Manual Chapter : User Management

Applies To:

Show Versions

F5OS-C

1.3.2, 1.3.1, 1.3.0

User Management

User management overview

You can manage the

VELOS

system

at all levels

from the CLI, the webUI, or using REST APIs.

Each of these levels is distinct from one another requiring separate user names and passwords.

The

VELOS

system has

three

levels of user management:

System controller level (chassis): At the system controller level, after basic configuration is complete, the system includes default root (Bash access only) and admin accounts to log in to. The system controller administrator uses the admin account and changes the default passwords when logging in the first time. At that point, the admin user can also create additional accounts for other users, such as other system controller administrators or operators. The system controller administrator also creates the chassis partitions, terminal server administrators, or operators.
Chassis partition level: At the chassis partition level, the chassis partition administrator logs into the chassis partition previously created by the system controller administrator. The chassis partition provides a default admin account, and a chassis partition root account is included for accessing the console of the blades that are part of the chassis partition. The chassis partition administrator uses the admin account to manage the chassis partition, adding users, such as additional partition administrators, operators, and tenant console operators.
Tenant level: Since the tenants are independent of the rest of the
VELOS
system, the users and user management are not covered in this guide. For more information, see the tenant documentation (such as BIG-IP software documentation at support.f5.com).

User roles overview

Management of a

VELOS

system can be viewed in terms of different user roles, performing different sets of administrative actions at conceptually different levels.

VELOS

systems, users with admin access can make configuration changes at the level in which they are working (either the system controller level or the chassis partition level).

System controller administrators: Have broader ability and can create chassis partitions, configure management interfaces, install system controller level software, modify system settings, activate licensing, set up high availability for the two system controllers, and perform user management for the system controllers.
Chassis partition administrators: Can access only the chassis partition to which they have been assigned. They can configure network settings, port groups, interfaces, VLANs, LAGs, partition log settings, tenant deployments, system settings, and perform user management for those chassis partitions.
Operator users: Have read-only access to every screen and every configuration object at the level in which they are working
(either the system controller level or the chassis partition level)
. If an operator tries to modify any setting, however, the system displays a warning that explains that their role is unauthorized to make the configuration change.

System controller-level user roles

This table lists user roles at the system controller level.

Role	Description
admin	Used by the system controller administrator. Provides access to the system controller CLI or system controller webUI to configure the system at the system controller level (unrestricted read/write access). Can unlock any system controller users. Logs in to the active system controller or floating IP address. No Bash access. The default login credentials are admin/admin. When logging in as admin for the first time, the system prompts you to change the password. This also changes the default password for the root account to match that of the admin account.
operator	Used for the system controller operator. Allows read access to system controller level configuration from the system controller CLI or system controller webUI; write access to change password only. Logs in to the active system controller or floating-point management IP address. No Bash access.
partition_n (1-8)	Created at the system controller CLI. The system controller administrator can create one partition console role per partition, where n refers to the chassis partition ID. When a user with the chassis partition_n role logs in on a specific blade port, they are presented with the blade console through the terminal server. This is for troubleshooting and debugging the system.
root	Created by the system. Used by the system controller administrator. Provides Bash shell access to the entire system including all components including the blades. The system controller root account can be accessed from any system controller IP address, and from the system controller console. The root password can be changed using the passwd command, or by an admin user from the CLI. On first login, you are forced to change the password. If you change the root user password and the admin password is ‘admin’ at that time, the admin user will have the same new password. F5 recommends disabling the root account using appliance mode in production to reduce the attack surface of the system and protect it from any vulnerabilities.

Chassis partition-level user roles

This table lists user roles at the chassis partition level.

Chassis partition level user roles
Role	Description
admin	Used for the chassis partition administrator. Provides access to the chassis partition CLI or chassis partition webUI to configure the system at the chassis partition level with unrestricted read/write access. Can unlock operator users. Logs in to the chassis partition management IP address. No Bash access. The default login credentials are admin/admin. When logging in as admin for the first time, the system prompts you to change the password. This also changes the default password for the root account to match that of the admin account.
operator	Used for the chassis partition operator. Provides read access to the chassis partition configuration from the chassis partition CLI or chassis partition webUI; write access to change their password only. Logs in to the chassis partition management IP address. No Bash access.
tenant console	Has virtual console access to tenants from the chassis partition CLI. Tenant console access is authenticated by tenant root credentials. No read access to any part of the chassis partition
partition root	Has Bash access to blades that are part of the chassis partition. Provided on the system. Log in to the console on a blade. Should be used only in rare cases when troubleshooting the system. The root password can be changed using the passwd command or by an admin user from the CLI. On first login, you are forced to change the password. If you change the root password and the admin password is ‘admin’ at that time, admin will have the same new password. F5 recommends disabling the root account and using appliance mode in production to reduce the attack surface of the system and protect it from any vulnerabilities.

