Manual Chapter : Remote User Account Management

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP Link Controller

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP Analytics

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP LTM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP AFM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP PEM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP DNS

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0
Manual Chapter

Remote User Account Management

About remote user accounts

Each BIG-IP system requires one or more administrative user accounts. Rather than store these BIG-IP user accounts locally on the BIG-IP system, you can store BIG-IP user accounts on a remote authentication server, either LDAP, Active Directory, RADIUS, or TACACS+. In this case, you create all of your standard BIG-IP user accounts (including user names and passwords) on the remote server, using the mechanism supplied by that server’s vendor. The remote server then performs all authentication of those user accounts.
To implement access control for remotely-stored BIG-IP user accounts, you can use the BIG-IP Configuration utility or
tmsh
. You first specify information for the type of remote authentication server, and then you configure these access control properties:
  • User role
  • Partition access
  • Terminal access
To ensure easy management of access control for remote accounts, the BIG-IP system automatically creates a single user account named
Other External Users
. This user account represents all of the remotely-stored BIG-IP user accounts that conform to the access-control properties defined on the BIG-IP system.

Specifying LDAP or Active Directory server information

Before you begin:
  • Verify that the BIG-IP system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
  • If you want to verify the certificate of the authentication server, import one or more SSL certificates.
You can configure the BIG-IP system to use an LDAP or Microsoft Windows Active Directory server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
The values you specify in this procedure for the
Role
,
Partition Access
, and
Terminal Access
settings do not apply to group-based access control. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remotely-stored user group. Also, for the
Other External Users
user account, you can modify the
Role
,
Partition Access
, and
Terminal Access
settings only when your current partition on the BIG-IP system is set to
Common
. If you attempt to modify these settings when your current partition is other than
Common
, the system displays an error message.
  1. On the Main tab, click
    System
    Users
    Authentication
    .
  2. On the menu bar, click
    Authentication
    .
  3. Click
    Change
    .
  4. From the
    User Directory
    list, select
    Remote - LDAP
    or
    Remote - Active Directory
    .
  5. In the
    Host
    field, type the IP address of the remote server.
    The route domain to which this address pertains must be route domain
    0
    .
  6. For the
    Port
    setting, retain the default port number (
    389
    ) or type a new port number.
    This number represents the port number that the BIG-IP system uses to access the remote server.
  7. In the
    Remote Directory Tree
    field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server.
    At minimum, you must specify a domain component (that is,
    dc=[value]
    ).
  8. For the
    Scope
    setting, retain the default value (
    Sub
    ) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  9. For the
    Bind
    setting, specify a user ID login for the remote server:
    1. In the
      DN
      field, type the distinguished name for the remote user ID.
    2. In the
      Password
      field, type the password for the remote user ID.
    3. In the
      Confirm
      field, re-type the password that you typed in the
      Password
      field.
  10. In the
    User Template
    field, type a string that contains a variable representing the distinguished name of the user, in the format
    %s
    .
    This field can contain only one
    %s
    and cannot contain any other format specifiers.
    For example, you can specify a user template such as
    %s@siterequest.com
    or
    uxml:id=%s,ou=people,dc=siterequest,dc=com
    .
    The result is that when a user attempts to log on, the system replaces
    %s
    with the user name specified in the Basic Authentication dialog box, and passes that name as the distinguished name for the bind operation. The system also passes the associated password as the password for the bind operation.
  11. For the
    Check Member Attribute in Group
    setting, select the check box if you want the system to check the user's member attribute in the remote LDAP or AD group.
  12. To enable SSL-based authentication, from the
    SSL
    list select
    Enabled
    and, if necessary, configure these settings:
    1. From the
      SSL CA Certificate
      list, select the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. From the
      SSL Client Key
      list, select the name of the client SSL key.
      Use this setting only when the remote server requires that the client present a certificate.
    3. From the
      SSL Client Certificate
      list, select the name of the client SSL certificate.
      Use this setting only if the remote server requires that the client present a certificate.
  13. In the
    Login LDAP Attribute
    field, type the account name for the LDAP server.
    The value for this option is normally the user ID. However, if the server is a Microsoft Windows Active Directoryserver, the value must be the account name
    sAMAccountName
    (case-sensitive). The default value is none.
  14. From the
    Client Certificate Name Field
    list:
    1. Select either a subject alternate name or the subject name (
      Common Name
      ).
    2. If you select the subject alternate name
      Other Name
      , then in the
      OID
      field, type an object identifier (OID).
      The OID indicates the format and semantics of the subject alternate name.
  15. For the
    Fallback to Local
    setting, select the check box when you want to allow configuring remote authentication to fall back to the local authentication when the remote server is unavailable.
  16. From the
    Role
    list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  17. From the
    Partition Access
    list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  18. From the
    Terminal Access
    list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Disabled
    Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh
    Choose this option when you want the remotely-stored user accounts to have only
    tmsh
    access to the BIG-IP system.
  19. Click
    Finished
    .
You can now authenticate administrative user accounts that are stored on a remote LDAP or Active Directory server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.

