Forum Discussion

Gilles_from_Lux
Aug 31, 2017

Add custom Radius attribute "NAS Identifier" in APM

Hi F5 community,

I would like to ask you a question regarding APM and RADIUS authentication. We have a backend RADIUS server which can authenticate users in Active Directory ONLY or in Active Directory plus a one-time password. So all authentication requests are sent to the RADIUS server. We use the NAS Identifier to select "Client Policies" on the RADIUS server to choose whether the user needs AD authentication only or AD+OTP. This can be used together with AD security groups. So the initial idea was to use these AD security groups to create a group per application published on F5. These groups are associated with Client Policies on the RADIUS server.

So my question is: Is it possible to change the NAS Identifier in VPE, or is it possible to add the RADIUS "NAS Identifier" attribute in APM? I may have found a workaround with

RADIUS::avp replace NAS-Identifier $nasid "string"


but I do not fully understand how to implement this on F5. Is this LTM-based or APM, and how do I receive information about the URL visited by the user?

Is the best solution to add a RADIUS attribute "NAS Identifier" in APM?

Kind regards,

Gilles


2 Replies

  • Hi Gilles,


    So my question is: Is it possible to change the NAS Identifier in VPE or is it possible to add Radius "NAS Identifier" attribute in APM? I found maybe a workaround with RADIUS::avp replace NAS-Identifier $nasid "string"


    You can set a unique "NAS Identifier" on each RADIUS server configuration object (aka. Access Policy ›› AAA Servers : RADIUS). But you can't change the value dynamically within VPE.


    To meet your requirements without changing the value dynamically, you could simply create two RADIUS server configuration objects for the same RADIUS infrastructure, assign a different "NAS Identifier" attribute to each of them, and then use VPE to switch between the RADIUS server configuration objects for AD+OTP or plain AD authentication.


    Cheers, Kai


  • Hi Gilles,

    The following config and code may be used for your further development...

    Virtual Server:


    ltm virtual VS_RADIUS_211 {
        destination X.X.X.211%1:radius
        ip-protocol udp
        mask 255.255.255.255
        profiles {
            radiusLB { }
            udp { }
        }
        rules {
            iRule_Radius_NAS_Injection
        }
        source 0.0.0.0%1/0
        translate-address enabled
        translate-port enabled
    }
    


    iRule_Radius_NAS_Injection


    when CLIENT_DATA {
        # Look for the prefix scheme "nas-attr||username" in the User-Name attribute (AVP 1)
        if { [RADIUS::avp 1] contains "||" } then {
            log local0.debug "Incoming RADIUS Request > Username: [RADIUS::avp 1] | NAS: [RADIUS::avp 32]"
            # Move the prefix into the NAS-Identifier attribute (AVP 32), then strip it from User-Name
            RADIUS::avp replace 32 [getfield [RADIUS::avp 1] "||" 1]
            RADIUS::avp replace 1 [getfield [RADIUS::avp 1] "||" 2]
            log local0.debug "Outgoing RADIUS Request > Username: [RADIUS::avp 1] | NAS: [RADIUS::avp 32]"
        }
        # Select the backend RADIUS server and SNAT to the VS address (aka. the new RADIUS client IP)
        node X.X.X.200%1 1812
        snat [IP::local_addr]
    }
    


    Note: After you've implemented the Virtual Server, iRule and your RADIUS client configuration, simply change the APM RADIUS configuration object to use the newly created Virtual Server and keep every other setting as is. After verifying "normal" operation, you could start to prefix your usernames in a scheme of nas-attr||username. When the RADIUS request passes the iRule, it will look for usernames containing a || separator and, if found, it will use the provided prefix as the new NAS-Identifier attribute and then remove the prefix from the username. After that, the iRule forwards the request to the backend RADIUS server.

    Cheers, Kai
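The following is an added example, not code from this thread or from F5: the same username-prefix to NAS-Identifier rewrite that Kai's iRule performs, carried out on a raw RADIUS Access-Request in Python so the attribute layout (type, length, value) that the `RADIUS::avp` commands hide is visible. The sample request, attribute values and shared secret are constructed; the backend server and SNAT step are not modelled. It also covers two cases the iRule does not spell out: a prefix with an empty side is rejected rather than producing an empty User-Name, and if the request carries a Message-Authenticator (attribute 80) its HMAC-MD5 is recomputed with the shared secret, because rewriting any attribute invalidates it. Re-signing assumes the rewriting hop knows the shared secret, which holds in Kai's setup (the APM RADIUS object keeps its settings and the same secret is used towards the backend); the Request Authenticator is left unchanged, so a User-Password hidden under it per RFC 2865 stays valid. Whether `RADIUS::avp replace 32` adds the attribute when it is absent is not stated in the thread; this example appends it in that case.

```python
"""Username-prefix -> NAS-Identifier rewrite on a raw RADIUS Access-Request.
Illustrative code only (not F5's); all sample data is constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1               # RFC 2865 User-Name
ATTR_USER_PASSWORD = 2           # RFC 2865 User-Password (hidden with the Request Authenticator)
ATTR_NAS_IDENTIFIER = 32         # RFC 2865 NAS-Identifier
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 Message-Authenticator, HMAC-MD5 over the packet
SEPARATOR = b"||"                # prefix scheme from the thread: nas-attr||username
HEADER_LEN = 20                  # code(1) identifier(1) length(2) authenticator(16)


def parse_attrs(data: bytes) -> list:
    """Split the attribute region into (type, value) pairs, rejecting malformed TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(data[i + 2:i + alen])))
        i += alen
    return attrs


def encode_attrs(attrs) -> bytes:
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:  # one octet length field, including the 2 header octets
            raise ValueError("attribute value too long")
        out += bytes((atype, len(value) + 2)) + value
    return bytes(out)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match datagram size")
    return code, ident, pkt[4:HEADER_LEN], parse_attrs(pkt[HEADER_LEN:])


def sign_message_authenticator(pkt: bytes, secret: bytes) -> bytes:
    """Return pkt with Message-Authenticator = HMAC-MD5(secret, pkt with that field zeroed)."""
    offset = HEADER_LEN
    while offset + 2 <= len(pkt):
        atype, alen = pkt[offset], pkt[offset + 1]
        if alen < 2:
            raise ValueError("bad attribute length")
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:offset + 2] + b"\x00" * 16 + pkt[offset + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return pkt[:offset + 2] + mac + pkt[offset + 18:]
        offset += alen
    return pkt  # no Message-Authenticator present: nothing to sign


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(sign_message_authenticator(pkt, secret), pkt)


def inject_nas_identifier(pkt: bytes, secret=None) -> bytes:
    """Same decision as the iRule's CLIENT_DATA block, on one datagram:
    if User-Name is 'prefix||user', NAS-Identifier becomes prefix and User-Name becomes user."""
    code, ident, authenticator, attrs = parse_packet(pkt)
    names = [v for t, v in attrs if t == ATTR_USER_NAME]
    if code != ACCESS_REQUEST or len(names) != 1 or SEPARATOR not in names[0]:
        return pkt  # no prefix: forward unchanged, as the iRule does
    prefix, _, user = names[0].partition(SEPARATOR)  # everything after the first || is the user
    if not prefix or not user:
        raise ValueError("empty NAS prefix or username after split; drop the request")
    rewritten, seen_nas = [], False
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            rewritten.append((atype, user))
        elif atype == ATTR_NAS_IDENTIFIER:
            rewritten.append((atype, prefix))  # replace the existing value (RADIUS::avp replace 32)
            seen_nas = True
        else:
            rewritten.append((atype, value))
    if not seen_nas:
        rewritten.append((ATTR_NAS_IDENTIFIER, prefix))  # assumption: add it when absent
    # Request Authenticator is kept, so a User-Password hidden under it stays valid.
    new_pkt = build_packet(code, ident, authenticator, rewritten)
    if any(t == ATTR_MESSAGE_AUTHENTICATOR for t, _ in attrs):
        if secret is None:
            raise ValueError("request carries Message-Authenticator; shared secret needed to re-sign")
        new_pkt = sign_message_authenticator(new_pkt, secret)
    return new_pkt


def demo() -> dict:
    """Constructed request: prefixed User-Name, existing NAS-Identifier, Message-Authenticator."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))  # constructed; random per request in real use
    attrs = [
        (ATTR_USER_NAME, b"app-otp||alice"),
        (ATTR_USER_PASSWORD, b"\x00" * 16),  # opaque placeholder for the hidden password
        (ATTR_NAS_IDENTIFIER, b"apm-default"),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),
    ]
    incoming = sign_message_authenticator(build_packet(ACCESS_REQUEST, 7, authenticator, attrs), secret)
    outgoing = inject_nas_identifier(incoming, secret)
    out = dict(parse_packet(outgoing)[3])
    return {
        "user_name": out[ATTR_USER_NAME],
        "nas_identifier": out[ATTR_NAS_IDENTIFIER],
        "mac_valid": verify_message_authenticator(outgoing, secret),
        "length_ok": struct.unpack("!H", outgoing[2:4])[0] == len(outgoing),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the rewritten User-Name and NAS-Identifier and confirms the recomputed Message-Authenticator verifies under the shared secret. On a real proxy, a request that fails `parse_packet` or the empty-field check should be dropped rather than forwarded.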