Group IDs and system authentication roles

You can configure the system to use these authentication methods to authenticate users:

External LDAP Server (includes Active Directory)

External RADIUS Server

External TACACS+ Server

Local (local UNIX authentication)

Each user role is internally mapped to a group ID. Users created and managed on external LDAP, Active Directory, RADIUS, or TACACS+ servers must have the same group IDs on the external servers as they do on

VELOS

systems to enable authentication and authorization to occur on

VELOS

systems. Users created on external LDAP, Active Directory, RADIUS, or TACACS+ servers must be associated with one of these group IDs on the system.

You can only use existing roles and cannot create new roles.

The group IDs are specified in a user configuration file on the external server (file locations vary on different servers). You can assign these F5 user attributes:

F5-F5OS-UID=1001
F5-F5OS-GID=9000   <-- THIS MUST MATCH /etc/group items   
F5-F5OS-HOMEDIR=/tmp  <-- Optional; prevents sshd warning msgs 
F5-F5OS-USERINFO=test_user  <-- Optional user info 
F5-F5OS-SHELL=/bin/bash    <--  Ignored; always set to /var/lib/controller/f5_confd_cli

Setting

F5-F5OS-HOMEDIR=/tmp

is a good idea to avoid warning messages from sshd that the directory does not exist. Also, the source address in the TACACS+ configuration is not used by the

VELOS

system.

If F5-F5OS-UID is not set, it defaults to 1001. If F5-F5OS-GID is not set, it defaults to 0 (disallowed for authentication). The F5-F5OS-USERINFO is a comment field. Essentially, F5-F5OS-GID is the only hard requirement and must coincide with group ID's user role (except for the root role where the GID is 0).

Group IDs for system controller roles

This table lists group IDs for system controller roles.

Role	Group ID
admin	9000
operator	9001
partition_1	9101
partition_2	9102
partition_3	9103
partition_4	9104
partition_5	9105
partition_6	9106
partition_7	9107
partition_8	9108
root	0
ts_admin	9100
user	9002 (internal F5 use only)

Group IDs for chassis partition roles

This table lists group IDs for chassis partition roles.

Group IDs for Chassis Partition Roles
Role	VELOS Group ID
admin	9000
limited	9999
operator	9001
root	0
ts_admin	9100

Group ID configuration examples

RADIUS server

The user configuration file is often named

/etc/raddb/users

. This is an example of an entry for an administrator with admin privileges:

radius_user Cleartext-Password := test
        F5-F5OS-UID := 1001,
        F5-F5OS-GID := 9000,
        F5-F5OS-HOMEDIR := "/tmp",
        F5-F5OS-SHELL := "/var/lib/controller/f5_confd_cli"

TACACS+ server

For example, on a TACACS+ server, the user configuration file is typically named

/etc/tac_plus.conf

. This is an example of an entry for an administrator with admin privileges:

group = admin {
    service = ppp
    protocol = ip
    {
        default attribute=permit
        F5-F5OS-UID=1001
        F5-F5OS-GID=9000
        F5-F5OS-HOMEDIR=/tmp
        F5-F5OS-USERINFO=test_user
    }
}

user = test_tacacs_user {
	global = cleartext "test-tacplus"
	member = admin
}

Display user roles for system controllers from the CLI

You can display the administrator roles with their associated group IDs from the system controller CLI using an account with admin or operator access.

When you log in to the system, you are in user (operational) mode.

Display user roles for the system controllers.

show system aaa authentication roles

A summary similar to this example displays:

syscon-1-active# show system aaa authentication roles
ROLENAME     GID   USERS
--------------------------
admin        9000  -
operator     9001  -
partition_1  9101  -
partition_2  9102  -
partition_3  9103  -
partition_4  9104  -
partition_5  9105  -
partition_6  9106  -
partition_7  9107  -
partition_8  9108  -
root         0     -
ts_admin     9100  -
user         9002  -

Display user roles for chassis partitions from the CLI

You can display the administrator roles with their associated group IDs from the chassis partition CLI using an account with admin or operator access.

When you log in to the system, you are in user (operational) mode.

Display user roles for the chassis partition.

show system aaa authentication roles

A summary similar to this example displays:

default-1# show system aaa authentication roles
ROLENAME     ROLENAME     GID   USERS
---------------------------------------
admin        admin        9000  -
limited      limited      9999  -
operator     operator     9001  -
root         root         0     -
tenant-console     tenant-console     9100  -

RADIUS configuration overview

You can configure the

VELOS

system to use a RADIUS server for authenticating

VELOS

system user accounts.