Specifying client certificate LDAP server information

Verify that the required user accounts for the BIG-IP system exist on the remote authentication server.
For authenticating BIG-IP system user accounts (that is, traffic that passes through the management interface [MGMT]), you can configure the BIG-IP system to authenticate certificates issued by a certificate authority's Online Certificate Status Protocol (OCSP) responder.
The values you specify in this procedure for the
Role
,
Partition Access
, and
Terminal Access
settings do not apply to group-based authorization. These values represent the default values or locally configured user accounts (which override the default role) that the BIG-IP system applies to any user account that is not part of a remote role group.
  1. On the Main tab, click
    System
    Users
    Authentication
    .
  2. On the menu bar, click
    Authentication
    .
  3. Click
    Change
    .
  4. From the
    User Directory
    list, select
    Remote - ClientCert LDAP
    .
  5. In the
    Host
    field, type the IP address of the remote server.
    The route domain to which this address pertains must be route domain
    0
    .
  6. For the
    Port
    setting, retain the default port number (
    389
    ) or type a new port number.
    This number represents the port number that the BIG-IP system uses to access the remote server.
  7. In the
    Remote Directory Tree
    field, type the file location (tree) of the user authentication database on the client certificate server.
    At minimum, you must specify a domain component (that is,
    dc=[value]
    ).
  8. For the
    Scope
    setting, retain the default value (
    Sub
    ) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  9. For the
    Bind
    setting, specify a user ID login for the remote server:
    1. In the
      DN
      field, type the distinguished name for the remote user ID.
    2. In the
      Password
      field, type the password for the remote user ID.
    3. In the
      Confirm
      field, re-type the password that you typed in the
      Password
      field.
  10. To enable SSL-based authentication, from the
    SSL
    list select
    Enabled
    and, if necessary, configure these settings:
    1. From the
      SSL CA Certificate
      list, select the name of a chain certificate; that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. From the
      SSL Client Key
      list, select the name of the client SSL key.
      Use this setting only when the remote server requires that the client present a certificate.
    3. From the
      SSL Client Certificate
      list, select the name of the client SSL certificate.
      Use this setting only if the remote server requires that the client present a certificate.
  11. In the
    CA Certificate
    field, type the absolute folder path of
    apache-ssl-cert fileobject
    for the CA signing authority.
    The absolute folder path is
    /Common/<folder path>/<certificate name>
    . To determine the absolute folder path of the
    apache-ssl-cert fileobject
    , click
    System
    File Management
    Apache Certificate List
    and note the target certificate's partition and path.
    Apache certificates can only be stored within
    /Common
    .
  12. In the
    Login Name
    field, type an LDAP search prefix that will contain the distinguished name (DN) from the user certificate, such as
    CN
    .
    This specifies the LDAP attribute to be used as a login name. The default is disabled.
  13. In the
    Login LDAP Attribute
    field, type the account name for the LDAP server.
    The value for this option is normally the user ID. However, if the server is a Microsoft Windows Active Directoryserver, the value must be the account name
    sAMAccountName
    (case-sensitive). The default value is none.
  14. In the
    Login Filter
    field, type the LDAP attribute that contains the short name of the user.
    This specifies the filter to be applied on the common name (CN) of the client certificate and usually this is the user ID or
    sAMAccountName
    . The filter is a regular expression used to extract required information from the CN of the client certificate that is matched against the LDAP search results. The default is disabled.
  15. For the
    Depth
    setting, retain the default value (
    10
    ) or type a new value for verification depth.
  16. From the
    Client Certificate Name Field
    list:
    1. Select either a subject alternate name or the subject name (
      Common Name
      ).
    2. If you select the subject alternate name
      Other Name
      , then in the
      OID
      field, type an object identifier (OID).
      The OID indicates the format and semantics of the subject alternate name.
  17. From the
    OCSP Override
    list, select
    On
    or
    Off
    to specify whether the system uses a specified OCSP responder to override the CA certificate to authenticate/authorize logon operations.
  18. If the
    OCSP Override
    is set to
    On
    , then in the
    OCSP Responder
    field, retain the default value or type the server name or URL that authenticates/authorizes logon operations.
    The default value is
    localhost.localdomain
    .
  19. From the
    Role
    list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  20. From the
    Partition Access
    list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  21. From the
    Terminal Access
    list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Disabled
    Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh
    Choose this option when you want the remotely-stored user accounts to have only
    tmsh
    access to the BIG-IP system.
  22. Click
    Finished
    .
You can now authenticate administrative traffic for user accounts that are stored on a remote client certificate server. If you have no need to configure group-based user authorization, your configuration tasks are complete.

