Device Administration for F5 using RADIUS

Bogieboogi1
Level 1

I'm currently running two ISE appliances at my customer for a PoC which will be starting soon.

Currently, I'm facing an issue with a pair of F5 load balancers.

Policy Sets are fine, on the Radius live log site I can see that the requests are hitting the established rules.

It chooses the right Authentication set, Authorization set as well as the Authorization set.

The point here is that I`m not able to get a command shell prompt after entering the credentials. It stays empty and after some time it requests the password again. 
My Authorization Profile has the following attributes :

Access Type = ACCESS_ACCEPT
F5-LTM-User-Role = 0
F5-LTM-User-Console = 1
F5-LTM-User-Info-1 = Administrator
F5-LTM-User-Shell = enable
F5-LTM-User-Partition = Common
I'm running out of ideas currently. The load balancer shows the following log:

Aug 17 08:40:31 lb-a1s-hcpp-01 err sshd[3301]: pam_radius_auth: RADIUS server 147.204.66.88 failed to respond
Aug 17 08:40:34 lb-a1s-hcpp-01 err sshd[3301]: pam_radius_auth: RADIUS server 147.204.66.88 failed to respond
Aug 17 08:40:37 lb-a1s-hcpp-01 err sshd[3301]: pam_radius_auth: RADIUS server 147.204.66.88 failed to respond
Aug 17 08:40:40 lb-a1s-hcpp-01 err sshd[3301]: pam_radius_auth: RADIUS server 147.204.66.88 failed to respond
Aug 17 08:40:40 lb-a1s-hcpp-01 err sshd[3301]: pam_radius_auth: All RADIUS servers failed to respond.
Aug 17 08:40:40 lb-a1s-hcpp-01 warning sshd[3301]: pam_unix(sshd:auth): check pass; user unknown
Aug 17 08:40:40 lb-a1s-hcpp-01 notice sshd[3301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.204.66.17
Aug 17 08:40:42 lb-a1s-hcpp-01 err sshd[3298]: error: PAM: Authentication failure for Cxxxxxxxx(USER) from 147.204.66.17
Aug 17 08:42:24 lb-a1s-hcpp-01 warning sshd[3302]: pam_unix(sshd:auth): check pass; user unknown
Aug 17 08:42:24 lb-a1s-hcpp-01 notice sshd[3302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.204.66.17
Aug 17 08:42:26 lb-a1s-hcpp-01 err sshd[3302]: error: ssh_msg_send: write
Hope to get some input here and find the possible cause of this.
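An added triage helper (not part of the original post) that reads the sshd log lines quoted above and separates "RADIUS server ... failed to respond" (nothing came back from ISE: a UDP/1812 path or NAS-definition problem) from sessions where only the local pam_unix fallback failed. The regexes and sample lines are assumptions built from the post's log format.

```python
import re

# Constructed sample: a subset of the sshd/pam_radius_auth lines quoted in the post.
SAMPLE_LOG = """\
Aug 17 08:40:31 lb-a1s-hcpp-01 err sshd[3301]: pam_radius_auth: RADIUS server 147.204.66.88 failed to respond
Aug 17 08:40:34 lb-a1s-hcpp-01 err sshd[3301]: pam_radius_auth: RADIUS server 147.204.66.88 failed to respond
Aug 17 08:40:40 lb-a1s-hcpp-01 err sshd[3301]: pam_radius_auth: All RADIUS servers failed to respond.
Aug 17 08:40:40 lb-a1s-hcpp-01 warning sshd[3301]: pam_unix(sshd:auth): check pass; user unknown
Aug 17 08:40:40 lb-a1s-hcpp-01 notice sshd[3301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.204.66.17
Aug 17 08:42:24 lb-a1s-hcpp-01 notice sshd[3302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=147.204.66.17
"""

# Syslog prefix as emitted by the F5: "<Mon> <day> <time> <host> <severity> <proc>[<pid>]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"pam_radius_auth: RADIUS server (\S+) failed to respond")


def triage(lines):
    """Group lines by sshd PID (one PID = one login attempt) and return a verdict per attempt."""
    per_pid = {}
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue  # not a line in the expected syslog shape; ignore it
        st = per_pid.setdefault(
            m["pid"], {"timeouts": 0, "servers": set(), "all_failed": False, "local_failure": False}
        )
        msg = m["msg"]
        t = TIMEOUT_RE.search(msg)
        if t:
            st["timeouts"] += 1
            st["servers"].add(t.group(1))
        elif "All RADIUS servers failed to respond" in msg:
            st["all_failed"] = True
        elif "pam_unix(sshd:auth): authentication failure" in msg:
            st["local_failure"] = True

    verdicts = {}
    for pid, st in per_pid.items():
        if st["all_failed"] or st["timeouts"]:
            # No reply at all: check the UDP path to ISE (ACLs, firewalls) and the NAS definition on ISE,
            # since a reject would have produced a reply rather than a timeout.
            verdict = "no_radius_response"
        elif st["local_failure"]:
            verdict = "local_fallback_only"  # RADIUS lines absent; PAM only tried local accounts
        else:
            verdict = "unknown"
        verdicts[pid] = {"verdict": verdict, "timeouts": st["timeouts"], "servers": sorted(st["servers"])}
    return verdicts
```

Run it over a longer capture to see whether every attempt times out (transport problem, as in this thread) or whether only some PIDs do (intermittent reachability or a single dead server).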


7 Replies

paul
Level 10

I looked at my notes from a few years ago and all I had to do was set the F5-LTM-User-Info-1 value to the role I wanted in F5 and made sure the role had terminal access.  My read-only role had no terminal access set.

[Attachment: F5 Screen.jpg]

Hi,

That has been set already. The F5 is working properly towards an ACS system which runs TACACS and RADIUS. We are trying to check the ISE as the ACS is end of life.

However, we tried today to authenticate an Aruba Wireless Controller, and there again the same result. We are not getting an SSH prompt. We used the same Aruba attributes as the RADIUS system that is in place.

My assumption is still that the attributes are not communicated correctly to the devices and back.
Please contact me directly and I can assist howon@cisco.com.

If you get it working, I would like to know why it wasn't working with the setup I posted. I have used that in the past with no issues.


Sure, I will post all outcomes and the solution.

Hey,

I will send you an email later today so that we can discuss the issue further.

Hi,

We finally found out the issue. It was an ACL on an outbound switch that was blocking the UDP communication between the ISE and the device.

The communication issue was detected during a troubleshooting session with Hosuk.

Thanks for the great support on this.