Manual Chapter: Remote User Account Management
Applies To:
BIG-IP AAM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP APM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP Analytics
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP Link Controller
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP LTM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP PEM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP AFM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP DNS
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP ASM
- 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Remote User Account Management
About remote user accounts
Each BIG-IP system requires one or more administrative user accounts. Rather
than store these BIG-IP user accounts locally on the BIG-IP system, you can store BIG-IP user
accounts on a remote authentication server, either LDAP, Active Directory, RADIUS, or TACACS+. In
this case, you create all of your standard BIG-IP user accounts (including user names and
passwords) on the remote server, using the mechanism supplied by that server’s vendor. The remote
server then performs all authentication of those user accounts.
To implement access control for remotely-stored BIG-IP user accounts, you can use the BIG-IP
Configuration utility or tmsh. You first specify information for the type of
remote authentication server, and then you configure these access control properties:
- User role
- Partition access
- Terminal access
To ensure easy management of access control for remote accounts, the BIG-IP system
automatically creates a single user account named Other External Users.
This user account represents all of the remotely-stored BIG-IP user accounts that conform to the
access-control properties defined on the BIG-IP system.
Specifying LDAP or Active Directory server information
Before you begin:
- Verify that the BIG-IP system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
- If you want to verify the certificate of the authentication server, import one or more SSL certificates.
You can configure the BIG-IP system to use an LDAP or Microsoft Windows Active Directory server
for authenticating BIG-IP system user accounts, that is, traffic that passes through the
management interface (MGMT).
The values you specify in this procedure for the Role, Partition Access, and Terminal Access
settings do not apply to group-based access control. These values represent the default values
that the BIG-IP system applies to any user account that is not part of a remotely-stored user
group. Also, for the Other External Users user account, you can modify the Role, Partition
Access, and Terminal Access settings only when your current partition on the BIG-IP system is
set to Common. If you attempt to modify these settings when your current partition is other
than Common, the system displays an error message.
- On the Main tab, click.
- On the menu bar, click Authentication.
- Click Change.
- From the User Directory list, select Remote - LDAP or Remote - Active Directory.
- In the Host field, type the IP address of the remote server. The route domain to which this address pertains must be route domain 0.
- For the Port setting, retain the default port number (389) or type a new port number. This number represents the port number that the BIG-IP system uses to access the remote server.
- In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server. At minimum, you must specify a domain component (that is, dc=[value]).
- For the Scope setting, retain the default value (Sub) or select a new value. This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
- For the Bind setting, specify a user ID login for the remote server:
  - In the DN field, type the distinguished name for the remote user ID.
  - In the Password field, type the password for the remote user ID.
  - In the Confirm field, re-type the password that you typed in the Password field.
- In the User Template field, type a string that contains a variable representing the distinguished name of the user, in the format %s. This field can contain only one %s and cannot contain any other format specifiers. For example, you can specify a user template such as %s@siterequest.com or uid=%s,ou=people,dc=siterequest,dc=com. The result is that when a user attempts to log on, the system replaces %s with the user name specified in the Basic Authentication dialog box, and passes that name as the distinguished name for the bind operation. The system also passes the associated password as the password for the bind operation.
- For the Check Member Attribute in Group setting, select the check box if you want the system to check the user's member attribute in the remote LDAP or AD group.
- To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
  - From the SSL CA Certificate list, select the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
  - From the SSL Client Key list, select the name of the client SSL key. Use this setting only when the remote server requires that the client present a certificate.
  - From the SSL Client Certificate list, select the name of the client SSL certificate. Use this setting only if the remote server requires that the client present a certificate.
- In the Login LDAP Attribute field, type the account name for the LDAP server. The value for this option is normally the user ID. However, if the server is a Microsoft Windows Active Directory server, the value must be the account name sAMAccountName (case-sensitive). The default value is none.
- From the Client Certificate Name Field list:
  - Select either a subject alternate name or the subject name (Common Name).
  - If you select the subject alternate name Other Name, then in the OID field, type an object identifier (OID). The OID indicates the format and semantics of the subject alternate name.
- For the Fallback to Local setting, select the check box when you want remote authentication to fall back to local authentication when the remote server is unavailable.
- From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
- From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
- From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
  - Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
  - tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
- Click Finished.
You can now authenticate administrative user accounts that are stored on a remote
LDAP or Active Directory server. If you have no need to configure access control for
remotely-stored user groups, your configuration tasks are complete.
Specifying client certificate LDAP server information
Verify that the required user accounts for the BIG-IP system
exist on the remote authentication server.
For authenticating BIG-IP system user accounts (that is, traffic that passes through the
management interface [MGMT]), you can configure the BIG-IP system to authenticate certificates
issued by a certificate authority's Online Certificate Status Protocol (OCSP) responder.
The values you specify in this procedure for the Role, Partition Access, and Terminal Access
settings do not apply to group-based authorization. These values represent the default values,
or locally configured user accounts (which override the default role), that the BIG-IP system
applies to any user account that is not part of a remote role group.
- On the Main tab, click.
- On the menu bar, click Authentication.
- Click Change.
- From the User Directory list, select Remote - ClientCert LDAP.
- In the Host field, type the IP address of the remote server. The route domain to which this address pertains must be route domain 0.
- For the Port setting, retain the default port number (389) or type a new port number. This number represents the port number that the BIG-IP system uses to access the remote server.
- In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the client certificate server. At minimum, you must specify a domain component (that is, dc=[value]).
- For the Scope setting, retain the default value (Sub) or select a new value. This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
- For the Bind setting, specify a user ID login for the remote server:
  - In the DN field, type the distinguished name for the remote user ID.
  - In the Password field, type the password for the remote user ID.
  - In the Confirm field, re-type the password that you typed in the Password field.
- To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
  - From the SSL CA Certificate list, select the name of a chain certificate; that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
  - From the SSL Client Key list, select the name of the client SSL key. Use this setting only when the remote server requires that the client present a certificate.
  - From the SSL Client Certificate list, select the name of the client SSL certificate. Use this setting only if the remote server requires that the client present a certificate.
- In the CA Certificate field, type the absolute folder path of the apache-ssl-cert file object for the CA signing authority. The absolute folder path is /Common/<folder path>/<certificate name>. To determine the absolute folder path of the apache-ssl-cert file object, click and note the target certificate's partition and path. Apache certificates can only be stored within /Common.
- In the Login Name field, type an LDAP search prefix that will contain the distinguished name (DN) from the user certificate, such as CN. This specifies the LDAP attribute to be used as a login name. The default is disabled.
- In the Login LDAP Attribute field, type the account name for the LDAP server. The value for this option is normally the user ID. However, if the server is a Microsoft Windows Active Directory server, the value must be the account name sAMAccountName (case-sensitive). The default value is none.
- In the Login Filter field, type the LDAP attribute that contains the short name of the user. This specifies the filter to be applied on the common name (CN) of the client certificate; usually this is the user ID or sAMAccountName. The filter is a regular expression used to extract required information from the CN of the client certificate that is matched against the LDAP search results. The default is disabled.
- For the Depth setting, retain the default value (10) or type a new value for verification depth.
- From the Client Certificate Name Field list:
  - Select either a subject alternate name or the subject name (Common Name).
  - If you select the subject alternate name Other Name, then in the OID field, type an object identifier (OID). The OID indicates the format and semantics of the subject alternate name.
- From the OCSP Override list, select On or Off to specify whether the system uses a specified OCSP responder to override the CA certificate to authenticate/authorize logon operations.
- If OCSP Override is set to On, then in the OCSP Responder field, retain the default value or type the server name or URL that authenticates/authorizes logon operations. The default value is localhost.localdomain.
- From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
- From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
- From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
  - Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
  - tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
- Click Finished.
You can now authenticate administrative traffic for user accounts that are stored on
a remote client certificate server. If you have no need to configure group-based user
authorization, your configuration tasks are complete.
Specifying RADIUS server information
Before you begin:
- Verify that the BIG-IP system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a RADIUS server for authenticating BIG-IP system user
accounts, that is, traffic that passes through the management interface (MGMT).
The values you specify in this procedure for the Role, Partition Access, and Terminal Access
settings do not apply to group-based authorization. These values represent the default values
that the BIG-IP system applies to any user account that is not part of a role group that is
defined on the remote authentication server. Also, for the Other External Users user account,
you can modify the Role, Partition Access, and Terminal Access settings only when your current
partition on the BIG-IP system is set to Common. If you attempt to modify these settings when
your current partition is other than Common, the system displays an error message.
- On the Main tab, click.
- On the menu bar, click Authentication.
- Click Change.
- From the User Directory list, select Remote - RADIUS.
- For the Primary setting:
  - In the Host field, type the name of the primary RADIUS server. The route domain with which this host is associated must be route domain 0.
  - In the Secret field, type the password for access to the primary RADIUS server.
  - In the Confirm field, re-type the RADIUS secret.
- If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting:
  - In the Host field, type the name of the secondary RADIUS server. The route domain with which this host is associated must be route domain 0.
  - In the Secret field, type the password for access to the secondary RADIUS server.
  - In the Confirm field, re-type the RADIUS secret.
- For the Fallback to Local setting, select the check box when you want remote authentication to fall back to local authentication when the remote server is unavailable.
- From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
- From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
- From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
  - Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
  - tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
- Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that
are stored on a remote RADIUS server. If you have no need to configure access control
for remotely-stored user groups, your configuration tasks are complete.
Specifying TACACS+ server information
Before you begin:
- Verify that the BIG-IP system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a TACACS+ server for authenticating BIG-IP system
user accounts, that is, traffic that passes through the management interface (MGMT).
The values you specify in this procedure for the Role, Partition Access, and Terminal Access
settings do not apply to group-based authorization. These values represent the default values
that the BIG-IP system applies to any user account that is not part of a remote role group.
Also, for the Other External Users user account, you can modify the Role, Partition Access, and
Terminal Access settings only when your current partition on the BIG-IP system is set to Common.
If you attempt to modify these settings when your current partition is other than Common, the
system displays an error message.
- On the Main tab, click.
- On the menu bar, click Authentication.
- Click Change.
- From the User Directory list, select Remote - TACACS+.
- For the Fallback to Local setting, select the check box when you want remote authentication to fall back to local authentication when the remote server is unavailable.
- For the Servers setting, type an IP address for the remote TACACS+ server. The route domain to which this address pertains must be route domain 0.
- Click Add. The IP address for the remote TACACS+ server appears in the Servers list.
- In the Secret field, type the password for access to the TACACS+ server. Do not include the symbol # in the secret. Doing so causes authentication of local user accounts (such as root and admin) to fail.
- In the Confirm Secret field, re-type the TACACS+ secret.
- From the Encryption list, select an encryption option:
  - Enabled: Specifies that the system encrypts the TACACS+ packets.
  - Disabled: Specifies that the system sends unencrypted TACACS+ packets.
- In the Service Name field, type the name of the service that the user is requesting to be authenticated to use (usually ppp). Specifying the service causes the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall.
- In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field. This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
- From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
- From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
- From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
  - Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
  - tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
- Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that
are stored on a remote TACACS+ server. If you have no need to configure access control
for remotely-stored user groups, your configuration tasks are complete.
Changing the default access control for remote accounts
You perform this task to change the user role, partition access, and terminal access that you
want the BIG-IP system to assign by default to all remote users that are members of the user
account Other External Users.
- On the Main tab, click.
- Click Change.
- From the User Directory list, select Remote - Active Directory, Remote - LDAP, Remote - RADIUS, or Remote - TACACS+.
- From the Role list, select a user role. The BIG-IP system assigns this user role to any remote account that is not part of a remote user group to which you have explicitly assigned a user role.
- From the Partition Access list, select a partition name. All remote user accounts that are members of the BIG-IP account Other External Users can have access to either all partitions or the same individual partition. Individual members of this account cannot have access to different partitions.
- From the Terminal Access list, select Enabled or Disabled.
- Click Update.
After you perform this task, most BIG-IP user accounts stored on a remote
authentication server have the specified user role, as well as partition and console
access. Remote accounts that are part of a role group are not subject to these
authentication settings.
About remote user groups
On the BIG-IP system, you can assign access control properties (user role, partition, and
terminal access) to any group of BIG-IP user accounts defined on a remote authentication server.
You can assign these properties by using either the BIG-IP Configuration utility or the Traffic
Management Shell (tmsh) to specify the appropriate remote attribute string and line-order for
each group of BIG-IP users, along with the access control values you want to assign to the group.
You can configure access control for remote groups of BIG-IP user accounts in these ways:
- By specifying on the BIG-IP system the relevant attribute string and the role, partition access, and terminal access that you want to assign to the group.
- By specifying on the BIG-IP system the relevant attribute string and then using variable substitution (tmsh only).
Note that access control for these group-based user accounts is separate from the access control
assigned to accounts represented by the BIG-IP user account named Other External Users.
Configuration examples
Because some types of remote servers allow a user to be a member of multiple user groups,
configuration of user roles and partitions for BIG-IP user groups on those servers can result in
conflicts. For example, two separate remote user groups might specify different roles on the same
administrative partition. For a user that is a member of both groups, this configuration breaks
the BIG-IP rule that a user cannot have two roles for any one partition.
In the case of such conflicts, the BIG-IP system must choose one of the conflicting roles for the
user at login time. The primary way that the BIG-IP system makes this choice is by using line
order. The line order that you specify within each remote role configuration affects how the
system ultimately resolves any conflicts.
By contrast, within a single remote user group, no conflicts occur because the BIG-IP system
prevents administrators from assigning more than one role to the same partition.
Example 1: Conflicting role-partition entries within a group
The following example shows that two user roles, Guest and Certificate Manager, are associated
with the same partition, A, for the same remote user group, BigIPAdminGroup. This configuration
is invalid because no one user can have more than one role for a specific partition. If an
administrative user attempts to implement this configuration, the BIG-IP system disallows the
configuration and displays an error message.
BigIPAdminGroup
    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 30
    role guest
    user-partition A

    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 30
    role manager
    user-partition B

    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 30
    role certificate manager
    user-partition A
Example 2: Conflicting role-partition entries in multiple groups
In the following example, the remote server contains two BIG-IP user groups, BigIPNetworkGroup
and BigIPAdminGroup, and the BIG-IP system has three partitions, A, B, and C. Suppose that user
jsmith is a member of both groups. The configuration below shows that on login to the BIG-IP
system, user jsmith will clearly be assigned the role of Operator for partition B, and Manager
for partition C. But for partition A, there is a conflict, because a user can have only one role
per partition on the system, and this configuration attempts to assign the roles of both Manager
and Guest for that partition. To resolve the conflict, the BIG-IP system uses line order to
determine which of the conflicting roles to assign to jsmith for partition A. In this case, the
system will choose Manager, the role with the lowest line-order number (20).
BigIPNetworkGroup
    attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 20
    role manager
    user-partition A

    attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 10
    role operator
    user-partition B

    attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 40
    role manager
    user-partition C
BigIPAdminGroup
    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 30
    role guest
    user-partition A
Example 3: Conflicting role-partition entries due to universal access
In the following example, suppose that user jsmith is a member of three remote user groups,
BigIPGuestGroup, BigIPOperatorGroup, and BigIPAdminGroup, and the BIG-IP system has three
partitions, A, B, and C. In this configuration, the role specified for BigIPAdminGroup creates a
conflict, because some entries specify a particular role for each partition, while BigIPAdminGroup
specifies a role of Administrator for all three partitions. To resolve the conflict, the BIG-IP
system uses the configured line order. Because the line order for BigIPAdminGroup is 9 and
therefore not the lowest line-order number, the BIG-IP system will ignore the role of
Administrator for jsmith, leaving her with a role of Guest on partitions A and C, and Operator on
partition B.
BigIPGuestGroup
    attribute memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 2
    role guest
    user-partition A
BigIPOperatorGroup
    attribute memberOF=CN=BigIPOperatorGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 10
    role operator
    user-partition B
BigIPAdminGroup
    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 9
    role administrator
    user-partition All
BigIPGuestGroup
    attribute memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 3
    role guest
    user-partition C
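The three examples above can be checked mechanically. The following is an added example, not F5 code and not how the BIG-IP system is implemented: a small resolver that applies the rules the chapter states (one role per partition within a group, lowest line-order wins between groups, an All entry honoured only when it carries the lowest line-order of every matched entry, console granted when any matched pair sets console tmsh) to the chapter's own three listings. That an All entry with the lowest line-order then fills every partition, and the console rule, are assumptions drawn from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleInfo:
    """One role-partition entry, with the fields the chapter's listings show."""
    group: str          # remote role group the entry belongs to
    attribute: str      # attribute string matched against the server's reply
    line_order: int
    role: str
    partition: str      # a partition name, or "All" for universal access
    console: str = "disable"   # "tmsh" or "disable" (unset counts as disable)


class InvalidRemoteRoleConfig(ValueError):
    """A configuration the BIG-IP system itself refuses to accept."""


def validate(entries):
    """Example 1: for one attribute string, two different roles on the same
    partition is invalid, because a user can hold only one role per partition."""
    seen = {}
    for e in entries:
        key = (e.attribute, e.partition)
        if key in seen and seen[key] != e.role:
            raise InvalidRemoteRoleConfig(
                f"{e.group}: roles {seen[key]!r} and {e.role!r} "
                f"both target partition {e.partition}")
        seen[key] = e.role


def resolve(entries, user_attributes, partitions):
    """Return (role_by_partition, console) for a user whose authentication
    reply carried the attribute strings in user_attributes.

    Lowest line-order wins a contested partition (Example 2). An "All" entry
    takes effect only when it has the lowest line-order of every matched
    entry (Example 3); we then let it fill every partition (assumption).
    Console is tmsh when any matched pair sets console tmsh, else disabled."""
    validate(entries)
    matched = [e for e in entries if e.attribute in user_attributes]
    if not matched:
        return {}, "disable"
    lowest = min(e.line_order for e in matched)
    roles = {}
    for e in sorted(matched, key=lambda e: e.line_order):
        if e.partition == "All":
            if e.line_order == lowest:
                for p in partitions:
                    roles.setdefault(p, e.role)
            continue  # otherwise the universal entry is ignored for this user
        roles.setdefault(e.partition, e.role)  # first seen = lowest line-order
    console = "tmsh" if any(e.console == "tmsh" for e in matched) else "disable"
    return roles, console


# Attribute strings exactly as in the chapter's three listings.
NET = "memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local"
ADM = "memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local"
GST = "memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local"
OPR = "memberOF=CN=BigIPOperatorGroup,OU=BIP,DC=dean,DC=local"
PARTITIONS = ["A", "B", "C"]

EXAMPLE_1 = [  # guest and certificate manager both on A within one group
    RoleInfo("BigIPAdminGroup", ADM, 30, "guest", "A", "tmsh"),
    RoleInfo("BigIPAdminGroup", ADM, 30, "manager", "B", "tmsh"),
    RoleInfo("BigIPAdminGroup", ADM, 30, "certificate manager", "A", "tmsh"),
]
EXAMPLE_2 = [
    RoleInfo("BigIPNetworkGroup", NET, 20, "manager", "A", "tmsh"),
    RoleInfo("BigIPNetworkGroup", NET, 10, "operator", "B", "tmsh"),
    RoleInfo("BigIPNetworkGroup", NET, 40, "manager", "C", "tmsh"),
    RoleInfo("BigIPAdminGroup", ADM, 30, "guest", "A", "tmsh"),
]
EXAMPLE_3 = [
    RoleInfo("BigIPGuestGroup", GST, 2, "guest", "A", "tmsh"),
    RoleInfo("BigIPOperatorGroup", OPR, 10, "operator", "B", "tmsh"),
    RoleInfo("BigIPAdminGroup", ADM, 9, "administrator", "All", "tmsh"),
    RoleInfo("BigIPGuestGroup", GST, 3, "guest", "C", "tmsh"),
]


def jsmith_example_2():
    """jsmith is a member of BigIPNetworkGroup and BigIPAdminGroup."""
    return resolve(EXAMPLE_2, {NET, ADM}, PARTITIONS)


def jsmith_example_3():
    """jsmith is a member of all three groups of Example 3."""
    return resolve(EXAMPLE_3, {GST, OPR, ADM}, PARTITIONS)


if __name__ == "__main__":
    print("Example 2:", jsmith_example_2())  # Manager on A and C, Operator on B
    print("Example 3:", jsmith_example_3())  # Guest on A and C, Operator on B
    try:
        validate(EXAMPLE_1)
    except InvalidRemoteRoleConfig as err:
        print("Example 1 rejected:", err)
```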
Configuring access control for remote user groups
You perform this task to assign a user role, a corresponding administrative partition, and a type
of terminal access to a remotely-stored group of user accounts. For a given user group, you can
assign as many role-partition combinations as you need, as long as each role is associated with a
different partition. If the partition you associate with a role is All, this entry might or might
not take effect, depending on whether the All designation conflicts with other role-partition
combinations for that user group. For any conflicts, line order in the configuration is a
consideration. To assign multiple role-partition combinations for a user group, you repeat this
task for each combination, specifying the same attribute string for each task.
- On the Main tab, click.
- On the menu bar, click Remote Role Groups.
- Click Create.
- In the Group Name field, type the group name that is defined on the remote authentication server. An example of a group name is BigIPOperatorsGroup.
- In the Line Order field, type a number. This value specifies the order of this access control configuration in the file /config/bigip/auth/remoterole for the named group. The LDAP and Active Directory servers read this file line by line. The order of the information is important; therefore, F5 Networks recommends that you specify a value of 1000 for the first line number. This allows you, in the future, to insert lines before the first line.
- In the Attribute String field, type an attribute. An example of an attribute string is memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net. The BIG-IP system attempts to match this attribute with an attribute on the remote authentication server. On finding a match, the BIG-IP system applies the access control settings defined here to the users in that group. If a match is not found, the system applies the default access control settings to all remotely-stored user accounts (excluding any user account for which access control settings are individually configured).
- From the Remote Access list, select a value:
  - Enabled: Choose this value if you want to enable remote access for the defined user group.
  - Disabled: Choose this value if you want to disable remote access for the defined user group. Note that if you configure multiple instances of this remote role group (one instance for each role-partition pair for the attribute string), then choosing a value of Disabled disables remote access for all user group members, regardless of the remote role group instance.
- From the Assigned Role list, select a user role for the remote user group.
- From the Partition Access list, select an administrative partition value:
  - All: Choose this value to give users in the defined group access to their authorized objects in all partitions on the BIG-IP system.
  - partition_name: Choose a specific partition name to give users in the defined group access to that partition only.
  - Common: Choose this value to give users in the defined group access to partition Common only.
- From the Terminal Access list, select the type of command-line access you want to grant users in the group, if any.
- Click Finished or Repeat.
After you perform this task, the user group that you specified has the assigned role,
partition access, and terminal access properties assigned to it.
About variable substitution
As an alternative to using the BIG-IP Configuration utility to specify explicit values for access
control properties for remote user groups, you can configure the remote server to return a
vendor-specific attribute with variables for role, partition access, and console access. You can
then assign values to those variables (numeric or alphabetic), and you can use the tmsh
remoterole command to perform variable substitution for those access control properties.
For example, suppose that you configure a remote RADIUS authentication server to return the
vendor-specific attribute F5-LTM-User-Info-1 = DC1, along with three variables and their values:
- F5-LTM-User-Role=400 (variable)
- F5-LTM-User-Partition=App_C (variable)
- F5-LTM-User-Console=1 (variable)
A user role value of 400 signifies the Operator user role. The remoterole command can use the
attribute F5-LTM-User-Info-1 on which to match. The command can then read the role, user
partition, and console values from the three variables, rather than you specifying them
explicitly. To do this, you specify each of the three variables on the command line, preceded by
the string %, as arguments.
The following shows a sample use of the remoterole command. This sample command matches on the
vendor-specific attribute F5-LTM-User-Info-1 and then, using the above variables, assigns a user
role of Operator (400), access to partition App_C, and tmsh access (1) to any user accounts that
are part of Datacenter 1 (DC1):
tmsh modify auth remote-role role-info add { DC1 { attribute "F5-LTM-User-Info-1=DC1" console "%F5-LTM-User-Console" role "%F5-LTM-User-Role" user-partition "%F5-LTM-User-Partition" line-order 1 } }
Values for remote role variables
This table lists the values for the BIG-IP variable F5-LTM-User-Role that you use for defining a role for a remotely-stored user group. For example, a value of 100 to the variable F5-LTM-User-Role indicates the Manager user role.
| User Role | Value |
|---|---|
| Administrator | 0 |
| Resource-Admin | 20 |
| User-Manager | 40 |
| Auditor | 80 |
| Manager | 100 |
| App-Editor | 300 |
| Operator | 400 |
| Firewall Manager | 450 |
| Fraud Protection Manager | 480 |
| Certificate-Manager | 500 |
| Certificate-Manager | 510 |
| Guest | 700 |
| Application-Security-Admin | 800 |
| Application-Security-Editor | 810 |
| Application-Policy-Editor | 850 |
| No-Access | 900 |
About terminal access for remote user groups
If you use the Traffic Management Shell (tmsh) remoterole command to configure console access for a user account within a remote user group, the BIG-IP™ system behavior differs depending on the value of the console option:
- If an attribute string for a remote user group has one or more role-partition pairs assigned to that attribute, and you set the value of the console option to tmsh, then on successful authentication the BIG-IP system grants all users in that user group tmsh access to the BIG-IP system.
- If you set the value of the console option to disable (or you do not configure the console option) for all role-partition combinations assigned to the same attribute string, then the BIG-IP system denies all users in that user group tmsh access to the BIG-IP system, even on successful authentication. Note that this does not affect user access to the BIG-IP Configuration utility.
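The variable-substitution example and the console rule above can be checked offline with a small model. The following is an added example written for this page, not F5 code and not the behaviour of tmsh itself: it takes a RADIUS reply represented as a dict of vendor-specific attribute names to strings (an assumption about representation), applies the % substitution to a remote-role entry shaped like the page's sample command, maps the numeric role through the table above, and computes the group's effective console access by the "any tmsh entry grants tmsh" rule. The treatment of the console value "1" as tmsh access and of "0"/"disable" as no access is my mapping, taken from the page's wording, not from an F5 specification.

```python
"""Added example (not F5's own code): model of BIG-IP remote-role variable
substitution and of the console rule for remote user groups.

Assumptions (mine, not the page's): the RADIUS reply is a dict of
vendor-specific attribute name -> string; a remote-role entry is a dict
mirroring the tmsh role-info fields (attribute, role, user partition,
console, line order); console "1"/"tmsh" means tmsh access, "0"/"disable"
or no value means no console access.
"""

# Values from the "Values for remote role variables" table on this page.
ROLE_VALUES = {
    0: "Administrator", 20: "Resource-Admin", 40: "User-Manager",
    80: "Auditor", 100: "Manager", 300: "App-Editor", 400: "Operator",
    450: "Firewall Manager", 480: "Fraud Protection Manager",
    500: "Certificate-Manager", 510: "Certificate-Manager",
    700: "Guest", 800: "Application-Security-Admin",
    810: "Application-Security-Editor", 850: "Application-Policy-Editor",
    900: "No-Access",
}

# Constructed sample reply: the page's DC1 example with its three variables.
SAMPLE_REPLY = {
    "F5-LTM-User-Info-1": "DC1",
    "F5-LTM-User-Role": "400",
    "F5-LTM-User-Partition": "App_C",
    "F5-LTM-User-Console": "1",
}

# Mirrors the page's sample remote-role command; values beginning with '%'
# are substituted from the reply at authentication time.
SAMPLE_ROLE_INFO = [
    {"name": "DC1", "attribute": "F5-LTM-User-Info-1=DC1",
     "role": "%F5-LTM-User-Role", "user_partition": "%F5-LTM-User-Partition",
     "console": "%F5-LTM-User-Console", "line_order": 1},
]


def substitute(value, reply):
    """Resolve a '%VARIABLE' reference against the reply; literals pass through."""
    if value is None or not value.startswith("%"):
        return value
    name = value[1:]
    if name not in reply:
        # A missing variable is a server/configuration mismatch: fail closed
        # instead of silently falling back to a permissive default.
        raise KeyError(f"reply does not carry variable {name}")
    return reply[name]


def attribute_matches(attribute, reply):
    """'NAME=VALUE' matches only when the reply carries NAME with exactly VALUE."""
    name, _, expected = attribute.partition("=")
    return reply.get(name) == expected


def normalize_console(value):
    """Map a raw console value to 'tmsh' or 'disable' (assumed mapping)."""
    if value in (None, "0", "disable"):
        return "disable"
    if value in ("1", "tmsh"):
        return "tmsh"
    raise ValueError(f"unrecognized console value {value!r}")


def resolve(role_info, reply):
    """Return the resolved access-control values of every matching entry."""
    resolved = []
    for entry in sorted(role_info, key=lambda e: e["line_order"]):
        if not attribute_matches(entry["attribute"], reply):
            continue
        role_value = int(substitute(entry["role"], reply))
        if role_value not in ROLE_VALUES:
            raise ValueError(f"unknown role value {role_value}")
        resolved.append({
            "name": entry["name"],
            "role_value": role_value,
            "role": ROLE_VALUES[role_value],
            "partition": substitute(entry["user_partition"], reply),
            "console": normalize_console(substitute(entry.get("console"), reply)),
        })
    return resolved


def effective_console(resolved):
    """Console rule from the page: tmsh if any matching role-partition entry
    grants tmsh; otherwise disable (also when nothing matched)."""
    return "tmsh" if any(r["console"] == "tmsh" for r in resolved) else "disable"


if __name__ == "__main__":
    matched = resolve(SAMPLE_ROLE_INFO, SAMPLE_REPLY)
    for r in matched:
        print(r)
    print("effective console:", effective_console(matched))
```

Because the console decision is taken across all entries that share an attribute string, adding a second role-partition entry with console set to disable does not remove tmsh access that another entry on the same attribute grants; auditing a remote-role configuration therefore means reviewing every entry for an attribute, not just the one that carries the role you care about.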
Saving access control settings to a file
You can save the running configuration of the system, including all settings for remote user authentication and authorization, in a flat, text file with a specified name and the extension .scf.
- On the BIG-IP system, access a command-line prompt.
- At the prompt, open the Traffic Management Shell by typing the command tmsh.
- Type sys save filename. For example, sys save myConfiguration053107 creates the file myConfiguration053107.scf in the /var/local/scf directory, and sys save /config/myConfiguration creates the file myConfiguration.scf in the /config directory.
You can now import this file onto other BIG-IP devices on the network.
Importing BIG-IP configuration data onto other BIG-IP systems
You can use the tmsh sys load command to import a single configuration file (SCF), including access control data, onto other BIG-IP devices on the network.
This task is optional.
- On the BIG-IP system on which you created the SCF, access a command-line prompt.
- Copy the SCF that you previously created to a location on your network that you can access from the system that you want to configure.
- Edit the SCF to reflect the management routing and special passwords of the BIG-IP system that you want to configure:
  - Open the SCF in an editor.
  - Where necessary, change the values of the management IP address, network mask, management default route, self IP addresses, virtual server IP addresses, routes, default routes, and host name fields to the values for the new system.
  - If necessary, change the passwords for the root and admin accounts using the command user <name> password none <newpassword>. When configuring a unit that is part of a redundant system configuration and that is using the SCF from the peer unit, do not modify the root and admin accounts. These accounts must be identical on both units of the redundant system.
  - Save the edited SCF.
- On the BIG-IP system that you want to configure, open the Traffic Management Shell by typing the command tmsh.
- Type sys load scf_filename. For example, sys load myConfiguration053107.scf saves a backup of the running configuration in the /var/local/scf directory, and then resets the running configuration with the configuration contained in the SCF you are loading.
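Editing an SCF by hand before sys load is where the two caveats in the procedure above bite: the system-specific fields must change, and the root and admin stanzas must not (on a redundant pair). The following added example, written for this page rather than taken from F5, shows how such an edit can be scripted and then verified. The SCF text is constructed and only approximates the tmsh stanza syntax; the hostname and management-ip regular expressions, the stanza parser and the account-check function are all mine, and the hash values are placeholders.

```python
"""Added example (not F5's own code): retarget a single configuration file
(SCF) for another BIG-IP unit and verify that the root/admin account stanzas
were left byte-for-byte intact, as the redundant-pair rule on this page
requires.

Assumption: the SCF uses tmsh-style stanzas ("sys global-settings { ... }",
"sys management-ip <addr>/<mask> { ... }", "auth user <name> { ... }").
The sample below is constructed for this example and is not a real SCF.
"""
import re

SAMPLE_SCF = """\
sys global-settings {
    hostname bigip-a.example.com
}
sys management-ip 192.0.2.10/24 { }
sys management-route default {
    gateway 192.0.2.1
}
auth user admin {
    description admin
    encrypted-password $6$constructed$placeholderhashA
    shell none
}
auth user root {
    encrypted-password $6$constructed$placeholderhashB
}
"""


def retarget_scf(text, hostname, mgmt_ip):
    """Rewrite the hostname and management IP for the new unit.

    Refuses to continue unless exactly one of each field was found, so an
    unexpected SCF layout is reported instead of being half-edited.
    """
    text, n_host = re.subn(r"(?m)^(\s*hostname )\S+$",
                           lambda m: m.group(1) + hostname, text)
    text, n_ip = re.subn(r"(?m)^(sys management-ip )\S+",
                         lambda m: m.group(1) + mgmt_ip, text)
    if n_host != 1 or n_ip != 1:
        raise ValueError(f"expected one hostname and one management-ip, "
                         f"found {n_host} and {n_ip}")
    return text


def user_stanzas(text):
    """Return {account: stanza_text} for each 'auth user NAME { ... }' block,
    tracking brace depth so nested blocks stay inside the stanza."""
    stanzas = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^auth user (\S+) \{", lines[i])
        if not m:
            i += 1
            continue
        depth, start = 0, i
        while i < len(lines):
            depth += lines[i].count("{") - lines[i].count("}")
            i += 1
            if depth == 0:
                break
        stanzas[m.group(1)] = "\n".join(lines[start:i])
    return stanzas


def accounts_unchanged(original, edited, names=("root", "admin")):
    """True when every named account stanza is present and identical in both
    files: the check to run before loading a peer's SCF on a redundant unit."""
    before, after = user_stanzas(original), user_stanzas(edited)
    return all(n in before and before[n] == after.get(n) for n in names)


if __name__ == "__main__":
    edited = retarget_scf(SAMPLE_SCF, "bigip-b.example.com", "192.0.2.11/24")
    print(edited)
    print("root/admin intact:", accounts_unchanged(SAMPLE_SCF, edited))
```

Run the check on the file you are about to pass to sys load; a False result means a root or admin stanza was altered, which on a redundant pair is exactly the divergence the procedure tells you to avoid.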
About viewing remote user accounts
Using the BIG-IP Configuration utility, you can display a list of those remote user accounts to which you explicitly assigned a non-default user role. If a remote user account has the default role assigned to it, you cannot see that account in the user account list.
Any users who have access to a partition in which remote accounts reside can view a list of remote user accounts.
Displaying a list of remote user accounts
You perform this task to display a list of remotely-stored user accounts.
- On the Main tab, click.
- On the menu bar, click Authentication.
- Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
- On the menu bar, click User List.
- View the list of user accounts. Remote user accounts that are assigned the default user role appear as Other External Users.
Viewing access control properties
- On the Main tab, click.
- On the menu bar, click Authentication.
- Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
- On the menu bar, click User List.
- View the list of user accounts. Remote user accounts that are assigned the default user role appear as Other External Users.
- In the user account list, find the user account you want to view and click the account name. This displays the properties of that user account.