Specifying RADIUS server information

Before you begin:
  • Verify that the BIG-IP system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a RADIUS server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
The values you specify in this procedure for the
Role
,
Partition Access
, and
Terminal Access
settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a role group that is defined on the remote authentication server. Also, for the
Other External Users
user account, you can modify the
Role
,
Partition Access
, and
Terminal Access
settings only when your current partition on the BIG-IP system is set to
Common
. If you attempt to modify these settings when your current partition is other than
Common
, the system displays an error message.
  1. On the Main tab, click
    System
    Users
    Authentication
    .
  2. On the menu bar, click
    Authentication
    .
  3. Click
    Change
    .
  4. From the
    User Directory
    list, select
    Remote - RADIUS
    .
  5. For the
    Primary
    setting:
    1. In the
      Host
      field, type the name of the primary RADIUS server.
      The route domain with which this host is associated must be route domain
      0
      .
    2. In the
      Secret
      field, type the password for access to the primary RADIUS server.
    3. In the
      Confirm
      field, re-type the RADIUS secret.
  6. If you set the
    Server Configuration
    setting to
    Primary and Secondary
    , then for the
    Secondary
    setting:
    1. In the
      Host
      field, type the name of the secondary RADIUS server.
      The route domain with which this host is associated must be route domain
      0
      .
    2. In the
      Secret
      field, type the password for access to the secondary RADIUS server.
    3. In the
      Confirm
      field, re-type the RADIUS secret.
  7. For the
    Fallback to Local
    setting, select the check box when you want to allow configuring remote authentication to fall back to the local authentication when the remote server is unavailable.
  8. From the
    Role
    list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  9. From the
    Partition Access
    list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  10. From the
    Terminal Access
    list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Disabled
    Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh
    Choose this option when you want the remotely-stored user accounts to have only
    tmsh
    access to the BIG-IP system.
  11. Click
    Finished
    .
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote RADIUS server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.