Before you begin:

Verify that the RADIUS service is set up on a server that is accessible to the

VELOS

system. The default port for RADIUS service is 1812. If the service is configured with a different port, make note of it, as you will need it during the configuration.

Add F5OS vendor-specific attributes (VSA) to the F5 vendor-specific RADIUS dictionary file on the RADIUS server.

Assign users to valid system group IDs on the external RADIUS server. See the

Group IDs and system authentication roles

section for more information.

RADIUS dictionary

When configuring remote RADIUS authentication for the

system, you add these F5OS vendor-specific attributes (VSA) to the F5 vendor-specific RADIUS dictionary file on the RADIUS server.

ATTRIBUTE       F5-F5OS-UID                    21       integer
ATTRIBUTE       F5-F5OS-GID                    22       integer
ATTRIBUTE       F5-F5OS-HOMEDIR                23       string
ATTRIBUTE       F5-F5OS-SHELL                  24       string
ATTRIBUTE       F5-F5OS-USERINFO               25       string

Configure RADIUS authentication from the CLI

You can configure the system for RADIUS authentication from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Set the authentication method to RADIUS.

system aaa authentication config authentication-method RADIUS_ALL

Commit the configuration changes.

commit

Add the RADIUS service details to the authentication server groups:

Create the server group.

system aaa server-groups server-group radius-group config name radius-group type RADIUS

Add the server and IP address for the RADIUS service.

servers server <ip-address> config address <ip-address>

Customize the RADIUS configuration details.

radius config auth-port <port-number> secret-key secret timeout <timeout-in-seconds>

Commit the configuration changes.

commit

RADIUS authentication for users is configured on the system controllers or chassis partition in which you are working.

Create a RADIUS server group from the CLI

If you have multiple RADIUS servers to which you want to connect, you can create a RADIUS server group from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Create the server group.

system aaa server-groups server-group <group-name> config name <group-name> type RADIUS

This example creates a RADIUS server group named radius-group:

syscon-1-active(config)# system aaa server-groups server-group radius-group 
  config name radius-group type RADIUS

Commit the configuration changes.

commit

Add the server and IP address of the RADIUS service.

servers server <ip-address> config address <ip-address>

Commit the configuration changes.

commit

LDAP/AD configuration overview

You can configure the

VELOS

system to use an LDAP or Microsoft Windows Active Directory (AD) server for authenticating

VELOS

system user accounts.

Before you begin:

Verify that the LDAP service is set up on a server that is accessible to the

VELOS

system. The default port for the LDAP service is 389 for unsecure protocol (LDAP) or 636 for secure protocol (LDAPS). If the service is configured with a different port, make note of it, as you will need that port number during configuration.

Import one or more LDAP certificates if you want to verify the certificate of the authentication server.

Assign users to valid system group IDs on the external LDAP or Active Directory servers. For more information, see the

Group IDs and system authentication roles

section.

Configure LDAP/Active Directory authentication from the CLI

You can configure VELOS for LDAP/Active Directory authentication from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Set the authentication method to LDAP.

system aaa authentication config authentication-method LDAP_ALL

Commit the configuration changes.

commit

Set the LDAP or Active Directory configuration details.

system aaa authentication ldap

active_directory

base

bind_timelimit

binddn

bindpw

idle_timelimit

ldap_version

ssl

timelimit

tls_cacert

tls_cert

tls_ciphers

tls_key

tls_reqcert

This example specifies a search base distinguished name for LDAP authentication:

syscon-1-active(config)# system aaa authentication ldap base dc=example,dc=local

This example enables Active Directory authentication, by setting the

active_directory

option to true:

syscon-1-active(config)# system aaa authentication config authentication-method LDAP 
  all system aaa authentication ldap active_directory true

For the system to recognize an Active Directory user, the user's uidNumber attribute must be set to a valid value, and also the gidNumber for important groups must be set to a valid value. While these attributes are typically present in a basic LDAP configuration, they are often missing from a basic AD configuration.

Add the LDAP/AD server details to the authentication server groups.

Create the server group.

system aaa server-groups server-group ldap-group config name ldap-group type LDAP

Add the server and IP address of the LDAP service.

servers server <ip-address> config address <ip-address>

Customize the LDAP configuration details.

ldap config auth-port <port-number> type ldaps

This example shows secure LDAP configuration:

syscon-1-active(config)# ldap config auth-port 636 type ldaps

Commit the configuration changes.

commit

LDAP/Active Directory authentication for users is configured on the system controllers or chassis partition in which you are working.

