Using RADIUS authentication in an access policy

You configure an access policy with a RADIUS Auth action to provide RADIUS authentication as one of the authentication options for users trying to gain access.

Note: You can use RADIUS authentication in addition to other authentication types. You can require that users pass at least one type of authentication or that they pass multiple types of authentication.

1. On the Main tab, click Access Policy > Access Profiles.

The Access Profiles List screen opens.

2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.

3. Click the (+) icon anywhere in the access policy to add a new action item.

Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.

A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.

4. On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.

5. Make any changes that you require to the logon page properties and click Save. The properties screen closes and the visual policy editor displays.

6. Click the (+) icon anywhere in the access policy to add a new action item.

BIG-IP® Access Policy Manager®: Authentication and Single Sign-On

Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.

A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.

7. From the Authentication tab, select RADIUS Auth and click Add Item. The popup screen closes. A Properties popup screen opens.

8. On the Properties popup screen from the AAA Server list, select the AAA RADIUS server you configured previously and click Save.

The popup screen closes and the visual policy editor displays.

9. Complete the access policy:

a) Add any additional access policy items you require.

b) Change the ending from Deny to Allow on any access policy branch on which you want to grant access.

10. Click Apply Access Policy to save your configuration.

This creates an access policy that collects user credentials and uses them to authenticate with a RADIUS server.

To apply this access policy to network traffic, add the access profile to a virtual server.

Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Creating a virtual server

When creating a virtual server for an access policy, specify an IP address for a single host as the destination address.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

2. Click the Create button.

The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. In the Destination Address field, type the IP address for a host virtual server.

This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.

5. In the Service Port field, type a port number or select a service name from the Service Port list.

6. From the HTTP Profile list, select http.

7. If you use server SSL for this connection, from the SSL Profile (Server) list, select a server SSL profile.

8. If you use client SSL for this profile, from the SSL Profile (Client) list, select a client SSL profile.

9. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.

10. From the Connectivity Profile list, select a connectivity profile.

You can select the default connectivity profile, connectivity, if you have not defined a specific profile for the traffic that is directed to this virtual server.

11. Click Finished.

You have configured a host virtual server and associated an access profile with it.

Testing AAA high availability for supported authentication servers

To effectively test that high availability works for your authentication servers, you should have two servers that are accessible, where you can remove one of them from the network.

Note: High availability is supported for these authentication server types only: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+.

If you configured a supported authentication server type to use a pool of connection servers, you can test the configuration using these steps.

1. Start a tcpdump capture on the Access Policy Manager®, filtering for packets destined for the port on which your authentication server listens (for RADIUS, the authentication port, by default UDP 1812).

2. Log in to the virtual server with both servers active.

3. Using the tcpdump records, verify that the requests are being sent to the higher-priority server.

4. Log out of the virtual server.

5. Disable the higher-priority server.

6. Log in to the virtual server again.

7. Verify that the request is being sent to the other server.

8. Log out again, re-enable the higher-priority server, and log in one more time to verify that new requests are again being sent to the higher-priority server.
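The following shell script is an added example, not part of the F5 documentation, showing how the tcpdump steps above can be checked without reading packets by eye. It builds the capture command for step 1 and parses tcpdump -nn output to report which RADIUS server received the Access-Request packets (steps 3 and 7). The addresses are hypothetical: the APM self IP 10.1.10.5, a higher-priority RADIUS server 10.1.20.11, a lower-priority server 10.1.20.12, and the default authentication port 1812. The two captures embedded in the script are constructed samples in tcpdump's RADIUS decode format, not real traffic.

```shell
#!/bin/sh
# Added example: verify which RADIUS server receives Access-Requests during
# an AAA high-availability test. Not part of the F5 documentation.
# Hypothetical addresses: APM self IP 10.1.10.5, servers 10.1.20.11 (higher
# priority) and 10.1.20.12, RADIUS authentication port 1812.

RADIUS_PORT=1812

# Command to run on the BIG-IP for step 1. -nn keeps addresses and ports
# numeric so the server IP appears literally; -l line-buffers the output so
# it can be piped into request_targets below; 0.0 is the BIG-IP
# pseudo-interface that captures on all VLANs.
capture_command() {
    echo "tcpdump -nn -l -i 0.0 udp port $RADIUS_PORT"
}

# Constructed sample (not a real capture): both servers up, step 2.
# Requests go to the higher-priority server 10.1.20.11.
SAMPLE_BOTH_UP='10:15:01.100 IP 10.1.10.5.50012 > 10.1.20.11.1812: RADIUS, Access-Request (1), id: 0x3a length: 120
10:15:01.105 IP 10.1.20.11.1812 > 10.1.10.5.50012: RADIUS, Access-Accept (2), id: 0x3a length: 32
10:15:09.400 IP 10.1.10.5.50013 > 10.1.20.11.1812: RADIUS, Access-Request (1), id: 0x3b length: 118
10:15:09.404 IP 10.1.20.11.1812 > 10.1.10.5.50013: RADIUS, Access-Reject (3), id: 0x3b length: 20'

# Constructed sample: higher-priority server disabled, step 6.
# The request is answered by the other server 10.1.20.12.
SAMPLE_FAILOVER='10:22:41.010 IP 10.1.10.5.50020 > 10.1.20.12.1812: RADIUS, Access-Request (1), id: 0x41 length: 120
10:22:41.018 IP 10.1.20.12.1812 > 10.1.10.5.50020: RADIUS, Access-Accept (2), id: 0x41 length: 32'

# Print "<count> <server-ip>" for every server that received an
# Access-Request in the given capture text ($1). Replies are ignored, so
# a server that only sent Access-Accept/Reject is never counted.
request_targets() {
    printf '%s\n' "$1" | awk -v port="$RADIUS_PORT" '
        /RADIUS, Access-Request/ {
            dst = $5                      # e.g. "10.1.20.11.1812:"
            sub(/:$/, "", dst)            # drop trailing colon
            sub("\\." port "$", "", dst)  # drop ".1812" -> server IP
            count[dst]++
        }
        END { for (s in count) print count[s], s }'
}

# Return 0 if every Access-Request in capture $1 went to server $2,
# 1 if any went elsewhere or if no Access-Request was seen at all
# (an empty capture would otherwise look like a pass).
verify_target() {
    targets=$(request_targets "$1")
    [ -n "$targets" ] || return 1
    printf '%s\n' "$targets" | awk -v want="$2" '
        $2 != want { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: report both samples as the test steps would.
echo "Step 1 command: $(capture_command)"
echo "Both servers up:"; request_targets "$SAMPLE_BOTH_UP"
echo "Higher-priority server disabled:"; request_targets "$SAMPLE_FAILOVER"
```

In practice you run `capture_command` on the BIG-IP, save its output to a file, and pass that text to `verify_target` with the server you expect for each step: the higher-priority server in steps 3 and 8, the other server in step 7. A non-zero return means either some requests went to the wrong server or the capture contained no Access-Request at all, which usually means the filter port does not match the port configured on the AAA server object.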