Specifying TACACS+ server information

Before you begin:
  • Verify that the BIG-IP system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a TACACS+ server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
The values you specify in this procedure for the
Role
,
Partition Access
, and
Terminal Access
settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remote role group. Also, for the
Other External Users
user account, you can modify the
Role
,
Partition Access
, and
Terminal Access
settings only when your current partition on the BIG-IP system is set to
Common
. If you attempt to modify these settings when your current partition is other than
Common
, the system displays an error message.
  1. On the Main tab, click
    System
    Users
    Authentication
    .
  2. On the menu bar, click
    Authentication
    .
  3. Click
    Change
    .
  4. From the
    User Directory
    list, select
    Remote - TACACS+
    .
  5. For the
    Fallback to Local
    setting, select the check box when you want to allow configuring remote authentication to fall back to the local authentication when the remote server is unavailable.
  6. For the
    Servers
    setting, type an IP address for the remote TACACS+ server.
    The route domain to which this address pertains must be route domain
    0
    .
  7. Click
    Add
    .
    The IP address for the remote TACACS+ server appears in the
    Servers
    list.
  8. In the
    Secret
    field, type the password for access to the TACACS+ server.
    Do not include the symbol
    #
    in the secret. Doing so causes authentication of local user accounts (such as
    root
    and
    admin
    ) to fail.
  9. In the
    Confirm Secret
    field, re-type the TACACS+ secret.
  10. From the
    Encryption
    list, select an encryption option:
    Enabled
    Specifies that the system encrypts the TACACS+ packets.
    Disabled
    Specifies that the system sends unencrypted TACACS+ packets.
  11. In the
    Service Name
    field, type the name of the service that the user is requesting to be authenticated to use (usually
    ppp
    ).
    Specifying the service causes the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are:
    ppp
    ,
    slip
    ,
    arap
    ,
    shell
    ,
    tty-daemon
    ,
    connection
    ,
    system
    , and
    firewall
    .
  12. In the
    Protocol Name
    field, type the name of the protocol associated with the value specified in the
    Service Name
    field.
    This value is usually
    ip
    . Examples of protocol names that you can specify are:
    ip
    ,
    lcp
    ,
    ipx
    ,
    atalk
    ,
    vines
    ,
    lat
    ,
    xremote
    ,
    tn3270
    ,
    telnet
    ,
    rlogin
    ,
    pad
    ,
    vpdn
    ,
    ftp
    ,
    http
    ,
    deccp
    ,
    osicp
    , and
    unknown
    .
  13. From the
    Role
    list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  14. From the
    Partition Access
    list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  15. From the
    Terminal Access
    list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Disabled
    Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh
    Choose this option when you want the remotely-stored user accounts to have only
    tmsh
    access to the BIG-IP system.
  16. Click
    Finished
    .
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote TACACS+ server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.

Changing the default access control for remote accounts

You perform this task to change the user role, partition access, and terminal access that you want the BIG-IP system to assign by default to all remote users that are members of the user account
Other External Users
.
  1. On the Main tab, click
    System
    Users
    Authentication
    .
  2. Click
    Change
    .
  3. From the
    User Directory
    list, select
    Remote - Active Directory
    ,
    Remote - LDAP
    ,
    Remote - RADIUS
    , or
    Remote - TACACS+
    .
  4. From the
    Role
    list, select a user role.
    The BIG-IP system assigns this user role to any remote account that is not part of a remote user group to which you have explicitly assigned a user role.
  5. From the
    Partition Access
    list, select a partition name.
    All remote user accounts that are members of the BIG-IP account
    Other External Users
    can have access to either all partitions or the same individual partition. Individual members of this account cannot have access to different partitions.
  6. From the
    Terminal Access
    list, select
    Enabled
    or
    Disabled
    .
  7. Click
    Update
    .
After you perform this task, most BIG-IP user accounts stored on a remote authentication server have the specified user role, as well as partition and console access. Remote accounts that are part of a role group are not subject to these authentication settings.

About remote user groups

On the BIG-IP system, you can assign access control properties (user role, partition, and terminal access) to any group of BIG-IP user accounts defined on a remote authentication server. You can assign these properties by using either the BIG-IP configuration utility or the Traffic Management Shell (
tmsh
) to specify the appropriate remote attribute string and line-order for each group of BIG-IP users, along with the access control values you want to assign to the group.
You can configure access control for remote groups of BIG-IP user accounts in these ways:
  • By specifying on the BIG-IP system the relevant attribute string and the role, partition access, and terminal access that you want to assign to the group.
  • By specifying on the BIG-IP system the relevant attribute string and then using variable substitution (
    tmsh
    only).
Note that access control for these group-based user accounts is separate from the access control assigned to accounts represented by the BIG-IP user account named
Other External Users
.