Create an LDAP server group from the CLI

You can create an LDAP server group (including Active Directory servers), if you have multiple external LDAP servers to which you want to connect, from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Create the server group.

system aaa server-groups server-group <group-name> config name <group-name> type LDAP

This example creates an LDAP server group named ldap-test:

syscon-1-active(config)# system aaa server-groups server-group ldap-test 
  config name ldap-test type LDAP

Commit the configuration changes.

commit

Add the host name for the LDAP service.

This host name might have to be resolved in

/etc/hosts

or by DNS.

This example adds a host name to the LDAP service:

syscon-1-active(config)# servers server ldap.company.com config 
  address ldap.company.com

Commit the configuration changes.

commit

Add LDAP certificates from the CLI

You can add the LDAP certificates and key from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Add the TLS config key:

system aaa tls config key (<AES-encrypted-string>)

A summary similar to this example displays:

syscon-1-active(config)# system aaa tls config key 
(<AES encrypted string>): 
[Multiline mode, exit with ctrl-D.]
> -----BEGIN PRIVATE KEY-----
> MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDarxbhnYlm8DoQ
> W23fxEm6qZF5+DEBinym3IAZe7V3eV/v1UmuqSMKmz3pLX5oYTZ0Fqj+mW4XdMxK
> kW93w91xYLZoOOn/P9ELt4Cu9YIoDTy3OU68EETjQarw9wd+0/JqKTRPWa+VAWGn
> hMg6N2OCY7hNc8FWFU2YD2x6MryacVCgCi20uhzde2G89pJlqGrm9KpbCN1ZV4Hc
> 4OWEnMAO/yyb8FceKQNgJ0pk9+kBosKfyYypZ8SjP9Bg4E76of5xMHBtbXNu/f3Y
> hJk/0gmMyuoTKl5d9AAUhU+gOZP6z2GTc2UfWnG0dfG6SWUGVmBtZ8u8y3nPi7Y9
> G1K5R3TzAgMBAAECggEAVamQhQB4+mHP3OhzudviJcSWv/iA+eGNwq9NXq4e/5YE
> Bqa+HjUTDOyS6+xuP+UUt5TIzjK79WRDQlKGH5wR+n+v9FOXFe2hrb1MIzz4p0fI
> KN3CAdk9oufuVkXuIbhUlVFetFalePD5l+1joapgyIrXfz+A1H+zzYT9MUD+sGBJ
> bYkTqxFgAwsJoMaPruemfzFLHeWRDh/o0fG7aA6v4AA+urIaK13bEs+U/38A6D4X
> j+Mzr2RP4bQJHBKE5vYJ0bwqfO3we21CPYpkla4APJUNGOLuZwfGhH1QREQy31rA
> sIru7KRBcxYikvfKI4oL8aUfPurcZbnaCD1bdUhlQQKBgQD3lQ4Qp53c3QGww/bQ
> s0tvJD6T86t5ve47j0V6hKHbp8Kq/zm+3jkRVNjH8nipyleQ44YJuSqPfo4EVKLC
> OYPDEEQP+2fAWmt1LUugoB/ilQHOHMJVuPUj9Hyt7wetp1EeFZqNqpgohdP9eM5/
> R8jSIuNhqIjPKTliqwOn4hLnvwKBgQDiHoE/O87/GadvmS/G6ExWFAE2j7l16y1f
> pz/cqY/p674TF/VUYsyKaLKM08iOhT6XeDACto+z7TYd5YNYAgawuxcDvDWXOZxe
> mWLpdzlQGzumeTz2Rsx3U3NnXETlGBWEjj6kAUq4oqFrRSBNGbHb4D7XVNuQPPSX
> rZ8CfNxfzQKBgG/rZ7JLs2c2WR9JVve9NWqGnetQCcI9A8bU23mpH2omii+2tKn9
> 1xpomp64k6ddmvwafmtC02SOtzBp+jGGwnOZlMsMwTgJJ+6OjVONTxykc25zPb52
> oAqi6QHPvk7YBiltZrKH3cTjypMY23BaSQQFVXi+MSpE3nYmDL8FyboNAoGAVIDp
> 9GO5nAROWpp5DHDL9m9LdMSJntPhBRpP93s22UjMo/4UJRE3N5KhB5guH3UUSy8T
> YjAvzCIeU1Xum/lF3s5Mb4zqyjUxhvjzyiRQOuuygyhT7AXRa9a4DiyhYqx5fixa
> pJgHALFmedw/khDEM1O+qGKCG4lsLzMndZqMERECgYEA5LQ128pxYmpp3lyK6a62
> 01W/1/BtuiApuEFdcqwk6MTtateS5Kpb5uA9orWISmtd7mZLcXZGTBuJEoWsHBs4
> BE/B1urijsnmFzGRwmwF9DwhhDuyLW/cAqQSWAb4IBkU0lo0MOwm80EgcLwoy/53
> zicLAzdPQOiNQEyIh5U46xg=
> -----END PRIVATE KEY-----

