Manual Chapter : Common elements for remote user account configuration

Applies To:


BIG-IP DNS, BIG-IP Analytics, BIG-IP AFM, BIG-IP PEM, BIG-IP ASM, BIG-IP AAM, BIG-IP APM, BIG-IP LTM: 15.0.0

Common elements for remote user account configuration

  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  5. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  6. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
     Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
     tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  7. For the Fallback to Local setting, select the check box when you want remote authentication to fall back to local authentication if the remote server is unavailable.
  8. Click Finished.
  9. From the User Directory list, select Remote - LDAP or Remote - Active Directory.
  10. In the Host field, type the IP address of the remote server.
      The route domain to which this address pertains must be route domain 0.
  11. For the Port setting, retain the default port number (389) or type a new port number.
      This number represents the port number that the BIG-IP system uses to access the remote server.
  12. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server.
      At minimum, you must specify a domain component (that is, dc=[value]).
  13. For the Scope setting, retain the default value (Sub) or select a new value.
      This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  14. For the Bind setting, specify a user ID login for the remote server:
      1. In the DN field, type the distinguished name for the remote user ID.
      2. In the Password field, type the password for the remote user ID.
      3. In the Confirm field, re-type the password that you typed in the Password field.
  15. In the User Template field, type a string that contains a variable representing the distinguished name of the user, in the format %s.
      This field can contain only one %s and cannot contain any other format specifiers.
      For example, you can specify a user template such as %s@siterequest.com or uid=%s,ou=people,dc=siterequest,dc=com.
      The result is that when a user attempts to log on, the system replaces %s with the user name specified in the Basic Authentication dialog box, and passes that name as the distinguished name for the bind operation. The system also passes the associated password as the password for the bind operation.
  16. For the Check Member Attribute in Group setting, select the check box if you want the system to check the user's member attribute in the remote LDAP or AD group.
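The User Template substitution described in step 15, as an added example that is not part of the original manual or of F5's code: it enforces the manual's rule (exactly one %s, no other format specifier) and builds the bind DN from a constructed user name. The function names are this example's own, and the RFC 4514 escaping of the user name is an assumption added here for safety; the manual does not state whether the BIG-IP performs it.

```python
import re

# Every '%' directive in a template: '%' followed by one character,
# or a dangling '%' at the end of the string (captured as '').
_DIRECTIVE = re.compile(r"%(.|$)")

# Characters that RFC 4514 requires to be backslash-escaped inside a DN value.
_DN_SPECIAL = set(',+"\\<>;')


def validate_user_template(template: str) -> None:
    """Enforce the manual's rule: exactly one %s and no other format specifier."""
    directives = _DIRECTIVE.findall(template)
    if directives.count("s") != 1:
        raise ValueError("user template must contain exactly one %s")
    if any(d != "s" for d in directives):
        raise ValueError("user template must not contain format specifiers other than %s")


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use inside a DN (RFC 4514).

    Assumption of this example: the manual does not say whether the BIG-IP
    escapes the login name before substituting it into the template.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(template: str, username: str) -> str:
    """Replace the single %s with the login name, as the manual describes for the bind."""
    validate_user_template(template)
    if not username:
        raise ValueError("empty user name")
    return template.replace("%s", escape_dn_value(username), 1)


if __name__ == "__main__":
    # Constructed sample input; siterequest.com is the manual's own example domain.
    for tpl in ("uid=%s,ou=people,dc=siterequest,dc=com", "%s@siterequest.com"):
        print(build_bind_dn(tpl, "alice"))
    for bad in ("uid=%s,ou=%s,dc=siterequest,dc=com", "uid=%d,dc=siterequest,dc=com"):
        try:
            validate_user_template(bad)
        except ValueError as exc:
            print("rejected:", bad, "->", exc)
```

A template with two %s or with a different specifier is rejected before any bind is attempted, which is the same condition the GUI field enforces; the escaping step matters because the login name is substituted into a DN that the server parses.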
  17. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
      1. From the SSL CA Certificate list, select the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
      2. From the SSL Client Key list, select the name of the client SSL key.
         Use this setting only when the remote server requires that the client present a certificate.
      3. From the SSL Client Certificate list, select the name of the client SSL certificate.
         Use this setting only if the remote server requires that the client present a certificate.
  18. From the Client Certificate Name Field list:
      1. Select either a subject alternate name or the subject name (Common Name).
      2. If you select the subject alternate name Other Name, then in the OID field, type an object identifier (OID).
         The OID indicates the format and semantics of the subject alternate name.
  19. From the OCSP Override list, select On or Off to specify whether the system uses a specified OCSP responder to override the CA certificate to authenticate/authorize logon operations.
  20. If OCSP Override is set to On, then in the OCSP Responder field, retain the default value or type the server name or URL that authenticates/authorizes logon operations.
      The default value is localhost.localdomain.
  21. On the Main tab, click System > File Management > Apache Certificate List > Import, browse for the certificate file to import, type a name, and click Import.
      The certificate is added to the Apache Certificate list.
  22. From the User Directory list, select Remote - ClientCert LDAP.
  23. In the Host field, type the IP address of the remote server.
      The route domain to which this address pertains must be route domain 0.
  24. For the Port setting, retain the default port number (389) or type a new port number.
      This number represents the port number that the BIG-IP system uses to access the remote server.
  25. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the client certificate server.
      At minimum, you must specify a domain component (that is, dc=[value]).
  26. For the Scope setting, retain the default value (Sub) or select a new value.
      This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  27. For the Bind setting, specify a user ID login for the remote server:
      1. In the DN field, type the distinguished name for the remote user ID.
      2. In the Password field, type the password for the remote user ID.
      3. In the Confirm field, re-type the password that you typed in the Password field.
  28. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
      1. From the SSL CA Certificate list, select the name of a chain certificate; that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
      2. From the SSL Client Key list, select the name of the client SSL key.
         Use this setting only when the remote server requires that the client present a certificate.
      3. From the SSL Client Certificate list, select the name of the client SSL certificate.
         Use this setting only if the remote server requires that the client present a certificate.
  29. In the CA Certificate field, type the absolute folder path of the apache-ssl-cert fileobject for the CA signing authority.
      The absolute folder path is /Common/<folder path>/<certificate name>. To determine the absolute folder path of the apache-ssl-cert fileobject, click System > File Management > Apache Certificate List and note the target certificate's partition and path.
      Apache certificates can only be stored within /Common.
  30. In the Login Name field, type an LDAP search prefix that will contain the distinguished name (DN) from the user certificate, such as CN.
      This specifies the LDAP attribute to be used as a login name. The default is disabled.
  31. In the Login LDAP Attribute field, type the account name for the LDAP server.
      The value for this option is normally the user ID. However, if the server is a Microsoft Windows Active Directory server, the value must be the account name sAMAccountName (case-sensitive). The default value is none.
  32. In the Login Filter field, type the LDAP attribute that contains the short name of the user.
      This specifies the filter to be applied on the common name (CN) of the client certificate; usually this is the user ID or sAMAccountName. The filter is a regular expression used to extract the required information from the CN of the client certificate, which is then matched against the LDAP search results. The default is disabled.
  33. For the Depth setting, retain the default value (10) or type a new value for the verification depth.
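How the Login Filter, Login Name and Login LDAP Attribute settings of steps 30 to 32 fit together, as an added example that is not part of the original manual or of F5's code: a regular expression is applied to the client certificate's CN to extract the short user name, and that value is compared, case-sensitively, against the configured LDAP attribute in a constructed set of directory search results. The in-memory directory, the sample CN layout and filter, the rule that an ambiguous match is treated as a failed logon, and the function names are all assumptions of this example.

```python
import re
from typing import Optional

# Constructed sample of what an LDAP search under the Remote Directory Tree
# might return; sAMAccountName is the attribute the manual names for AD.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Alice Example,OU=People,DC=siterequest,DC=com", "sAMAccountName": "aexample"},
    {"dn": "CN=Bob Example,OU=People,DC=siterequest,DC=com", "sAMAccountName": "bexample"},
    {"dn": "CN=Service Dup,OU=Svc,DC=siterequest,DC=com", "sAMAccountName": "dup"},
    {"dn": "CN=Service Dup 2,OU=Svc,DC=siterequest,DC=com", "sAMAccountName": "dup"},
]

# Constructed sample Login Filter for certificates whose CN looks like
# "Alice Example (aexample)": the capture group is the short user name.
SAMPLE_LOGIN_FILTER = r"\(([A-Za-z0-9]+)\)$"


def extract_login_name(cert_cn: str, login_filter: str) -> Optional[str]:
    """Apply the Login Filter regex to the certificate CN.

    The first capture group, if any, is the extracted value; otherwise the
    whole match is used. No match means the certificate cannot be mapped.
    """
    match = re.search(login_filter, cert_cn)
    if match is None:
        return None
    return match.group(1) if match.groups() else match.group(0)


def resolve_account(cert_cn: str, login_filter: str, login_attribute: str,
                    entries: list) -> Optional[dict]:
    """Map a client certificate CN to exactly one directory entry.

    Returns the entry whose login_attribute equals the extracted name, or
    None when nothing matches or when more than one entry matches
    (assumption: an ambiguous mapping fails rather than picking the first hit).
    """
    name = extract_login_name(cert_cn, login_filter)
    if name is None:
        return None
    # Exact, case-sensitive comparison, as the manual notes for sAMAccountName.
    hits = [entry for entry in entries if entry.get(login_attribute) == name]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for cn in ("Alice Example (aexample)", "Service Dup (dup)",
               "Mallory (mallory)", "no id here", "Alice Example (AEXAMPLE)"):
        entry = resolve_account(cn, SAMPLE_LOGIN_FILTER, "sAMAccountName", SAMPLE_DIRECTORY)
        print(f"{cn!r:32} -> {entry['dn'] if entry else 'logon denied'}")
```

Only the first CN resolves: the duplicate account name is ambiguous, the unknown name has no entry, the CN that does not fit the filter yields nothing to look up, and the upper-case variant fails the case-sensitive comparison. When the same check is tuned on a real directory, the filter should be anchored tightly enough that it cannot match more than one account.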
  34. From the User Directory list, select Remote - RADIUS.
  35. From the Server Configuration list, select one of the following options:
      Primary Only: Specifies that you are using a single RADIUS server only for user authentication.
      Primary and Secondary: Specifies that you are using a primary RADIUS server plus a secondary RADIUS server, in case the primary server becomes unavailable.
  36. For the Primary setting:
      1. In the Host field, type the name of the primary RADIUS server.
         The route domain with which this host is associated must be route domain 0.
      2. In the Secret field, type the password for access to the primary RADIUS server.
      3. In the Confirm field, re-type the RADIUS secret.
  37. If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting:
      1. In the Host field, type the name of the secondary RADIUS server.
         The route domain with which this host is associated must be route domain 0.
      2. In the Secret field, type the password for access to the secondary RADIUS server.
      3. In the Confirm field, re-type the RADIUS secret.
  38. From the User Directory list, select Remote - TACACS+.
  39. For the Servers setting, type an IP address for the remote TACACS+ server.
      The route domain to which this address pertains must be route domain 0.
  40. Click Add.
      The IP address for the remote TACACS+ server appears in the Servers list.
  41. In the Secret field, type the password for access to the TACACS+ server.
      Do not include the symbol # in the secret. Doing so causes authentication of local user accounts (such as root and admin) to fail.
  42. In the Confirm Secret field, re-type the TACACS+ secret.
  43. From the Encryption list, select an encryption option:
      Enabled: Specifies that the system encrypts the TACACS+ packets.
      Disabled: Specifies that the system sends unencrypted TACACS+ packets.
  44. In the Service Name field, type the name of the service that the user is requesting to be authenticated to use (usually ppp).
      Specifying the service causes the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall.
  45. In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field.
      This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
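What the Encryption setting of step 43 and the secret rule of step 41 mean on the wire, as an added example that is not part of the original manual or of F5's code: the TACACS+ body obfuscation from RFC 8907 (an MD5 pseudo-pad derived from the shared secret, session id, version and sequence number, XORed over the body), with Disabled leaving the body in clear, plus a check that rejects a '#' in the secret. The session id, sequence number and sample body are constructed; the body simply joins the service and protocol pairs from steps 44 and 45 and is not the exact TACACS+ packet layout. Function names are this example's own.

```python
import hashlib

TAC_PLUS_VERSION = 0xC0  # major version 0xC, minor version 0 (RFC 8907)


def validate_tacacs_secret(secret: str) -> str:
    """Reject a '#' in the secret, which the manual says breaks local-account authentication."""
    if not secret:
        raise ValueError("TACACS+ secret must not be empty")
    if "#" in secret:
        raise ValueError("TACACS+ secret must not contain '#'")
    return secret


def tacacs_pad(session_id: int, secret: str, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.7 pseudo-pad.

    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})
    The digests are concatenated and truncated to the body length.
    """
    seed = (session_id.to_bytes(4, "big") + secret.encode("utf-8")
            + bytes([version & 0xFF, seq_no & 0xFF]))
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_body(body: bytes, secret: str, session_id: int, seq_no: int,
                encryption_enabled: bool = True) -> bytes:
    """Obfuscate (or de-obfuscate; XOR is symmetric) a packet body.

    With the Encryption setting Disabled the packet carries
    TAC_PLUS_UNENCRYPTED_FLAG and the body goes out exactly as given,
    so the service, protocol and any credentials are readable on the wire.
    """
    if not encryption_enabled:
        return body
    pad = tacacs_pad(session_id, validate_tacacs_secret(secret),
                     TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authorization_args(service: str, protocol: str) -> bytes:
    """Constructed sample body: the attribute-value pairs that the Service Name
    and Protocol Name fields map to, NUL-joined for illustration only."""
    return b"\x00".join(arg.encode("ascii")
                        for arg in (f"service={service}", f"protocol={protocol}"))


if __name__ == "__main__":
    body = authorization_args("ppp", "ip")
    wire = tacacs_body(body, "constructed-secret", session_id=0x1234ABCD, seq_no=1)
    print("obfuscated:", wire.hex())
    print("round trip ok:", tacacs_body(wire, "constructed-secret", 0x1234ABCD, 1) == body)
    print("disabled leaves clear text:",
          tacacs_body(body, "constructed-secret", 0x1234ABCD, 1, encryption_enabled=False) == body)
```

The pad depends only on the shared secret and a few header fields, which is why this scheme protects the body from casual capture but is not a substitute for transporting TACACS+ over a protected network; it also shows why a secret mismatch between the BIG-IP and the server yields garbage rather than an explicit error.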