Configuration examples

Because some types of remote servers allow a user to be a member of multiple user groups, configuration of user roles and partitions for BIG-IP ®user groups on those servers can result in conflicts. For example, two separate remote user groups might specify different roles on the same administrative partition. For a user that is a member of both groups, this configuration breaks the BIG-IP rule that a user cannot have two roles for any one partition.
In the case of such conflicts, the BIG-IP system must choose one of the conflicting roles for the user at login time. The primary way that the BIG-IP system makes this choice is by using line order. The line order that you specify within each remote role configuration affects how the system ultimately resolves any conflicts.
By contrast, within a single remote user group, no conflicts occur because the BIG-IP system prevents administrators from assigning more than role to the same partition.

Example 1: Conflicting role-partition entries within a group

The following example shows that two user roles Guest and Certificate Manager are associated with the same partition,
A
, for the same remote user group,
BigIPAdminGroup
.
This configuration is invalid because no one user can have more than one role for a specific partition. If an administrative user attempts to implement this configuration, the BIG-IP system disallows the configuration and displays an error message.
BigIPAdminGroup attribute memberOF=CN=
BigIPAdminGroup
,OU=BIP,DC=dean,DC=local console tmsh line-order 30 role guest user-partition A attribute memberOF=CN=
BigIPAdminGroup
,OU=BIP,DC=dean,DC=local console tmsh line-order 30 role manager user-partition B attribute memberOF=CN=
BigIPAdminGroup
,OU=BIP,DC=dean,DC=local console tmsh line-order 30 role certificate manager user-partition A

Example 2: Conflicting role-partition entries in multiple groups

In the following example, the remote server contains two BIG-IP user groups
BigIPNetworkGroup
and
BigIPAdminGroup
, and the BIG-IP system has three partitions,
A
,
B
, and
C
.
Suppose that user
jsmith
is a member of both groups. The configuration below shows that on login to the BIG-IP system, user
jsmith
will clearly be assigned the role of Operator for partition
B
, and Manager for partition
C
. But for partition
A
, there is a conflict, because a user can have only one role per partition on the system, and this configuration attempts to assign the roles of both Manager and Guest for that partition.
To resolve the conflict, the BIG-IP system uses line order to determine which of the conflicting roles to assign to
jsmith
for partition
A
. In this case, the system will choose Manager, the role with the lowest line-order number (20).
BigIPNetworkGroup attribute memberOF=CN=
BigIPNetworkGroup
,OU=BIP,DC=dean,DC=local console tmsh line-order 20 role manager user-partition A attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local console tmsh line-order 10 role operator user-partition B attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local console tmsh line-order 40 role manager user-partition C BigIPAdminGroup attribute memberOF=CN=
BigIPAdminGroup
,OU=BIP,DC=dean,DC=local console tmsh line-order 30 role guest
user-partition A

Example 3: Conflicting role-partition entries due to universal access

In the following example, suppose that user
jsmith
is a member of three remote user groups:
BigIPGuestGroup
,
BigIPOperatorGroup
, and
BigipAdminGroup
, and the BIG-IP system has three partitions,
A
,
B
, and
C
.
In this configuration, the role specified for
BigIPAdminGroup
creates a conflict, because some entries specify a particular role for each partition, while
BigIPAdminGroup
specifies a role of Administrator for all three partitions. To resolve the conflict, the BIG-IP system uses the configured line order.
Because the line order for
BigIPAdminGroup
is 9 and therefore not the lowest line-order number, the BIG-IP system will ignore the role of Administrator for
jsmith
, leaving her with a role of Guest on partitions
A
and
C
, and Operator on partition
B
.
BigIPGuestGroup attribute memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local console tmsh line-order 2 role guest user-partition A BigIPOperatorGroup attribute memberOF=CN=BigIPOperatorGroup,OU=BIP,DC=dean,DC=local console tmsh line-order 10 role operator user-partition B BigIPAdminGroup attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local console tmsh line-order 9 role administrator user-partition All BigIPGuestGroup attribute memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local console tmsh line-order 3 role guest user-partition C