Add the TLS config certificate:

system aaa tls config certificate (<string>)

A summary similar to this example displays:

syscon-1-active(config)# system aaa tls config certificate 
(<string>): 
[Multiline mode, exit with ctrl-D.]
> -----BEGIN CERTIFICATE-----
> MIIESzCCAzOgAwIBAgIJALgGgs+5qgX1MA0GCSqGSIb3DQEBCwUAMIG7MQswCQYD
> VQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZ
> MBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXph
> dGlvbmFsVW5pdDEeMBwGA1UEAwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJ
> KoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0yMDEwMjMy
> MjMwNTZaFw0yMTEwMjMyMjMwNTZaMIG7MQswCQYDVQQGEwItLTESMBAGA1UECAwJ
> U29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZMBcGA1UECgwQU29tZU9yZ2Fu
> aXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEeMBwGA1UE
> AwwVbG9jYWxob3N0LmxvY2FsZG9tYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxv
> Y2FsaG9zdC5sb2NhbGRvbWFpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
> ggEBANqvFuGdiWbwOhBbbd/ESbqpkXn4MQGKfKbcgBl7tXd5X+/VSa6pIwqbPekt
> fmhhNnQWqP6Zbhd0zEqRb3fD3XFgtmg46f8/0Qu3gK71gigNPLc5TrwQRONBqvD3
> B37T8mopNE9Zr5UBYaeEyDo3Y4JjuE1zwVYVTZgPbHoyvJpxUKAKLbS6HN17Ybz2
> kmWoaub0qlsI3VlXgdzg5YScwA7/LJvwVx4pA2AnSmT36QGiwp/JjKlnxKM/0GDg
> Tvqh/nEwcG1tc279/diEmT/SCYzK6hMqXl30ABSFT6A5k/rPYZNzZR9acbR18bpJ
> ZQZWYG1ny7zLec+Ltj0bUrlHdPMCAwEAAaNQME4wHQYDVR0OBBYEFJ8f90ExRYYD
> 0j2rQSKhMbRaKz0vMB8GA1UdIwQYMBaAFJ8f90ExRYYD0j2rQSKhMbRaKz0vMAwG
> A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACzFSIiJ01qLtl9Nom5rtFRh
> m+iH0RewmO2YV9rQTl53shma1/Wa2D5PXsFt6w0wiXRa6Gab1YVxaHkP9E4RK6us
> B5s5pR+SijP02Ijw5y4RICegkWApx86wlW09NDBgPFQdz+xQnpx8LfAFDzkAEf02
> eI4SI25Vi3fDW6qeOKeQmS5itcRFXBi/E2+FwYu3zvtMEIp7WB90f0mvxiEd1bz8
> UY0pODHlYUzc/4jl9CGWGPl+80KHsjppqwsFzZs3koe2IyKbzMKfpdQ+oIiJP17+
> IVJgNbRCO5TgGXtFW3p3CJ2fHzEPongFdvbPOTr/cE/KkGxKqcoeN7d22g7POas=
> -----END CERTIFICATE-----

Commit the configuration changes.

commit

TACACS+ configuration overview

You can configure the

VELOS

system to use a TACACS+ server for authenticating

VELOS

system user accounts.

Before you begin:

Verify that TACACS+ is set up on a server that is accessible to the

VELOS

system.

Assign users to valid system group IDs on the external TACACS+ server. For more information, see the

Group IDs for system

controller

roles

section.

Configure TACACS+ authentication from the CLI

You can configure VELOS to use TACACS+ authentication from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Set the authentication method to TACACS+.

system aaa authentication config authentication-method TACACS_ALL

Commit the configuration changes.

commit

Add the TACACS+ service details to the authentication server groups.

Create the TACACS+ server group.

system aaa server-groups server-group tacacs-group config name tacacs-group type TACACS

Add the server and IP address for the TACAS+ service.

servers server <ip-address> config address <ip-address>

Customize the TACACS+ configuration details.

tacacs config port <port-number> secret-key secret

Commit the configuration changes.

commit

TACAS+ authentication for users is configured on the system controllers or chassis partition in which you are working.

User management from the webUI

Configure local password policy from the webUI

A password policy enables you to qualify criteria for valid passwords and configure maximum password attempts for Local Authentication (

/etc/passwd

). You can configure local password policy at both the chassis and the chassis partition levels from either the system controller or chassis partition webUI.

On the left, click

USER MANAGEMENT

Authentication Settings

In the

Authentication Methods

section, check either

LDAP

RADIUS

option.

