Forum Discussion

rafaelbn_176840
Feb 05, 2018

RADIUS admin authentication going out with the wrong source-ip

Hello Devs! How are you guys doing?!

I came across a very strange thing.

We have a Viprion 2400 chassis with one 2150 blade in it. We created a single vCMP guest and configured it to use RADIUS auth for admin users.

Everything was working fine, but after some tests (which included reloads on the blade) the RADIUS auth stopped working.

After some digging I found out that the packets were leaving the F5 through one of its self IPs instead of the management interface. Here:

root@(RCCEBTF5MCK-04-vCMP01)(cfg-sync In Sync)(/S1-green-P:Standby)(/Common)(tmos) list net self
net self SLF_VLAN_3102_INTERCONEXAO {
    address 10.53.0.102/28
    traffic-group traffic-group-local-only
    vlan VLAN_3102_INTERCONEXAO
}

root@(RCCEBTF5MCK-04-vCMP01)(cfg-sync In Sync)(/S1-green-P:Standby)(/Common)(tmos) tcpdump -nni 0.0 host 10.243.190.28
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:24:41.183981 IP 10.53.0.102.3161 > 10.243.190.28.1812: RADIUS, Access Request (1), id: 0x0d length: 88 out slot1/tmm0 lis=
15:24:44.186779 IP 10.53.0.102.3161 > 10.243.190.28.1812: RADIUS, Access Request (1), id: 0x0d length: 88 out slot1/tmm0 lis=
15:24:47.189886 IP 10.53.0.102.3161 > 10.243.190.28.1812: RADIUS, Access Request (1), id: 0x0d length: 88 out slot1/tmm0 lis=
15:24:50.192702 IP 10.53.0.102.3161 > 10.243.190.28.1812: RADIUS, Access Request (1), id: 0x0d length: 88 out slot1/tmm0 lis=
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel


[root@RCCEBTF5MCK-04-vCMP01:/S1-green-P:Standby:In Sync] config  tailf /var/log/secure
Feb  5 15:21:26 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.28 failed to respond
Feb  5 15:21:29 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.28 failed to respond
Feb  5 15:21:32 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.28 failed to respond
Feb  5 15:21:35 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.28 failed to respond
Feb  5 15:21:38 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.29 failed to respond
Feb  5 15:21:41 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.29 failed to respond
Feb  5 15:21:44 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.29 failed to respond
Feb  5 15:21:47 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.29 failed to respond
Feb  5 15:21:47 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: All RADIUS servers failed to respond.

As far as I know:

  1. This traffic is management traffic, so it should leave the BIG-IP with the source IP of the management interface;

  2. There's no way of specifying the source IP when configuring RADIUS auth for admin users on LTM;

Currently the Viprion host is running 13.0.0 Hotfix HF3 (3.0.1679) and the vCMP guest is running 12.1.2 Hotfix HF2 (2.0.276).

What am I missing here?

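The symptom in the post (RADIUS Access-Requests sourced from a self IP, and pam_radius_auth timing out on every server) can be checked mechanically from the same three outputs. The following is an added example written for this page, not code from the original post or from F5: it parses `tmsh list net self` output, the tcpdump lines and the /var/log/secure lines, flags RADIUS requests that did not leave from the management address, and lists the host prefixes that would need a management route. The management IP 192.0.2.10, the function names and the RADIUS port set are assumptions; the sample inputs are constructed from the lines quoted above.

```python
import ipaddress
import re

# Sample input, constructed for this example from the outputs quoted in the thread.
SELF_IP_LISTING = """\
net self SLF_VLAN_3102_INTERCONEXAO {
    address 10.53.0.102/28
    traffic-group traffic-group-local-only
    vlan VLAN_3102_INTERCONEXAO
}
"""

TCPDUMP_OUTPUT = """\
15:24:41.183981 IP 10.53.0.102.3161 > 10.243.190.28.1812: RADIUS, Access Request (1), id: 0x0d length: 88 out slot1/tmm0 lis=
15:24:44.186779 IP 10.53.0.102.3161 > 10.243.190.28.1812: RADIUS, Access Request (1), id: 0x0d length: 88 out slot1/tmm0 lis=
"""

SECURE_LOG = """\
Feb  5 15:21:26 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.28 failed to respond
Feb  5 15:21:38 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: RADIUS server 10.243.190.29 failed to respond
Feb  5 15:21:47 slot1/RCCEBTF5MCK-04-vCMP01 err sshd[1939]: pam_radius_auth: All RADIUS servers failed to respond.
"""

# The guest's management address is not shown in the thread; this value is an assumption.
MGMT_IP = ipaddress.ip_address("192.0.2.10")

RADIUS_PORTS = {1812, 1813, 1645, 1646}  # auth/acct on the current and legacy port numbers

SELF_ADDR_RE = re.compile(r"^\s*address\s+(\S+)", re.MULTILINE)
PACKET_RE = re.compile(
    r"\bIP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)
PAM_RE = re.compile(r"pam_radius_auth: RADIUS server (\S+) failed to respond")


def parse_self_ips(listing):
    """Self-IP host addresses from `tmsh list net self` output (prefix length dropped)."""
    return {ipaddress.ip_interface(a).ip for a in SELF_ADDR_RE.findall(listing)}


def failed_radius_servers(secure_log):
    """RADIUS servers that pam_radius_auth reported as unresponsive in /var/log/secure."""
    return {ipaddress.ip_address(s) for s in PAM_RE.findall(secure_log)}


def misrouted_radius_requests(tcpdump_text, self_ips, mgmt_ip):
    """RADIUS requests whose source address is not the management IP.

    Returns a sorted list of (src, dst, src_is_self_ip) tuples, one per distinct
    flow, so the caller can see which data-plane address the request leaked from.
    """
    flows = set()
    for line in tcpdump_text.splitlines():
        m = PACKET_RE.search(line)
        if not m or int(m.group("dport")) not in RADIUS_PORTS:
            continue
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        if src != mgmt_ip:
            flows.add((str(src), str(dst), src in self_ips))
    return sorted(flows)


def management_routes_needed(misrouted, failed_servers):
    """Host prefixes that need a `sys management-route` so requests use the management plane.

    Includes servers only named in the PAM log: the second server never shows up
    in a capture that was filtered on the first one.
    """
    targets = {ipaddress.ip_address(dst) for _, dst, _ in misrouted} | failed_servers
    return [f"{ip}/32" for ip in sorted(targets)]


if __name__ == "__main__":
    self_ips = parse_self_ips(SELF_IP_LISTING)
    leaks = misrouted_radius_requests(TCPDUMP_OUTPUT, self_ips, MGMT_IP)
    for src, dst, is_self in leaks:
        kind = "self IP" if is_self else "non-management IP"
        print(f"RADIUS request to {dst} sourced from {src} ({kind})")
    for prefix in management_routes_needed(leaks, failed_radius_servers(SECURE_LOG)):
        print(f"management route needed for {prefix}")
```

Run against the posted outputs it reports the single leaked flow 10.53.0.102 -> 10.243.190.28 (a self IP) and two candidate host routes, one per RADIUS server named in the PAM log.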
1 Reply

  • Hi,

    The management interface is for management only (incoming connections only).

    All outgoing connections leave the BIG-IP according to the routing table.

    If you want to change that behavior, you have to add a new management route to the RADIUS server.

    This can be done through the tmsh command

    create sys management-route
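A worked version of the fix described in the reply, added here as an example and not taken from the reply or from F5 documentation. The RADIUS server addresses are the ones from the thread; the route names, the management gateway 192.0.2.1 and the `mgmt` interface name used for verification are assumptions and must be replaced with the guest's real values.

```tmsh
# Run from the tmos prompt of the vCMP guest (management routes are per guest;
# they live in the guest's base config and are not part of config sync).

# 1. Check the management address and the routes that already exist
#    (usually only the default management route).
list sys management-ip
list sys management-route

# 2. Add one host route per RADIUS server via the management gateway
#    (192.0.2.1 is an assumed value).
create sys management-route radius-auth-01 network 10.243.190.28/32 gateway 192.0.2.1
create sys management-route radius-auth-02 network 10.243.190.29/32 gateway 192.0.2.1

# 3. Persist the change.
save sys config

# 4. Verify while logging in over SSH again: Access-Requests must now be
#    sourced from the management IP on the management interface, and the
#    earlier capture on 0.0 should stay empty for this host.
tcpdump -nni mgmt host 10.243.190.28
tcpdump -nni 0.0 host 10.243.190.28
```

Two things to check on the RADIUS side once the source changes: the NAS client entry for this BIG-IP must be the management IP (a client entry keyed on the self IP, or on a wider data-plane subnet, would silently stop matching), and any firewall between the management network and the RADIUS servers must permit UDP/1812 from the management address.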