Configuring access control for remote user groups

You perform this task to assign a user role, a corresponding administrative partition, and a type of terminal access to a remotely-stored group of user accounts. For a given user group, you can assign as many role-partition combinations as you need, as long as each role is associated with a different partition. If the partition you associate with a role is
All
, this entry might or might not take effect, depending on whether the
All
designation conflicts with other role-partition combinations for that user group. For any conflicts, line order in the configuration is a consideration. To assign multiple role-partition combinations for a user group, you repeat this task for each combination, specifying the same attribute string for each task.
  1. On the Main tab, click
    System
    Users
    .
  2. On the menu bar, click
    Remote Role Groups
    .
  3. Click
    Create
    .
  4. In the
    Group Name
    field, type the group name that is defined on the remote authentication server.
    An example of a group name is
    BigIPOperatorsGroup
    .
  5. In the
    Line Order
    field, type a number.
    This value specifies the order of this access control configuration in the file
    /config/bigip/auth/remoterole
    for the named group. The LDAP and Active Directory servers read this file line by line. The order of the information is important; therefore, F5 Networks recommends that you specify a value of
    1000
    for the first line number. This allows you, in the future, to insert lines before the first line.
  6. In the
    Attribute String
    field, type an attribute.
    An example of an attribute string is
    memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net
    .
    The BIG-IP system attempts to match this attribute with an attribute on the remote authentication server. On finding a match, the BIG-IP system applies the access control settings defined here to the users in that group. If a match is not found, the system applies the default access control settings to all remotely-stored user accounts (excluding any user account for which access control settings are individually configured).
  7. From the
    Remote Access
    list, select a value.
    Enabled
    Choose this value if you want to enable remote access for the defined user group.
    Disabled
    Choose this value if you want to disable remote access for the defined user group. Note that if you configure multiple instances of this remote role group (one instance for each role-partition pair for the attribute string), then choosing a value of
    Disabled
    disables remote access for all user group members, regardless of the remote role group instance.
  8. From the
    Assigned Role
    list, select a user role for the remote user group.
  9. From the
    Partition Access
    list, select an administrative partition value.
    All
    Choose this value to give users in the defined group access to their authorized objects in all partitions on the BIG-IP system.
    partition_name
    Choose a specific partition name to give users in the defined group access to that partition only.
    Common
    Choose this value to give users in the defined group access to partition
    Common
    only.
  10. From the
    Terminal Access
    list, select the type of command-line access you want to grant users in the group, if any.
  11. Click
    Finished
    or
    Repeat
    .
After you perform this task, the user group that you specified has the assigned role, partition access, and terminal access properties assigned to it.

About variable substitution

As an alternative to using the BIG-IP Configuration utility to specify explicit values for access control properties for remote user groups, you can configure the remote server to return a vendor-specific attribute with variables for role, partition access, and console access. You can then assign values to those variables (numeric or alphabetic), and you can use the
tmsh remoterole
command to perform variable substitution for those access control properties.
For example, suppose that you configure a remote RADIUS authentication server to return the vendor-specific attribute
F5-LTM-User-Info-1
=
DC1
, along with three variables and their values:
  • F5-LTM-User-Role
    =
    400
    (variable)
  • F5-LTM-User-Partition
    =
    App_C
    (variable)
  • F5-LTM-User-Console
    =
    1
    (variable)
A user role value of
400
signifies the
Operator
user role.
The
remoterole
command can use the attribute
F5-LTM-User-Info-1
on which to match. The command can then read the role, user partition, and console values from the three variables, rather than you specifying them explicitly. To do this, you specify each of the three variables on the command line, preceded by the string
%
, as arguments.
The following shows a sample use of the
remoterole
command. This sample command matches on the vendor-specific attribute
F5-LTM-User-Info-1
and then, using the above variables, assigns a user role of (
Operator
(
400
)), access to partition
App_C
, and
tmsh
access
1
) to any user accounts that are part of Datacenter 1 (DC1):
tmsh auth remote-role role-info add { DC1 { attribute "F5-LTM-User-Info-1=DC1" console "%F5-LTM-User-Console" role "%F5-LTM-User-Role" user partition "%F5-LTM-User-Partition" line order 1 } }

Values for remote role variables

This table lists the values for the BIG-IP variable
F5-LTM-User-Role
that you use for defining a role for a remotely-stored user group. For example, a value of
100
to the variable
F5-LTM-User-Role
indicates the Manager user role.
User Role
Value
Administrator
0
Resource-Admin
20
User-Manager
40
Auditor
80
Log Manager
90
Manager
100
App-Editor
300
Operator
400
Firewall Manager
450
Fraud Protection Manager
480
Certificate-Manager
500
Certificate-Manager
510
Guest
700
Application-Security-Admin
800
Application-Security-Editor
810
Application-Policy-Editor
850
No-Access
900