In this case,

Local (Always Enabled)

is grayed out and cannot be changed.

In the

Local Password Policy

area, for

Minimum Length

, type the minimum number of characters required for a password.

The allowed range is 6 to 255.

For

Required Characters

, type the minimum number of

Numeric

Uppercase

Lowercase

, and

Special

characters required in a valid password.

For

New/Old Password Differential

, type the number of character changes in the new password that differentiate it from the old password.

The default value is 8.

For

Disallow Username

, select one of these options:

Option	Description
True	Check whether the name of the user in forward or reversed form is contained in the password.
False	Check for username in password is not required.

When set to

True

, if any variant of the username is found in the password, the new password is rejected.

Set

Apply Password Policy to Root Account

True

to use the same password policy for the root account. The default value is

False

For

Maximum Password Retries

, type the number of times a user can try to create an acceptable password at the prompt.

The default value is 3.

For

Maximum Login Attempts

, type the allowed number of times a user can attempt to log in before the account is temporarily suspended.

The default value is 10 tries. If set to 0, there is no limit to the number of login attempts.

For

Lockout Duration

, type the amount of time in minutes that must lapse before a previously suspended user's account is unlocked.

The default auto value is 1 minute. If the value is set to 0, the administrator will have to manually unlock the user's account.

For

Max Password Age

, type the maximum number of days the password will expire after being changed.

If the last change was today and Maximum Password Age is 90, then the password will expire in 91 days. If set to 0 (the default), the password never expires.

Click

Save

You have configured the local password policy for the chassis or the chassis partition you are working in. On the same screen, you can configure the Authentication settings.

Configure authentication settings from the webUI

You must configure the type of authentication and settings to use at both the chassis level and chassis partition level.

VELOS

systems support Local Authentication, LDAP, RADIUS, Active Directory, and TACACS+ from the webUI.

On the left, click

USER MANAGEMENT

Authentication Settings

If using an external authentication server, in the Authentication Methods area, after

Enable

, select

LDAP

RADIUS

, and/or

TACACS

If specified, the LDAP, RADIUS, or TACACS server must be configured and reachable from the system.

Local authentication is always enabled, by default, so the administrator can always access the system in case of external authentication server failure.

The rest of the settings, those in the Common LDAP Configuration area, are required only if you want to use LDAP and create LDAP server groups with LDAP servers.

In the

Common LDAP Configuration

area, for

Base DN

, type the base distinguished name (name-value pairs) from which to start the search for the LDAP user (for example,

dc=example,dc=org

In the

Bind

setting, specify the information for binding the LDAP server administrative user.

For

, type the distinguished name with which to bind to the LDAP directory server for lookups (for example:

cn=admin,dc=example,dc=org

For

Password

, type the admin password for the LDAP server.

F5 recommends that the domain administrator password is set to never expire. Otherwise, if it expires, LDAP authentication will not be possible and might result in users getting locked out of the system.

For

Confirm

, retype the password.

For

Connect Timeout (seconds)

, specify the maximum amount of time, in seconds, that the system controller or the chassis partition waits before timing out when trying to reach the LDAP server.

For

Read Timeout (seconds)

, specify the maximum amount of time, in seconds, that the system controller or the chassis partition waits to receive an LDAP response before aborting the read attempt.

For

Idle Timeout (seconds)

, specify the maximum amount of time, in seconds, that an LDAP connection can be inactive before the connection is closed.

For

LDAP Version

, select the version of the LDAP protocol to use, or use the default of

If the LDAP server has Transport Layer Security (TLS) support, from the

TLS

list, select whether to use TLS to encrypt the transfer of authentication data between the LDAP server and the system.

Option	Description
On	Use TLS to secure all connections.
Off	Do not use TLS.
StartTLS	Starts a connection in unencrypted mode on a port configured for plain text and negotiates the encryption with the client. If selected, it is used rather than raw LDAP over SSL.

If set to

StartTLS

, additional TLS-related fields are enabled.

For

TLS Certificate Validation

, specify what checks to perform on a server-supplied certificate

Option	Description
Never	TLS certificate is not required.
Allow	Allow the connection. The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it is ignored and the session proceeds normally.
Try	Request the TLS certificate. The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
Demand	Request the certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
Hard	Request the certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.

For

TLS CA Certificate

, click

Show

and paste the contents of the X.509 certificate (self-signed or from a CA) for peer authentication.

For

Cipher String

, type the cipher string to specify the type of encryption to use (for example, ECDHE-RSA-AES256-GCM-SHA384 or ECDHE-RSA-AES128-GCM-SHA256).

