Manual Chapter : User Management

Applies To:


F5OS-A

  • 1.0.1, 1.0.0

User Management

User management overview

You can manage the rSeries system from the CLI, the webUI, or using REST APIs.
The rSeries system has two levels of user management:
System level
At the system level, after basic configuration is complete, the system includes default root (Bash access only) and admin accounts to log in to. The system administrator logs in with the admin account and changes the default passwords at first login. At that point, the admin user can also create additional accounts for other users, such as other system administrators, terminal server administrators, or operators.
Tenant level
Because tenants are independent of the rest of the rSeries system, tenant users and their management are not covered in this guide. For more information, see the tenant documentation (such as the BIG-IP software documentation at support.f5.com).

User roles overview

Management of an rSeries system can be viewed in terms of different user roles, each performing a different set of administrative actions at a conceptually different level.
Admin users
Have the broadest ability: they can configure management interfaces, install Base OS system software, modify system settings, activate licensing, perform user management, and configure network settings, port groups, interfaces, VLANs, LAGs, partition log settings, tenant deployments, and system settings.
Operator users
Have read-only access to every screen and every configuration object at the level in which they are working. If an operator tries to modify any setting, the system displays a warning explaining that their role is not authorized to make the configuration change.

Group IDs and system authentication roles

You can configure the system to use these authentication methods to authenticate users:
  • External LDAP Server (includes Active Directory)
  • External RADIUS Server
  • External TACACS+ Server
  • Local (local UNIX authentication)
Each user role is internally mapped to a group ID. Users created and managed on external LDAP, Active Directory, RADIUS, or TACACS+ servers must carry the same group IDs on the external servers as the roles have on rSeries systems; otherwise authentication and authorization on the rSeries system cannot occur. Every user defined on an external server must therefore be associated with one of the group IDs listed below.
You can only use the existing roles; you cannot create new roles.
The group IDs are specified in a user configuration file on the external server (file locations vary between servers). You can assign these F5 user attributes:
F5-F5OS-UID=1001
F5-F5OS-GID=9000              <-- required; must match a group ID in /etc/group on the system
F5-F5OS-HOMEDIR=/tmp          <-- optional; prevents sshd warning messages
F5-F5OS-USERINFO=test_user    <-- optional user info (comment field)
F5-F5OS-SHELL=/bin/bash       <-- ignored; always set to /var/lib/controller/f5_confd_cli
Setting F5-F5OS-HOMEDIR=/tmp avoids warning messages from sshd that the home directory does not exist. The source address in the TACACS+ configuration is not used by the rSeries system.
If F5-F5OS-UID is not set, it defaults to 1001. If F5-F5OS-GID is not set, it defaults to 0, which is disallowed for authentication, so a user without a GID attribute cannot log in. F5-F5OS-USERINFO is a comment field. Essentially, F5-F5OS-GID is the only hard requirement: it must equal the group ID of the intended user role (the root role's GID is 0, which, as noted, is disallowed for external authentication).

Group IDs for system roles

This table lists group IDs for system roles.
Role             Group ID
admin            9000
operator         9001
root             0
tenant-console   9100
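The defaults and the GID rule described above, as an added example (not F5 code) that resolves a system role from the attribute set an external server returns for a user. It uses the group ID table from this chapter; the `parse_attribute_lines` helper, the `AuthorizationError` type and the warning texts are this example's own, and the sample attribute block is constructed from the one shown earlier.

```python
"""Resolve an F5OS role from external-server attributes (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Role-to-group-ID table from this chapter.
ROLE_GIDS = {"admin": 9000, "operator": 9001, "root": 0, "tenant-console": 9100}
GID_ROLES = {gid: role for role, gid in ROLE_GIDS.items()}

DEFAULT_UID = 1001                                  # used when F5-F5OS-UID is absent
DEFAULT_GID = 0                                     # used when F5-F5OS-GID is absent (disallowed)
FORCED_SHELL = "/var/lib/controller/f5_confd_cli"   # F5-F5OS-SHELL is always overridden


class AuthorizationError(Exception):
    """The attributes do not map to a role that may log in."""


@dataclass
class ResolvedUser:
    role: str
    uid: int
    gid: int
    shell: str
    homedir: Optional[str] = None
    userinfo: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_attribute_lines(text: str) -> Dict[str, str]:
    """Parse NAME=value lines as written in the TACACS+ example; '<--' annotations are dropped."""
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        attrs[name.strip()] = value.strip()
    return attrs


def resolve(attrs: Dict[str, str]) -> ResolvedUser:
    """Apply the chapter's defaults and the GID rule to one user's attribute set."""
    warnings: List[str] = []
    try:
        uid = int(attrs.get("F5-F5OS-UID", DEFAULT_UID))
        gid = int(attrs.get("F5-F5OS-GID", DEFAULT_GID))
    except ValueError as exc:
        raise AuthorizationError(f"UID/GID must be integers: {exc}") from None

    role = GID_ROLES.get(gid)
    if role is None:
        raise AuthorizationError(f"GID {gid} does not match any system role")
    if gid == 0:
        # GID 0 is both the root role and the default for a missing attribute,
        # and it is disallowed for authentication: root cannot be granted remotely.
        raise AuthorizationError("GID 0 (root) is disallowed for external authentication")

    homedir = attrs.get("F5-F5OS-HOMEDIR")
    if homedir is None:
        warnings.append("F5-F5OS-HOMEDIR unset: sshd will warn that the home directory does not exist")
    requested_shell = attrs.get("F5-F5OS-SHELL")
    if requested_shell not in (None, FORCED_SHELL):
        warnings.append(f"F5-F5OS-SHELL={requested_shell} ignored; shell is always {FORCED_SHELL}")

    return ResolvedUser(role=role, uid=uid, gid=gid, shell=FORCED_SHELL,
                        homedir=homedir, userinfo=attrs.get("F5-F5OS-USERINFO"),
                        warnings=warnings)


if __name__ == "__main__":
    # Constructed input: the attribute block shown in this chapter.
    sample = "\n".join([
        "F5-F5OS-UID=1001",
        "F5-F5OS-GID=9000 <-- must match /etc/group",
        "F5-F5OS-HOMEDIR=/tmp",
        "F5-F5OS-USERINFO=test_user",
        "F5-F5OS-SHELL=/bin/bash <-- ignored",
    ])
    print(resolve(parse_attribute_lines(sample)))
```

A user record with no GID attribute at all is the case to test on a new server: it silently falls to GID 0 and is refused, which looks like a wrong password from the client side.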

Group ID configuration examples

RADIUS server

The user configuration file is often named /etc/raddb/users. This is an example of an entry for an administrator with admin privileges:
radius_user Cleartext-Password := "test"
        F5-F5OS-UID := 1001,
        F5-F5OS-GID := 9000,
        F5-F5OS-HOMEDIR := "/tmp",
        F5-F5OS-SHELL := "/var/lib/controller/f5_confd_cli"

TACACS+ server

For example, on a TACACS+ server, the user configuration file is typically named /etc/tac_plus.conf. This is an example of an entry for an administrator with admin privileges:
group = admin {
    service = ppp protocol = ip {
        default attribute=permit
        F5-F5OS-UID=1001
        F5-F5OS-GID=9000
        F5-F5OS-HOMEDIR=/tmp
        F5-F5OS-USERINFO=test_user
    }
}
user = test_tacacs_user {
    global = cleartext "test-tacplus"
    member = admin
}

Display user roles from the CLI

You can display the system roles with their associated group IDs from the CLI using an account with admin or operator access.
  1. Log in to the command line interface (CLI) of the system using an account with admin or operator access.
    When you log in to the system, you are in user (operational) mode.
  2. Display user roles for the system.
    show system aaa authentication roles
    A summary similar to this example displays:
    appliance-1# show system aaa authentication roles
    ROLENAME        GID   USERS
    -----------------------------
    admin           9000  -
    operator        9001  -
    root            0     -
    tenant-console  9100  -

RADIUS configuration overview

You can configure the rSeries system to use a RADIUS server for authenticating rSeries system user accounts.
Before you begin:
  • Verify that the RADIUS service is set up on a server that is accessible to the rSeries system. The default port for the RADIUS service is 1812. If the service is configured with a different port, make note of it, as you will need it during the configuration.
  • Add the F5OS vendor-specific attributes (VSA) to the F5 vendor-specific RADIUS dictionary file on the RADIUS server.
  • Assign users to valid system group IDs on the external RADIUS server. See the Group IDs and system authentication roles section for more information.

RADIUS dictionary

When configuring remote RADIUS authentication for the F5 system, you add these F5OS vendor-specific attributes (VSA) to the F5 vendor-specific RADIUS dictionary file on the RADIUS server:
ATTRIBUTE F5-F5OS-UID       21  integer
ATTRIBUTE F5-F5OS-GID       22  integer
ATTRIBUTE F5-F5OS-HOMEDIR   23  string
ATTRIBUTE F5-F5OS-SHELL     24  string
ATTRIBUTE F5-F5OS-USERINFO  25  string
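The wire format these dictionary entries describe, as an added example written for this page (not F5 or FreeRADIUS code): each attribute travels inside a RADIUS Vendor-Specific attribute (type 26, RFC 2865) carrying the vendor ID followed by the vendor type and length from the dictionary, with integers as 4-byte big-endian values and strings as raw bytes. The vendor ID comes from the dictionary's VENDOR line, which this chapter does not reproduce; the code assumes 3375, F5's IANA enterprise number. The decoder skips non-VSA attributes and other vendors' VSAs, so a reply built from a dictionary with the wrong vendor block yields no GID, which the system then treats as the disallowed default 0.

```python
"""Encode and decode the F5OS RADIUS vendor-specific attributes (added example)."""
import struct

# The dictionary above: attribute name -> (vendor type, data type).
F5OS_DICTIONARY = {
    "F5-F5OS-UID": (21, "integer"),
    "F5-F5OS-GID": (22, "integer"),
    "F5-F5OS-HOMEDIR": (23, "string"),
    "F5-F5OS-SHELL": (24, "string"),
    "F5-F5OS-USERINFO": (25, "string"),
}
BY_VENDOR_TYPE = {num: (name, kind) for name, (num, kind) in F5OS_DICTIONARY.items()}

VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865 section 5.26)
VENDOR_ID_F5 = 3375    # assumed: the VENDOR line of the F5 dictionary (IANA enterprise number)
MAX_VALUE_LEN = 255 - 2 - 4 - 2   # one-byte length minus attr header, vendor ID, sub-header


def encode_vsa(name: str, value) -> bytes:
    """Build one Vendor-Specific attribute: type, length, vendor ID, vendor type/length/value."""
    vendor_type, kind = F5OS_DICTIONARY[name]
    data = struct.pack("!I", int(value)) if kind == "integer" else str(value).encode()
    if len(data) > MAX_VALUE_LEN:
        raise ValueError(f"{name} value does not fit in one RADIUS attribute")
    vendor_part = bytes([vendor_type, 2 + len(data)]) + data
    body = struct.pack("!I", VENDOR_ID_F5) + vendor_part
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def encode_reply(attrs: dict) -> bytes:
    """One VSA per attribute, concatenated as a server would place them in an Access-Accept."""
    return b"".join(encode_vsa(name, value) for name, value in attrs.items())


def decode_reply(blob: bytes) -> dict:
    """Walk an attribute list; keep F5OS VSAs, skip every other attribute or vendor."""
    result = {}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError("bad attribute length")
        payload = blob[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(payload) < 6:
            continue                                   # not a VSA: ignore
        vendor_id = struct.unpack("!I", payload[:4])[0]
        if vendor_id != VENDOR_ID_F5:
            continue                                   # another vendor's VSA: ignore
        vendor_type, vendor_len = payload[4], payload[5]
        if vendor_len != len(payload) - 4:
            raise ValueError("bad vendor length")
        value = payload[6:]
        entry = BY_VENDOR_TYPE.get(vendor_type)
        if entry is None:
            continue                                   # unknown F5 sub-attribute: ignore
        name, kind = entry
        if kind == "integer":
            if len(value) != 4:
                raise ValueError(f"{name} must be a 4-byte integer")
            result[name] = struct.unpack("!I", value)[0]
        else:
            result[name] = value.decode()
    return result


if __name__ == "__main__":
    # Constructed reply matching the /etc/raddb/users entry in this chapter.
    reply = encode_reply({"F5-F5OS-UID": 1001, "F5-F5OS-GID": 9000,
                          "F5-F5OS-HOMEDIR": "/tmp",
                          "F5-F5OS-SHELL": "/var/lib/controller/f5_confd_cli"})
    print(reply.hex())
    print(decode_reply(reply))
```

When a RADIUS login fails on the system side despite an Access-Accept, decoding the reply attributes with a tool such as this shows immediately whether the server sent the F5 VSAs at all or only standard attributes.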

RADIUS configuration from the webUI

Configure RADIUS authentication from the webUI

You can configure the use of RADIUS authentication with rSeries systems from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click USER MANAGEMENT > Auth Settings.
  3. To enable an external authentication server, in Authentication Methods, select RADIUS.
    The RADIUS server must be configured and reachable from the system.
    By default, local authentication is always enabled, so an administrator can access the system in case of external authentication server failure.
  4. Click Save.
  5. Create a server group:
    1. On the left, click USER MANAGEMENT > Server Groups.
    2. Click Add.
    3. For Name, create a recognizable name for the server group.
    4. For Provider Type, select RADIUS to qualify the type of servers that will be in the group.
    5. Click Save & Close.
  6. Add servers to the server group:
    1. On the left, click USER MANAGEMENT > Server Groups.
    2. Click the server group to which you want to add servers.
      The Edit Server Group screen displays.
    3. Click Add.
    4. For Server, type the IPv4 address, IPv6 address, or FQDN of the RADIUS server to add.
    5. For Port, make sure the port number is correct for RADIUS traffic. The default value is 1812.
    6. For Secret, type the shared secret used to access the server.
    7. For Timeout (seconds), type the number of seconds to wait before timing out if the server cannot be reached. The default value is 5.
    8. Click Save & Close.
      Add as many servers as needed to the group.
RADIUS authentication for users is configured on the system. When a user logs in, the system attempts to authenticate them against the configured authentication methods. When the account matches within any of the configured authentication methods, the user is authenticated and given access.

LDAP/AD configuration overview

You can configure the rSeries system to use an LDAP or Microsoft Windows Active Directory (AD) server for authenticating rSeries system user accounts.
Before you begin:
  • Verify that the LDAP service is set up on a server that is accessible to the rSeries system. The default port for the LDAP service is 389 for the unsecured protocol (LDAP) or 636 for the secured protocol (LDAPS). If the service is configured with a different port, make note of it, as you will need that port number during configuration.
  • Import one or more LDAP certificates if you want to verify the certificate of the authentication server.
  • Assign users to valid system group IDs on the external LDAP or Active Directory servers. For more information, see the Group IDs and system authentication roles section.

LDAP/AD configuration from the webUI

Configure LDAP/AD authentication from the webUI

You can configure the use of LDAP/Active Directory (AD) authentication with rSeries systems from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click USER MANAGEMENT > Auth Settings.
  3. To enable an external authentication server, in Authentication Methods, select LDAP.
    The LDAP server must be configured and reachable from the system.
    By default, local authentication is always enabled, so an administrator can access the system in case of external authentication server failure.
  4. In the Common LDAP Configuration area, for Base DN, type the base distinguished name (name-value pairs) from which to start the search for the LDAP user (for example, dc=example,dc=org).
    The settings in the Common LDAP Configuration area are required only if you want to use LDAP and create LDAP server groups with LDAP servers.
  5. In the Bind setting, specify the information for binding the LDAP service account.
    1. For DN, type the distinguished name with which to bind to the LDAP directory server for lookups (for example, cn=admin,dc=example,dc=org).
    2. For Password, type the password for that bind DN.
      F5 recommends that the LDAP service account password be set to never expire. If it expires, LDAP authentication is no longer possible and users can be locked out of the system.
    3. For Confirm, retype the password.
  6. For Connect Timeout (seconds), specify the maximum time, in seconds, that the system waits before timing out when trying to reach the LDAP server.
  7. For Read Timeout (seconds), specify the maximum time, in seconds, that the system waits to receive an LDAP response before aborting the read attempt.
  8. For Idle Timeout (seconds), specify the maximum time, in seconds, that an LDAP connection can be inactive before the connection is closed.
  9. For LDAP Version, select the version of the LDAP protocol to use, or use the default of 3.
  10. If the LDAP server has Transport Layer Security (TLS) support, from the TLS list, select whether to use TLS to encrypt the transfer of authentication data between the LDAP server and the system.
    Option     Description
    On         Use TLS to secure all connections.
    Off        Do not use TLS.
    StartTLS   Start the connection in unencrypted mode on a port configured for plain text and negotiate encryption on that connection. If selected, it is used rather than raw LDAP over SSL.
    If set to On or StartTLS, additional TLS-related fields are enabled. With Off, the bind credentials and user passwords cross the network in the clear.
  11. For TLS Certificate Validation, specify what checks to perform on a server-supplied certificate.
    Option   Description
    Never    A TLS certificate is not requested or required.
    Allow    The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it is ignored and the session proceeds normally.
    Try      The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
    Demand   The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
    Hard     Same behavior as Demand.
    Only Demand and Hard reject a connection whose server certificate is missing or fails validation; with Never, Allow, or Try the identity of the LDAP server that receives the bind credentials is not verified.
  12. For TLS CA Certificate, click Show and paste the contents of the X.509 certificate (self-signed or from a CA) used for peer authentication.
  13. For Cipher String, type the cipher string to specify the type of encryption to use (for example, ECDHE-RSA-AES256-GCM-SHA384 or ECDHE-RSA-AES128-GCM-SHA256).
    The cipher string can take several additional forms. It can consist of a single cipher suite such as RC4-SHA. It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example, SHA1 represents all cipher suites using the digest algorithm SHA1, and SSLv3 represents all SSLv3 algorithms. These forms illustrate the syntax only; RC4 and SSLv3 are obsolete and should not appear in a production cipher string.
    You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation. For example, SHA1+DES represents all cipher suites containing both the SHA1 and DES algorithms.
    For additional information, see the ciphers man page at www.openssl.org/docs/manpages.html.
  14. In the TLS Certificate field, click Show and paste the text of the local certificate for client TLS authentication.
  15. In the TLS Key field, click Show and paste the text of the private key for client TLS authentication.
  16. For Authenticate with Active Directory, select True if you want LDAP to authenticate against an Active Directory (AD) server.
  17. Click Save.
  18. Create a server group:
    1. On the left, click USER MANAGEMENT > Server Groups.
    2. Click Add.
    3. For Name, create a recognizable name for the server group.
    4. For Provider Type, select LDAP to qualify the type of servers that will be in the group.
    5. Click Save & Close.
  19. Add servers to the server group:
    1. For Server, type the IPv4 address, IPv6 address, or FQDN of the LDAP server to add.
    2. For Port, make sure the port number is correct for LDAP traffic. The default value is 636 (LDAPS); plain LDAP listens on 389 by default.
    3. From the Type list, select LDAP over TCP or LDAP over SSL (secured), depending on which the server supports.
    4. Click Save & Close.
      Add as many servers as needed to the group.
LDAP/AD authentication for users is configured on the system. When a user logs in, the system attempts to authenticate them against the configured authentication methods. When the account matches within any of the configured authentication methods, the user is authenticated and given access.

TACACS+ configuration overview

You can configure the rSeries system to use a TACACS+ server for authenticating rSeries system user accounts.
Before you begin:
  • Verify that TACACS+ is set up on a server that is accessible to the rSeries system.
  • Assign users to valid system group IDs on the external TACACS+ server. For more information, see the Group IDs for system roles section.

TACACS+ configuration from the webUI

Configure TACACS+ authentication from the webUI

You can configure the use of TACACS+ authentication with rSeries systems from the webUI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click USER MANAGEMENT > Auth Settings.
  3. To enable an external authentication server, in Authentication Methods, select TACACS+.
    The TACACS+ server must be configured and reachable from the system.
    By default, local authentication is always enabled, so an administrator can access the system in case of external authentication server failure.
  4. Click Save.
  5. Create a server group:
    1. On the left, click USER MANAGEMENT > Server Groups.
    2. Click Add.
    3. For Name, create a recognizable name for the server group.
    4. For Provider Type, select TACACS+ to qualify the type of servers that will be in the group.
    5. Click Save & Close.
  6. Add servers to the server group:
    1. On the left, click USER MANAGEMENT > Server Groups.
    2. Click the server group to which you want to add servers.
      The Edit Server Group screen displays.
    3. Click Add.
    4. For Server, type the IPv4 address, IPv6 address, or FQDN of the TACACS+ server to add.
    5. For Port, make sure the port number is correct for TACACS+ traffic. The default value is 49.
    6. For Secret, type the shared secret used to access the server.
    7. Click Save & Close.
      Add as many servers as needed to the group.
TACACS+ authentication for users is configured on the system. When a user logs in, the system attempts to authenticate them against the configured authentication methods. When the account matches within any of the configured authentication methods, the user is authenticated and given access.

User management from the webUI

Configure local password policy from the webUI

A password policy enables you to qualify criteria for valid passwords and configure maximum password attempts for local authentication (/etc/passwd).
  1. Log in to the webUI using an account with admin access.
  2. On the left, click USER MANAGEMENT > Auth Settings.
  3. In the Local Password Policy area, for Minimum Length, type the minimum number of characters required for a password.
    The allowed range is 6 to 255.
  4. For Required Characters, type the minimum number of Numeric, Uppercase, Lowercase, and Special characters required in a valid password.
  5. For New/Old Password Differential, type the number of characters in the new password that must differ from the old password.
    The default value is 8.
  6. For Disallow Username, select one of these options:
    Option   Description
    True     Check whether the name of the user, in forward or reversed form, is contained in the password.
    False    Do not check for the username in the password.
    When set to True, if any variant of the username is found in the password, the new password is rejected.
  7. Set Apply Password Policy to Root Account to True to use the same password policy for the root account. The default value is False, so the root password is not subject to these rules unless you change this setting.
  8. For Maximum Password Retries, type the number of times a user can try to create an acceptable password at the prompt.
    The default value is 3.
  9. For Maximum Login Attempts, type the allowed number of times a user can attempt to log in before the account is temporarily suspended.
    The default value is 10 tries. If set to 0, there is no limit to the number of login attempts, and accounts are never suspended for failed logins.
  10. For Lockout Duration, type the amount of time in minutes that must elapse before a previously suspended user's account is unlocked.
    The default value is 1 minute. If the value is set to 0, the account stays locked until an administrator manually unlocks it.
  11. For Max Password Age, type the number of days after a password change at which the password expires.
    If the last change was today and Max Password Age is 90, the password expires in 91 days. If set to 0 (the default), the password never expires.
  12. Click Save.
You have configured the local password policy. On the same screen, you can configure other authentication settings.
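The checks the policy fields above describe, as an added example (not F5 code) that makes the meaning of the 0 values and of the one-day expiry offset concrete. The chapter gives no default for Minimum Length or the per-class counts, does not define what counts as a special character, and does not say exactly how the differential is counted; the choices here (8 characters, one of each class, non-alphanumeric means special, differential counted as characters of the new password absent from the old) are assumptions of this example, as are the function and class names.

```python
"""Local password policy checks and login lockout bookkeeping (added example)."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    """Fields of the Local Password Policy screen. Values for settings the
    chapter gives no default for (min_length, per-class counts) are assumed."""
    min_length: int = 8            # allowed range 6-255
    numeric: int = 1               # Required Characters: Numeric
    uppercase: int = 1             # Required Characters: Uppercase
    lowercase: int = 1             # Required Characters: Lowercase
    special: int = 1               # Required Characters: Special
    differential: int = 8          # New/Old Password Differential (default 8)
    disallow_username: bool = True
    max_login_attempts: int = 10   # 0 = no limit
    lockout_minutes: int = 1       # 0 = administrator must unlock manually
    max_age_days: int = 0          # 0 = password never expires


def password_violations(policy: PasswordPolicy, username: str, new: str,
                        old: Optional[str] = None) -> List[str]:
    """Return every reason the new password fails the policy; [] means accepted."""
    problems: List[str] = []
    if not policy.min_length <= len(new) <= 255:
        problems.append(f"length must be {policy.min_length}-255 characters")
    have = {
        "numeric": sum(c.isdigit() for c in new),
        "uppercase": sum(c.isupper() for c in new),
        "lowercase": sum(c.islower() for c in new),
        "special": sum(not c.isalnum() for c in new),  # assumption: special = non-alphanumeric
    }
    for cls, count in have.items():
        need = getattr(policy, cls)
        if count < need:
            problems.append(f"needs at least {need} {cls} character(s)")
    if old is not None:
        # Assumption: the differential counts characters of the new password
        # that do not occur anywhere in the old one (pam_cracklib 'difok' style).
        changed = sum(1 for c in new if c not in old)
        if changed < policy.differential:
            problems.append(f"only {changed} characters differ from the old password; "
                            f"{policy.differential} required")
    if policy.disallow_username and username:
        low, user = new.lower(), username.lower()
        if user in low or user[::-1] in low:
            problems.append("contains the username (forward or reversed)")
    return problems


def expiry_date(last_changed: date, policy: PasswordPolicy) -> Optional[date]:
    """Max Password Age: with 90 set today the password expires in 91 days; 0 = never."""
    if policy.max_age_days == 0:
        return None
    return last_changed + timedelta(days=policy.max_age_days + 1)


@dataclass
class LoginLockout:
    """Per-user bookkeeping for Maximum Login Attempts and Lockout Duration."""
    policy: PasswordPolicy
    failures: Dict[str, int] = field(default_factory=dict)
    locked_at: Dict[str, datetime] = field(default_factory=dict)

    def record_failure(self, user: str, now: datetime) -> bool:
        """Count a failed login; return True when the account becomes suspended."""
        if self.policy.max_login_attempts == 0:
            return False                     # unlimited attempts, never suspended
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.max_login_attempts:
            self.locked_at[user] = now
            return True
        return False

    def is_locked(self, user: str, now: datetime) -> bool:
        since = self.locked_at.get(user)
        if since is None:
            return False
        if self.policy.lockout_minutes == 0:
            return True                      # stays locked until unlock() is called
        if now - since >= timedelta(minutes=self.policy.lockout_minutes):
            self.unlock(user)                # duration elapsed: automatic unlock
            return False
        return True

    def unlock(self, user: str) -> None:
        """The manual unlock an administrator performs (required when the duration is 0)."""
        self.failures.pop(user, None)
        self.locked_at.pop(user, None)
```

Setting Maximum Login Attempts to 0 removes the only brake on online password guessing against local accounts, which matters most for the admin account because it cannot be deleted; a lockout of a minute or more with a small attempt count is the conservative choice.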

Add users from the webUI

You can add users to the rSeries system from the webUI. Default root and admin accounts are provided on the system. You can change the passwords on those accounts, but they cannot be deleted.
You can create only admin and operator users from the webUI. You can create other roles from the CLI.
  1. Log in to the webUI using an account with admin access.
  2. On the left, click USER MANAGEMENT > Users.
  3. Click Add.
  4. For Username, create a name for the user.
  5. For Set Password, create a valid password according to the local password policy defined in Auth Settings.
  6. For Confirm Password, retype the password.
  7. From the Role list, select the role to assign appropriate capabilities for the user.
    Option     Description
    Admin      Used for the system administrator. Provides access to the CLI or webUI to configure the system (unrestricted read/write access). Can unlock any user.
    Operator   Provides read access to the system. Has write access to change their own password only.
  8. Click Save & Close.
Create as many users as needed to manage the system.