About terminal access for remote user groups

If you use the Traffic Management Shell (
tmsh
)
remoterole
command to configure console access for a user account within a remote user group, the BIG-IP system behavior differs depending on the value of the
console
option:
  • If an attribute string for a remote user group has one or more role-partition pairs assigned to that attribute, and you set the value of the
    console
    option to
    tmsh
    , then on successful authentication the BIG-IP system grants all users in that user group
    tmsh
    access to the BIG-IP system.
  • If you set the value of the
    console
    option to
    disable
    (or you do not configure the
    console
    option) for all role-partition combinations assigned to the same attribute string, then the BIG-IP system denies all users in that user group
    tmsh
    access to the BIG-IP system, even on successful authentication. Note that this does not affect user access to the BIG-IP Configuration utility.

Saving access control settings to a file

You can save the running configuration of the system, including all settings for remote user authentication and authorization, in a flat, text file with a specified name and the extension
.scf
.
  1. On the BIG-IP system, access a command-line prompt.
  2. At the prompt, open the Traffic Management Shell by typing the command
    tmsh
    .
  3. Type
    sys save
    filename
    .
    sys save myConfiguration053107
    creates the file
    myConfiguration053107.scf
    in the
    var/local/scf
    directory.
    sys save /config/myConfiguration
    creates the file
    myConfiguration.scf
    in the
    /config
    directory.
You can now import this file onto other BIG-IP devices on the network.

Importing BIG-IP configuration data onto other BIG-IP systems

You can use the
tmsh
sys load
command to import a single configuration file (SCF), including access control data, onto other BIG-IP devices on the network.
This task is optional.
  1. On the BIG-IP system on which you created the SCF, access a command-line prompt.
  2. Copy the SCF that you previously created to a location on your network that you can access from the system that you want to configure.
  3. Edit the SCF to reflect the management routing and special passwords of the BIG-IP system that you want to configure:
    1. Open the SCF in an editor.
    2. Where necessary, change the values of the management IP address, network mask, management default route, self IP addresses, virtual server IP addresses, routes, default routes, and host name fields to the values for the new system.
    3. If necessary, change the passwords for the
      root
      and
      admin
      accounts using the command
      user
      name
      password none newpassword
      password
      .
      When configuring a unit that is part of a redundant system configuration and that is using the SCF from the peer unit, do not modify the
      root
      and
      admin
      accounts. These accounts must be identical on both units of the redundant system.
    4. Save the edited SCF.
  4. On the BIG-IP system that you want to configure, open the Traffic Management Shell by typing the command
    tmsh
    .
  5. Type
    sys load
    scf_filename
    .
    sys load myConfiguration053107.scf
    saves a backup of the running configuration in the
    /var/local/scf
    directory, and then resets the running configuration with the configuration contained in the SCF you are loading.

About viewing remote user accounts

Using the BIG-IP Configuration utility, you can display a list of those remote user accounts to which you explicitly assigned a non-default user role. If a remote user account has the default role assigned to it, you cannot see that account in the user account list.
Any users who have access to a partition in which remote accounts reside can view a list of remote user accounts.

Displaying a list of remote user accounts

You perform this task to display a list of remotely-stored user accounts.
  1. On the Main tab, click
    System
    Users
    .
  2. On the menu bar, click
    Authentication
    .
  3. Verify that the
    User Directory
    setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
  4. On the menu bar, click
    User List
    .
  5. View the list of user accounts. Remote user accounts that are assigned the default user role appear as
    Other External Users
    .

Viewing access control properties

  1. On the Main tab, click
    System
    Users
    .
  2. On the menu bar, click
    Authentication
    .
  3. Verify that the
    User Directory
    setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
  4. On the menu bar, click
    User List
    .
  5. View the list of user accounts. Remote user accounts that are assigned the default user role appear as
    Other External Users
    .
  6. In the user account list, find the user account you want to view and click the account name. This displays the properties of that user account.