The cipher string can take several additional forms. It can consist of a single cipher suite such as RC4-SHA. It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example, SHA1 represents all cipher suites using the digest algorithm SHA1, and SSLv3 represents all SSLv3 algorithms.

You can combine lists of cipher suites into a single cipher string using the + character as a logical AND operation. For example, SHA1+DES represents all cipher suites containing the SHA1 and DES algorithms.

For additional information, see the ciphers man page at www.openssl.org/docs/manpages.html.

In the

TLS Certificate

field, click

Show

and paste the text of the local certificate for client TLS authentication.

In the

TLS Key

field, click

Show

and paste the text of the private key for client TLS authentication.

For

Authenticate with Active Directory

, select

True

if you want LDAP to authenticate against an Active Directory (AD) server.

Click

Save

The authentication settings are configured at the chassis level or the chassis partition in which you are working. When a user logs in, the system attempts to authenticate them against the configured authentication methods. When the account has a match within any of the configured authentication methods, the user is authenticated and given access.

Create server groups from the webUI

You can create server groups at both the chassis level and the chassis partition level. This is because the authentication servers used on the chassis partition might differ from those used on the system controllers at the chassis level. Server groups organize servers using the same type of authentication.

On the left, click

USER MANAGEMENT

Server Groups

Click

Add

For

Name

, type a recognizable name for the server group.

For

Provider Type

, select

LDAP

RADIUS

to qualify the type of servers that will be in the group.

Click

Save & Close

You have created the server group.

Next, you can add servers to the server groups.

Add servers to server groups from the webUI

Before you add server groups, you must have previously created at least one server group.

You can add servers to the LDAP or RADIUS server group you created.

On the left, click

USER MANAGEMENT

Server Groups

Click the server group to which you want to add servers.

The Edit Server Group screen displays.

Click

Add

Add the RADIUS or LDAP server to the group.

For LDAP:

For

Server

, type the IPv4 address, IPv6 address, or Fully Qualified Domain Name (FQDN).

For

Port

, make sure the port number is correct for LDAP traffic.

The default value is

636

From the

Type

list, select

LDAP over TCP

LDAP over SSL

(secured) depending on which is supported.

Click

Save

For RADIUS:

For

Server

, type the IPv4, IPv6 address, or FQDN of the RADIUS server to add.

For

Port

, make sure the port number is correct for RADIUS traffic.

The default value is

1812

For

Secret

, type the shared secret used to access the server.

For

Timeout (seconds)

, type the number of seconds to timeout if unable to access the server.

The default value is

Click

Save

Add as many servers as needed to the RADIUS or LDAP group.

Click

Save & Close

Add users from the webUI

You can add users at both the chassis level and the chassis partition level. Default root and admin accounts are provided on the system. You can change the passwords on those accounts, but they cannot be deleted.

You can create only admin and operator users from the webUI. You can create other roles from the CLI.

On the left, click

USER MANAGEMENT

Users

Click

Add

For

Username

, type a name for the user.

For

Set Password

, type a valid password according to the local password policy defined in the Auth Settings.

For

Confirm Password

, retype the password.

From the

Role

list, select the role to assign appropriate capabilities for the user.

At the chassis level:

Option	Description
Admin	Used for the chassis administrator. Provides access to the chassis CLI or chassis webUI to configure the system at the chassis level (unrestricted read/write access). Can unlock any chassis users. Logs in to the active system controller or floating IP address.
Operator	Used for the chassis operator. Provides read access to chassis level configuration; write access to change password only. Logs in to the active system controller or floating IP address.

At the chassis partition level:

Option	Description
Admin	Used for the chassis partition administrator. Provides access to the chassis partition CLI and webUI to configure the system at the chassis partition level (unrestricted read/write access). Can unlock Operator users. Logs in to the chassis partition management IP address.
Operator	Used for the chassis partition operator. Provides read access to chassis partition configuration using the chassis partition CLI and webUI. Has write access to change password only. Logs in to the chassis partition management IP address.

Click

Save & Close

The user account is created where you are working at either the chassis level or the chassis partition. Create as many users as needed to manage the system at the chassis level and the chassis partition.

User management from the CLI

Add a user from the CLI

You can create additional users on your system from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Add a user.

system aaa authentication users user <user-name> config username <user-name> role <role> expiry-date <mm-dd-yyyy>

Where expiry-date is the date <mm-dd-yyyy> you want the account to expire. Other values for expiry-date are -1 for no expiration date (the default value), and 1 for expired.

