Forum Discussion

sstafford
Jan 31, 2018

Remote - RADIUS Authentication and role groups

So, I’ve managed to configure our test LTM pair so that I can login to them via Radius with either a kerberos id, or with a static account.


However, I’ve an issue with understanding the functionality of “Other External users” versus Remote Role Groups, not to mention I can find little documentation on how one sets up Radius so that it tells the LTM that a particular user is a member of a specific Remote user group.


I understand how to set the Resource admin role for a user—it would look something like either of the following in the RADIUS users file:

testuser Auth-Type := Kerberos
        F5-LTM-User-Role = 100,
        F5-LTM-User-Info-1 = mgmt,
        F5-LTM-User-Partition = TestRadius,
        F5-LTM-User-Shell = tmsh

or

testadmin Auth-Type := Local, Cleartext-Password := "munged"
        F5-LTM-User-Role = 700,
        F5-LTM-User-Info-1 = mgmt,
        F5-LTM-User-Partition = Common,
        F5-LTM-User-Shell = tmsh


But I can find nothing about how to configure radius so that it tells the F5 that either user is a member of a particular remote role group. Article K14324: “Using F5 vendor-specific attributes with RADIUS authentication” implies that if I have a remote role guest group set up and I pass “F5-LTM-User-Role = 700,” along as part of the user login then the user, based on the Access-Accept response and the remote role configuration, would be assigned the guest access to the BIG-IP system. After multiple attempts, I can state that this is not so. The putative remote role group membership is, as far as I can tell, completely ignored in favor of the settings within the “Other External users” setup. In this case the “Other External users” role defaults to Administrator, so a user that is ostensibly a guest on the system can do whatever he damn well likes.


Presuming that I do eventually figure out how to configure RADIUS to deal with group membership, in what order does the LTM evaluate the general setting of “Other External users” versus Remote role group? My supposition was that “Other External users” would be looked at after membership in the remote role groups, yet my experience thus far argues otherwise, and there is no clear statement that this is the case in the documentation.
