drop-down menu, then enter your User Name and Password.

Note: If you select RADIUS as the Auth Provider, users will not have the option to change their passwords.

Edit the RADIUS Configuration

  1. Log in to BIG-IP Next Central Manager as admin.

  2. Click the Workspace icon next to the F5 icon, click System, and then click Auth Providers. The New Auth Providers screen opens.

  3. In the External Authentication Provider section, click the edit icon next to RADIUS Configured in the Select Provider Types drop-down. A new screen displays to enable and configure the RADIUS Auth provider.

  4. Modify the settings for the RADIUS server and click Save.

Modify a Role for the RADIUS user

  1. Log in to BIG-IP Next Central Manager as admin.

  2. Click the Workspace icon next to the F5 logo and then click System.

  3. On the left, click Users.

  4. Click on the username for which you want to modify the role. The User Information screen displays.

  5. In the Assign Role(s) section, you can change a user role from Standard Role to Administrator or from Administrator to Standard Role.

  6. Click the Save button.

Prerequisite

Procedures

To configure RADIUS users using Central Manager APIs:

  1. Configure the RADIUS server by sending a POST request to the /v1/spaces/default/auth-providers endpoint.

POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/auth-providers

For the request payload, use the following example and substitute appropriate values as required.

{
    "provider_type": "RADIUS",
    "content": {
        "servers": [
            {
                "host": "{{radius_host}}",
                "port": {{radius_port}}
            }
        ],
        "secret": "XYZnetworks"
    }
}

For more information about configuring the RADIUS server using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  2. Test the user availability in the RADIUS server by sending a POST request to the /v1/spaces/default/auth-providers/validate endpoint.

POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/auth-providers/validate

For the request payload, use the following example, substituting appropriate values as required.

{
    "provider_type": "RADIUS",
    "validation_type": "authenticateUser",
    "name": "RADIUS",
    "content": {
        "servers": [
            {
                "host": "{{radius_host}}",
                "port": {{radius_port}}
            }
        ],
        "secret": "XYZnetworks"
    },
    "username": "{{radius_user_1}}",
    "password": "{{radius_user_1_password}}"
}

For more information about validating the RADIUS server using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  3. Create a RADIUS user with a role such as Administrator or Standard role by sending a POST request to the /system/v1/users endpoint.

POST https://{{cm_mgmt_ip}}/api/system/v1/users

For the request payload, use the following example, modifying the values as required.

role_type: Change the role type to Administrator or Standard role as per the requirement.

For a RADIUS user, provider_type and provider_name must be RADIUS.

{
    "username": "{{radius_user_1}}",
    "password": "",
    "role_type": "Administrator",
    "provider_type": "RADIUS",
    "provider_name": "RADIUS"
}

For more information about creating users using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  4. Retrieve the list of roles with IDs by sending a GET request to the /system/v1/roles endpoint.

GET https://{{cm_mgmt_ip}}/api/system/v1/roles

For more information about retrieving the list of roles using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  5. Assign roles to RADIUS users by sending a POST request to the /system/v1/users/{radius_user_id}/roles endpoint.

POST https://{{cm_mgmt_ip}}/api/system/v1/users/{radius_user_id}/roles

For the request payload, use the following example, substituting appropriate values as required.

role_ids: Change the role IDs as per the requirement.

{
    "role_ids": [
        "{{admin-role-id}}"
    ]
}

For more information about assigning roles to users using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  6. Test the RADIUS server connection by sending a POST request to the /system/v1/auth-providers/login endpoint.

POST https://{{cm_mgmt_ip}}/api/system/v1/auth-providers/login

For the request payload, use the following example, substituting appropriate values as required.

{
    "provider_type": "RADIUS",
    "name": "RADIUS",
    "username": "{{radius_user_1}}",
    "password": "{{radius_user_1_password}}"
}

  7. Log in as the created user by sending a POST request to the /api/login endpoint.

POST https://{{cm_mgmt_ip}}/api/login

{
    "username": "test",
    "password": "test",
    "provider_type": "RADIUS",
    "provider_name": "RADIUS"
}

  8. Log out a user by sending a POST request to the /api/logout endpoint.

POST https://{{cm_mgmt_ip}}/api/logout

For more information about this request, see OpenAPI documentation.
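
The following pre-flight check for the step 1 payload is an added example, not code from F5 or from the BIG-IP Next Central Manager API. It builds the auth-providers body in the shape shown above and flags settings worth a second look before the POST: a port of 49 (the registered TACACS+ port, while RADIUS authentication servers conventionally listen on UDP 1812), an unresolved {{placeholder}}, and a secret that is the sample value or short. The host name, the RADIUS_SECRET environment variable, and the 16-character threshold are assumptions of this example.

```python
import json
import os

RADIUS_AUTH_PORT = 1812            # IANA-registered RADIUS authentication port (RFC 2865)
TACACS_PORT = 49                   # IANA-registered TACACS+ port
SAMPLE_SECRETS = {"XYZnetworks"}   # literal used in this page's example payloads
MIN_SECRET_LEN = 16                # assumption: RFC 2865 prefers at least 16 octets


def build_provider_payload(servers, secret):
    """Build the auth-providers body in the shape shown in step 1."""
    return {
        "provider_type": "RADIUS",
        "content": {
            "servers": [{"host": host, "port": port} for host, port in servers],
            "secret": secret,
        },
    }


def lint_provider_payload(payload):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if payload.get("provider_type") != "RADIUS":
        findings.append("provider_type is not RADIUS")
    content = payload.get("content") or {}
    servers = content.get("servers") or []
    if not servers:
        findings.append("no servers listed")
    for srv in servers:
        host, port = str(srv.get("host", "")), srv.get("port")
        if not host or "{{" in host:
            findings.append("host is empty or an unresolved {{placeholder}}")
        if type(port) is not int or not 1 <= port <= 65535:
            findings.append(f"{host}: port {port!r} is not an integer in 1-65535")
        elif port == TACACS_PORT:
            findings.append(f"{host}: port 49 is TACACS+; RADIUS auth is usually {RADIUS_AUTH_PORT}")
    secret = content.get("secret") or ""
    if secret in SAMPLE_SECRETS:
        findings.append("secret is the documentation sample value")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(f"secret is shorter than {MIN_SECRET_LEN} characters")
    return findings


if __name__ == "__main__":
    # Constructed sample input; RADIUS_SECRET is a hypothetical environment variable name.
    body = build_provider_payload([("radius1.example.net", 1812)],
                                  os.environ.get("RADIUS_SECRET", ""))
    print(json.dumps(body, indent=4))
    for finding in lint_provider_payload(body):
        print("FINDING:", finding)
```

Reading the secret from the environment keeps it out of saved request collections and shell history; the same check can run in CI against any stored provider definition.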