This example creates an admin user named testuser with an account expiration date of November 20, 2025:

syscon-1-active(config)# system aaa authentication users user testuser 
  config username test role admin expiry-date 12-20-2025

These are the roles that are available:

Role	Description
admin	Has full read/write access and can make configuration changes at the level in which they are working (chassis or chassis partition).
operator	Have read-only access to every screen and every configuration object at the level in which they are working (chassis or chassis partition).
partition_`n`	Has admin access to a specific chassis partition. The chassis administrator can create one terminal server role per chassis partition, where `n` refers to the chassis partition ID. When a user with the chassis partition_`n` role logs in to a specific blade port, they are presented with the blade console through the terminal server. This is for troubleshooting and debugging the system.
ts_admin	Has admin access to the terminal server (TS). A user with this role has terminal server access to all consoles on the system regardless of chassis partition restrictions.
user	Is unprivileged and cannot do anything on system. One or more supported roles need to be assigned to make this user account useful.

Commit the configuration changes.

commit

The system creates the account with the specified role.

Disable a user from the CLI

You can disable user accounts on your VELOS system from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Disable a user.

An expiry-date of 1 disables the account immediately.

system aaa authentication users user <user-name> config expiry-date 1

This example disables a user named testuser:

syscon-1-active(config)# system aaa authentication users user testuser 
  config expiry-date 1

Commit the configuration changes.

commit

Delete a user from the CLI

You can delete a specified user from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Delete a user.

no system aaa authentication users user <user-name>

This example deletes a user named testuser:

syscon-1-active(config)# no system aaa authentication users user testuser

Commit the configuration changes.

commit

Set an admin password from the CLI

You can set an admin user's password from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Set a password for an admin user.

system aaa authentication users user <user-name> config set-password

This example sets the password for an admin user named testadmin:

syscon-1-active(config)# system aaa authentication users user testadmin 
  config set-password

The system prompts you to set a new password for the specified admin user.

Commit the configuration changes.

commit

Set maximum password age

You can globally set the maximum password age for all users from either the system controller or chassis partition CLI. To do this, you specify the number of days after which the password will expire since it was last changed. For example, if the last change was today and the maximum age is 1, the password will expire tomorrow.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Specify the number of days after which a password will expire since it was last changed.

system aaa password-policy config max-age <number-of-days>

Set the expiry-date to a future date in mm-dd-yyyy format or set the expiry-date to -1 to indicate that the account never expires.

system aaa authentication users user <user-name> config expiry-date [ -1 | <mm-dd-yyyy> ]

This example indicates that passwords expire on 12-12-2021:

syscon-1-active(config)# system aaa password-policy config max-age 12-12-2021

Commit the configuration changes.

commit

When you log in to the CLI, you receive a message that the password will expire in the specified number of days.

Change a password from the CLI

You can change the password for a specified user from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Change a specified user's password.

system aaa authentication users user <user-name> config change-password

This example changes the password for a user named testuser:

syscon-1-active(config)# system aaa authentication users user testuser 
  config change-password

The system prompts you to confirm the old password, set a new password, and confirm the new password for the specified user.

Commit the configuration changes.

commit

Modify user options from the CLI

You can modify or set options for a specified user from either the system controller or chassis partition CLI.

Log in to the command line interface (CLI) of the system controller or chassis partition using an account with admin access.

When you log in to the system, you are in user (operational) mode.

Change to config mode.

config

The CLI prompt changes to include

(config)

Change user options for a user.

system aaa authentication users user <user-name> config last-change <time> expiry-date <mm-dd-yyyy>

This example sets a last change date of zero (0) and an expiration date of January 1, 2030 for an admin user named testuser:

syscon-1-active(config)#  system aaa authentication users user testuser 
  config last-change 0 expiry-date 01-01-2030

Commit the configuration changes.

commit

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

F5OS-C

User Management

User management overview

User roles overview

System controller-level user roles

Chassis partition-level user roles

Group IDs and system authentication roles

Group IDs for system controller roles

Group IDs for chassis partition roles

Group ID configuration examples

RADIUS server

TACACS+ server

Display user roles for system controllers from the CLI

Display user roles for chassis partitions from the CLI

RADIUS configuration overview

RADIUS dictionary

Configure RADIUS authentication from the CLI

Create a RADIUS server group from the CLI

LDAP/AD configuration overview

Configure LDAP/Active Directory authentication from the CLI

Create an LDAP server group from the CLI

Add LDAP certificates from the CLI

TACACS+ configuration overview

Configure TACACS+ authentication from the CLI

User management from the webUI

Configure local password policy from the webUI

Configure authentication settings from the webUI

Create server groups from the webUI

Add servers to server groups from the webUI

Add users from the webUI

User management from the CLI

Add a user from the CLI

Disable a user from the CLI

Delete a user from the CLI

Set an admin password from the CLI

Set maximum password age

Change a password from the CLI

Modify user options from the CLI

Have a Question?

Follow Us

About F5

Education

F5 Sites

Support Tasks