Configure RADIUS authentication on a BIG-IQ

Overview

You can use the REST API to configure the BIG-IQ so that users can be authenticated with a RADIUS server.

Prerequisites

This example assumes the following.

  • The BIG-IQ is operational, has completed setup and has all system-level configuration in place.
  • When performing the tasks in this example, you will review the RADIUS configuration settings and change them as appropriate for your environment.

Description

You can configure RADIUS authentication on BIG-IQ as follows:

  1. (OPTIONAL) Perform a POST on the providers/radius/evaluate URI to test RADIUS configuration settings and connectivity.
  2. Perform a POST to the providers/radius URI to create the RADIUS authentication provider on the BIG-IQ.
  3. Perform a POST on the RADIUS provider’s group collection to create a user group.
  4. Log in with the user to obtain a token.

1. (OPTIONAL) Perform a POST on the providers/radius/evaluate URI to test RADIUS configuration settings and connectivity.

Perform a POST to verify your connectivity to the servers listed in the servers field of the POST request body. This also ensures that you can bind to the RADIUS server. The response indicates which servers could be verified.

POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/radius/evaluate

The JSON in the body of the request can look similar to the following.

{
  "providerState": {
    "name":"sample",
    "servers":[
      {
        "host":"198.51.100.0",
        "port":1812
      }
    ]
  },
  "username":"user_rw",
  "password":"user_rw_pw"
}

The JSON in the body of the response can look similar to the following.

{
    "failed": [],
    "generation": 0,
    "kind": "cm:system:authn:providers:radius:evaluate:radiusevaluatestate",
    "lastUpdateMicros": 0,
    "password": "user_rw_pw",
    "providerState": {
        "encryptedSecret": "1w/cFWZ4KttChV4BOVRtSIFhFCfNtc5IgR07CCYMzHd=",
        "generation": 0,
        "lastUpdateMicros": 0,
        "name": "sample",
        "servers": [
            {
                "host": "198.51.100.0",
                "port": 1812
            }
        ],
        "timeoutMillis": 15000
    },
    "succeeded": [
        {
            "host": "198.51.100.0",
            "port": 1812
        }
    ],
    "username": "user_rw"
}

2. Perform a POST to the providers/radius URI to create the RADIUS authentication provider on the BIG-IQ.

Perform a POST to the RADIUS collection URI to create the authentication provider. The JSON body accepts the following fields.

Name          Type    Default  Description
servers.host  string  none     IP address for the RADIUS server
servers.port  string  none     Port number for the RADIUS server
secret        string  none     Secret for the RADIUS server

POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/radius

The JSON in the body of the request can look similar to the following.

{
    "name":"sample",
    "servers":[
      {
        "host":"198.51.100.0",
        "port":1812
      }
    ],
    "secret":"secret"
}

The JSON in the body of the response can look similar to the following.

{
    "encryptedSecret": "2M1TAthjEfozJm+J0meQgaTzbEkq7ljs5UAM1TAtzbD=",
    "generation": 1,
    "groupsReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/user-groups"
    },
    "id": "a290ac19-983d-4122-91e9-c2b9300a4b87",
    "kind": "cm:system:authn:providers:radius:radiusproviderstate",
    "lastUpdateMicros": 1509659240348636,
    "loginReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/login"
    },
    "name": "sample",
    "selfLink": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87",
    "servers": [
        {
            "host": "198.51.100.0",
            "port": 1812
        }
    ],
    "timeoutMillis": 15000,
    "usersReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/users"
    }
}

3. Perform a POST on the RADIUS provider’s group collection to create a user group.

To create a group to which the user is automatically assigned at login, send a POST request to the RADIUS provider’s group collection. Use the attribute-value pairs in the body of the request to specify the group.

POST: https://<BIG-IQ>/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/user-groups

The JSON in the body of the request can look similar to the following.

{
    "name":"sample-group",
    "propertyMap": {
        "F5-LTM-User-Role": "Administrator"
    }
}

The JSON in the body of the response can look similar to the following.

{
    "generation": 1,
    "id": "d9dadef9-e3e7-386c-8d84-582c490d2296",
    "kind": "cm:system:authn:providers:radius:radiususergroupstate",
    "lastUpdateMicros": 1509659601197533,
    "name": "sample-group",
    "propertyMap": {
        "F5-LTM-User-Role": "Administrator"
    },
    "selfLink": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/user-groups/d9dadef9-e3e7-386c-8d84-582c490d2296"
}

4. Log in with the user to obtain a token.

After completing the previous steps, you can get an authentication token for a user that exists on the RADIUS server by making a POST to the login endpoint. This token can be used in subsequent requests and is authorized to access any resources that the user reference or group references have permission to access.

POST: https://<BIG-IQ>/mgmt/shared/authn/login

The JSON in the body of the request can look similar to the following.

{
    "username":"user_rw",
    "password":"user_rw_pw",
    "loginReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/login"
    }
}

The JSON in the body of the response can look similar to the following.

{
    "generation": 17,
    "lastUpdateMicros": 1509660167293973,
    "loginReference": {
        "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/login"
    },
    "refreshToken": {
        "address": "192.0.2.255",
        "authProviderName": "sample",
        "exp": 1509696167,
        "generation": 52,
        "groupReferences": [
            {
                "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/user-groups/d9dadef9-e3e7-386c-8d84-582c490d2296"
            }
        ],
        "iat": 1509660167,
        "jti": "lSUeHRjuViU8ge_p3NpmYw",
        "kind": "shared:authz:tokens:authtokenitemstate",
        "lastUpdateMicros": 1509660167293796,
        "selfLink": "https://localhost/mgmt/shared/authz/tokens/eyJraWQiOiI0OTI5NDExMi0yZjcyLTQ5NWUtOWI1ZS00Y2NhMWY0YTQ5ZWIiLCJhbGciOiJSUzM4NCJ9.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.JgSqTjH-MWdzh4D9DyU-18JjHW4TsHhDgYBUWNLf2Ry2J99P6ASZSwgnw7s2GWgdifLh2N6JWmF2kRWYYy5hQ69JSPoZAOum5pbCveRnC3RQOasihxXN3p6ZmXpbrr6XEZR_R6HJpDMdiELnej6nkbhojtHC7HhYNe0w3LmEmwHsS6xcrUnxw2kTSdBftQSKgqrSmR5jiUxVkGnsHMGxWYFYpfWBZf3Wa5AOCLwfulRkPVx4rbCcjGAMmO1w4huDoZU8qfSER831g8pYIxmaPCnw1XG6C4X27_1zDmicIoVwuOeplWWCu57K7rB3lzG3LL7M9R1YnPGv9YvvhHWDS_d0wmWavzsL9AUJRwg-7elqegqoHjFOOhH430t6_W5ZKN10DwljOjFHnONRgMtOkLKeVntfAO24V2ZH77EM24MalcGrJN8aZ1sr51aQYW-Q4Ud7Gy1sznic5EbjH0WAFSXOuS_DikJqAQ8o57AWMFnCtl1BPi-K1lChej5OcDHG",
        "timeout": 36000,
        "token": "eyJraWQiOiI0OTI5NDExMi0yZjcyLTQ5NWUtOWI1ZS00Y2NhMWY0YTQ5ZWIiLCJhbGciOiJSUzM4NCJ9.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.JgSqTjH-MWdzh4D9DyU-18JjHW4TsHhDgYBUWNLf2Ry2J99P6ASZSwgnw7s2GWgdifLh2N6JWmF2kRWYYy5hQ69JSPoZAOum5pbCveRnC3RQOasihxXN3p6ZmXpbrr6XEZR_R6HJpDMdiELnej6nkbhojtHC7HhYNe0w3LmEmwHsS6xcrUnxw2kTSdBftQSKgqrSmR5jiUxVkGnsHMGxWYFYpfWBZf3Wa5AOCLwfulRkPVx4rbCcjGAMmO1w4huDoZU8qfSER831g8pYIxmaPCnw1XG6C4X27_1zDmicIoVwuOeplWWCu57K7rB3lzG3LL7M9R1YnPGv9YvvhHWDS_d0wmWavzsL9AUJRwg-7elqegqoHjFOOhH430t6_W5ZKN10DwljOjFHnONRgMtOkLKeVntfAO24V2ZH77EM24MalcGrJN8aZ1sr51aQYW-Q4Ud7Gy1sznic5EbjH0WAFSXOuS_DikJqAQ8o57AWMFnCtl1BPi-K1lChej5OcDHG",
        "type": "REFRESH",
        "user": {
            "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/users/eee9c25a-cb14-3f37-8ddf-5919857c975b"
        },
        "userName": "user_rw"
    },
    "token": {
        "address": "192.0.2.255",
        "authProviderName": "sample",
        "exp": 1509660467,
        "generation": 51,
        "groupReferences": [
            {
                "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/user-groups/d9dadef9-e3e7-386c-8d84-582c490d2296"
            }
        ],
        "iat": 1509660167,
        "jti": "goZUPtwfAlbhP9_F7nhuFQ",
        "kind": "shared:authz:tokens:authtokenitemstate",
        "lastUpdateMicros": 1509660167275372,
        "selfLink": "https://localhost/mgmt/shared/authz/tokens/bi9wcm92aBRlcnMvbGRpcC8yNDy0YTMwNy03ZTNiLTRmODctODljZi0xY2YzNDg4Yjg2ZTQvnXNlcnMvMmM0MmU1Y2YtMBNkYi0zZmVpLTg0ZBQtMjY3MDyTQ5NBUtOBI1ZS00Y2NpMBY0YTQ5ZBIiLCJpbGciOiJSUzM4NCJ9.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.cVUCUc239bwSnRuXlpUpAGJ0p7nRTuAfc4sblSOPPaunb9cXkaiCa94LkyUUCfP53wy76G9znC9tZ210L2NtL3N5c3RlbS9pnXRobi9wcm92aBRlcnMvbGRpcC8yNDy0YTMwNy03ZTNirIC4ywuYgDNiDUxAZU18BNsBynq8SItuyBcbH9UyL4nzVMbQnBwJKBjzRoKIbZpnNjkoNBPmHimos9QXyZymr22pQpHpIJXZI-1k2192ACH4jpABfv3n5Z3aOTQBUYTQLXbB3TU5cYMyymp7SxBzjCfrnUUKygpGr80tAn-Ll7lUASt_L-SgamHD3uHkX7c29pI4mrQPU2gaSNwQnZaKs-Gv1uryV4y_PfTKLymxzMkJyoKPoPyzsxLnnbmZ3cP6y42MI7PrN75_p2GUnowupQbis_qkUicrwt7Q3upokkp3b5PJ9LCIQSip7LPQTQ4bDzYJUPpyoypTR1nHQru_y6vqmmv5jYHirDCI1nZu97lV7Ho3bPQPnjJTZLH_nZAA8RIo9y4U7APAqc9Lt6HncMBHvSvr8VwcTaBK8g2v0tBPLnnDGYauyYpNf93",
        "timeout": 300,
        "token": "bi9wcm92aBRlcnMvbGRpcC8yNDy0YTMwNy03ZTNiLTRmODctODljZi0xY2YzNDg4Yjg2ZTQvnXNlcnMvMmM0MmU1Y2YtMBNkYi0zZmVpLTg0ZBQtMjY3MDyTQ5NBUtOBI1ZS00Y2NpMBY0YTQ5ZBIiLCJpbGciOiJSUzM4NCJ9.yyJpc3MiOiJCSUctSVyiLCJqnGkiOiIyTXJuZUV1SUZ4SzlNb2nDaUUuYmx3Iiwic3ViIjoiaXZpbiIsImU1ZCI6Ijy5MiyyJraBQiOiI0OTI5NDyxMi0yZjcyL4xNjguNDMuNzAiLCJpYXQiOjy1MDk1NzgyMjAsImV4cCI6MTUwOTU3ODUyMCwinXNlck5pbBUiOiJpnmUuIiwiYXV0aUByb3ZpZGVyTmUtZSI6InNpbXBsZSIsInVzZXIiOiJonHRwczovL2xvY2UsaG9znC9tZ210L2NtL3N5c3RlbS9pnXRo4ZBYxNTyxIiwinHlwZSI6IkUDQ0VTUyIsInRpbBVvnXQiOjMwMCwiZ3JvnXBSZBZlcmVuY2VzIjpbImp0nHBzOi8vbG9jYBxob3N0L21nbXQvY20vc3lznGVtL2U1nGpuL3Byb3ZpZGVycy9sZGUwLzI0MTRpMzA3LTnlM2ItNGY4Ny04OBNmLTUjZjM0ODpiODZlNC91c2VyLBnyb3Vwcy81ZTpmZjliZi01NBJpLTM1MDgtOTk5ZC0yMmU5ODQxMjliZTYiLCJonHRwczovL2xvY2UsaLTRmODctODljZi0xY2YzNDg4Yjg2ZTQvnXNlci1ncm91cHMvMTVjMBI5MDytNGZmYy0zNjQzLTg1ZBQtOTg0MDU3ZTliMTUyIl19.cVUCUc239bwSnRuXlpUpAGJ0p7nRTuAfc4sblSOPPaunb9cXkaiCa94LkyUUCfP53wy76G9znC9tZ210L2NtL3N5c3RlbS9pnXRobi9wcm92aBRlcnMvbGRpcC8yNDy0YTMwNy03ZTNirIC4ywuYgDNiDUxAZU18BNsBynq8SItuyBcbH9UyL4nzVMbQnBwJKBjzRoKIbZpnNjkoNBPmHimos9QXyZymr22pQpHpIJXZI-1k2192ACH4jpABfv3n5Z3aOTQBUYTQLXbB3TU5cYMyymp7SxBzjCfrnUUKygpGr80tAn-Ll7lUASt_L-SgamHD3uHkX7c29pI4mrQPU2gaSNwQnZaKs-Gv1uryV4y_PfTKLymxzMkJyoKPoPyzsxLnnbmZ3cP6y42MI7PrN75_p2GUnowupQbis_qkUicrwt7Q3upokkp3b5PJ9LCIQSip7LPQTQ4bDzYJUPpyoypTR1nHQru_y6vqmmv5jYHirDCI1nZu97lV7Ho3bPQPnjJTZLH_nZAA8RIo9y4U7APAqc9Lt6HncMBHvSvr8VwcTaBK8g2v0tBPLnnDGYauyYpNf93",
        "type": "ACCESS",
        "user": {
            "link": "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87/users/eee9c25a-cb14-3f37-8ddf-5919857c975b"
        },
        "userName": "user_rw"
    },
    "username": "user_rw"
}
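
The four steps chain through values returned by earlier responses. The following added example (not part of the original page or of F5's code) shows that chaining, plus a log-safe copy of the bodies, since the evaluate response echoes the password and each token's selfLink embeds the token. The host bigiq.example.net, the function names and the trimmed PROVIDER sample are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

SECRET_KEYS = {"password", "secret", "encryptedSecret"}
BASE = "https://localhost/mgmt/cm/system/authn/providers/radius/a290ac19-983d-4122-91e9-c2b9300a4b87"
# Constructed sample: trimmed copy of the step 2 response, secret replaced by a placeholder.
PROVIDER = {"name": "sample", "encryptedSecret": "placeholder",
            "groupsReference": {"link": BASE + "/user-groups"},
            "loginReference": {"link": BASE + "/login"}}

def unverified_servers(evaluate_resp, wanted):
    """Step 1: requested servers that the response did not list under 'succeeded'."""
    ok = {(s["host"], s["port"]) for s in evaluate_resp.get("succeeded", [])}
    return [s for s in wanted if (s["host"], s["port"]) not in ok]

def rebase(link, bigiq_host):
    """Response links point at localhost; swap in the address the client uses."""
    p = urlsplit(link)
    return urlunsplit((p.scheme, bigiq_host, p.path, p.query, p.fragment))

def followups(provider_resp, bigiq_host, group, role, username, password):
    """Steps 3 and 4: derive both (url, body) pairs from the step 2 response."""
    group_req = (rebase(provider_resp["groupsReference"]["link"], bigiq_host),
                 {"name": group, "propertyMap": {"F5-LTM-User-Role": role}})
    login_req = (f"https://{bigiq_host}/mgmt/shared/authn/login",
                 {"username": username, "password": password,
                  # the page sends the login link exactly as the provider returned it
                  "loginReference": {"link": provider_resp["loginReference"]["link"]}})
    return group_req, login_req

def redact(obj, key=None):
    """Return a copy of a request or response body that is safe to log."""
    if isinstance(obj, dict):
        return {k: redact(v, k) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        if key in SECRET_KEYS or key == "token":
            return "<redacted>"
        if key == "selfLink" and "/authz/tokens/" in obj:
            # token selfLinks carry the token itself in the path
            return obj.split("/authz/tokens/")[0] + "/authz/tokens/<redacted>"
    return obj

if __name__ == "__main__":
    group_req, login_req = followups(PROVIDER, "bigiq.example.net", "sample-group",
                                     "Administrator", "user_rw", "user_rw_pw")
    print(group_req[0])
    print(redact(login_req[1]))
```
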