Before you set up an access policy to use RADIUS accounting, you must have at least one RADIUS AAA server configured. You should also have an access profile that is configured with actions that authenticate the user.
You add a RADIUS accounting action to an access policy to send RADIUS start and stop messages to a RADIUS server. RADIUS accounting does not authenticate a user.
1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
2. In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
3. Click the (+) icon anywhere in the access policy to add a new action item.
Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
4. From the Authentication tab, select RADIUS Acct and click Add Item. The popup screen closes. A properties popup screen opens.
5. From the AAA Server list, select a RADIUS accounting server and click Save. The properties popup screen closes and the visual policy editor displays.
6. Click Apply Access Policy to save your configuration. This adds the RADIUS accounting action to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
87 BIG-IP® Access Policy Manager®: Authentication and Single Sign-On
Verifying log settings for the access profile
Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
2. Click the name of the access profile that you want to edit. The properties screen opens.
3. On the menu bar, click Logs.
The access profile log settings display.
4. Move log settings between the Available and Selected lists.
You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only.
Note: Logging is disabled when the Selected list is empty.
5. Click Update.
An access profile is in effect when it is assigned to a virtual server.
RADIUS authentication and accounting troubleshooting tips
You might run into problems with RADIUS authentication and accounting in some instances. Follow these tips to try to resolve any issues you might encounter.
RADIUS authentication and accounting access policy action troubleshooting
Possible error message: Authentication failed due to timeout
Possible explanations and actions:
• Verify that Access Policy Manager® is configured as a client on the RADIUS server.
• You might have encountered a general network connection problem.
Possible error message: Authentication failed due to RADIUS access reject
Possible explanations and actions:
• Verify that the shared secret on the RADIUS server is valid.
• Verify that user credentials are entered correctly.
Additional troubleshooting tips for RADIUS authentication and accounting
Action: Check to see if your access policy is attempting to perform authentication
Steps:
• Add message boxes to your access policy to display information about what the access policy is attempting to do.
• Refer to /var/log/apm to view authentication and accounting attempts by the access policy.
Note: Make sure that your log level is set to the appropriate level. The default log level is notice.
Action: Check the RADIUS Server configuration
Steps:
• Confirm that the Access Policy Manager is registered as a RADIUS client. Since the Access Policy Manager makes requests from the self IP address to the RADIUS server for authentication requests, the self IP address should be registered as a RADIUS client.
• Check the RADIUS logs for any errors.
Action: Confirm network connectivity
Steps:
• Access the BIG-IP® system through the command line interface and check your connectivity by pinging the RADIUS server using the host entry in the AAA Server box.
• Confirm that the RADIUS port 1812 is not blocked between the Access Policy Manager and the RADIUS server.
Action: Capture a TCP dump
Steps:
• Take a TCP dump from the Access Policy Manager when authentication attempts are made. For example, % tcpdump -i 1.1 -s0 -w /tmp/dump. You must first determine what interface the self IP address is on. These TCP dumps indicate activities between the Access Policy Manager and the authentication server.
• Run the authentication test. After authentication fails, stop the TCP dump, download the TCP dump records to a client system, and use an analyzer to troubleshoot.
Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.
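When analyzing a capture of the accounting start and stop messages, one useful check is whether the packet's authenticator matches the shared secret you expect. The following is an added example, not F5 code: it follows the RFC 2866 packet layout, and the function names, the user "alice" and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                   # RFC 2866 packet code
ACCT_STATUS_TYPE = 40                    # RFC 2866 attribute type
STATUS_NAMES = {1: "Start", 2: "Stop"}   # Acct-Status-Type values


def build_acct_request(ident, attrs, secret):
    """Build an Accounting-Request; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_attributes(data):
    """Return {type: value} for a RADIUS attribute block (type, length, value)."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs


def check_acct_request(packet, secret):
    """Return (status name, authenticator_ok) for a captured Accounting-Request."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    status = parse_attributes(body).get(ACCT_STATUS_TYPE, b"")
    name = STATUS_NAMES.get(int.from_bytes(status, "big"), "unknown")
    return name, hmac.compare_digest(expected, packet[4:20])


# Constructed sample: a Start message with User-Name (type 1) and a made-up secret.
SAMPLE = build_acct_request(
    7, [(1, b"alice"), (ACCT_STATUS_TYPE, struct.pack("!I", 1))], b"example-secret")

if __name__ == "__main__":
    print(check_acct_request(SAMPLE, b"example-secret"))  # matching secret
    print(check_acct_request(SAMPLE, b"wrong-secret"))    # mismatched secret
```

To use it on real traffic, pass the UDP payload bytes of an Accounting-Request exported from the capture in place of SAMPLE.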