Manual Chapter : BIG-IP Reference Guide version 4.2: Additional Setup Options

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.2 PTF-10, 4.2 PTF-09, 4.2 PTF-08, 4.2 PTF-07, 4.2 PTF-06, 4.2 PTF-05, 4.2 PTF-04, 4.2 PTF-03, 4.2 PTF-02, 4.2 PTF-01, 4.2.0
Chapter 12: Additional Setup Options



Overview of additional setup options

This chapter contains details about additional setup options you may want to configure for the BIG-IP. The options described in this chapter include:

  • Defining additional host names
  • Preparing workstations for command line access
  • Addressing general networking issues
  • Using a serial terminal with the BIG-IP
  • Configuring RADIUS and LDAP authentication

Defining additional host names

Once you complete the Setup utility, you may want to insert additional host names and IP addresses for network devices into the /etc/hosts file to allow for more user-friendly system administration. In particular, you may want to create host names for the IP addresses that you will assign to virtual servers. You may also want to define host names for standard devices such as your routers, network interface cards, and the servers or other equipment that you are load balancing.

The /etc/hosts file, as created by the Setup utility, is similar to the example shown in Figure 12.1.

Figure 12.1 The /etc/hosts file created by the Setup utility

# BIG-IP(R) Hosts Table
# Generated by Setup utility on Thu May 16 11:03:03 PDT 2002

# localhost entry
127.1 localhost

# default gateway entry
11.11.11.10 router


# Local name
11.11.11.2 bigip1.mynet.net

# Peer name (state mirror)
11.12.11.1 peer

#
# vlans
#
11.11.11.2 external
11.12.11.2 internal

#
# VIPS and NODES ( add below - do not delete this line )
#

This sample hosts file lists the IP addresses for the default router, the internal VLAN, and the external VLAN, and it contains placeholders for both the virtual servers and the content servers that the BIG-IP will manage.

Warning: If you have modified the /etc/hosts file with something other than the Setup utility, such as vi or pico, be aware that your changes may be lost when you run the Setup utility (config). The Setup utility overwrites the /etc/hosts file and openssl.conf, but it does not warn you before doing so.

Using the MindTerm SSH Console

With the MindTerm SSH Console, you can open an SSH session for the BIG-IP from the Configuration utility. Use the MindTerm SSH client to enable secure command line administration. You can perform any of the command line tasks in a popup console screen.

Warning: The MindTerm SSH client requires a Java virtual machine to operate. If you are unable to run the MindTerm SSH client, make sure that you have a Java virtual machine installed and that your browser has Java enabled in the Preferences, or Options, section. For more information on Java virtual machines and download options, visit your web browser manufacturer's web site.

To open the MindTerm SSH Console using the Configuration utility

  1. In the navigation pane, click MindTerm SSH Console.
    A popup console opens.
  2. When you see the command prompt, press Enter.
  3. Log in to the BIG-IP as you normally would.

Note: When you use the MindTerm SSH Console, you can only administer the local BIG-IP. If you wish to administer remote systems, you do so using an SSH or Telnet session from the command line. For information about installing an SSH client on the administrative workstation, see the following section.

Downloading the SSH client to your administrative workstation

From BIG-IP units that support encrypted communications, you can download the SSH client to your administrative workstation in preparation for remote command line access. In addition to running BIG-IP command line utilities, you can also use the SSH suite for file transfer to and from the BIG-IP, as well as for remote backups.

The SSH client is available for both Windows and UNIX platforms, and you can download your preferred client either from the web server or using an FTP connection. You can find detailed information about the SSH client in the documentation provided on the web server or on the Documentation and Software CD-ROM.

Note: If your BIG-IP does not support encrypted connections, you can use a Telnet shell for remote command line access.

Downloading the SSH client from the web server

Connect to the BIG-IP using https:// rather than http:// in the URL. In the Additional Software Downloads section, click the SSH Clients link. From the SSH Clients page, you can choose the SSH Client appropriate to your operating system.

Setting up the SSH client on a Windows 95 or Windows NT workstation

The SSH client installation file for Windows platforms is compressed in ZIP format. You can use standard ZIP tools, such as PKZip or WinZip to extract the file.

To unzip and install the SSH client

  1. Log on to the Windows workstation.
  2. Navigate to the directory to which you transferred the installation file. Run PKZip or WinZip to extract the files.
  3. The set of files extracted includes a Setup program. Run the Setup program to install the client.
  4. Start the SSH client.
  5. In the SSH Client window, from the Edit menu choose Properties.
    The Properties dialog box opens.
  6. In the Connection tab, in the Remote Host section, type the following items:

    • In the Host Name box, type the BIG-IP IP address or host name.
    • In the User Name box, type the root user name.
  7. In the Options section, check Compression and set the Cipher option to Blowfish.
  8. Click the OK button.

Setting up the SSH client on a UNIX workstation

The installation file for UNIX platforms is compressed in tar/gzip format.

To untar and install the SSH client

  1. Log on to the workstation and navigate to the directory into which you transferred the SSH client tar file.
  2. Untar the file and follow the instructions in the install file to build the SSH client for your workstation.
  3. Start the SSH client.
  4. Open a connection to the BIG-IP:

    ssh -l root [BIG-IP IP address]

  5. Type the root password and press the Enter key.

Addressing general networking issues

You must address several network issues when you place a BIG-IP in your network. These networking issues include routing, DNS configuration, and special e-mail considerations. You need to address these issues based on the type of hardware and software in your network. This section describes the following networking issues:

  • Addressing routing issues
    There are a variety of routing configuration issues that you need to address. If you did not create a default route with the Setup utility, you must now configure a default route for the BIG-IP. You also must set up routes for the nodes that the BIG-IP manages. You may also want to configure GateD, which allows dynamic routing information to automatically be updated on the BIG-IP.
  • Configuring DNS on the BIG-IP
    You may need to configure the BIG-IP for DNS resolution or for DNS proxy, and you may even need to convert from rotary or round robin DNS.
  • Configuring email on the BIG-IP
    There are some special requirements that you need to take into account when configuring email on the BIG-IP.

Addressing routing issues

The BIG-IP must communicate properly with network routers, as well as with the servers, firewalls, and other routers that it manages. Because there is a variety of router configurations, and varying levels of direct control an administrator has over each router, you need to carefully review the router configurations in your own network. You may need to change some routing configurations before you put the BIG-IP into production.

The BIG-IP supports static route configurations, dynamic routing (by way of BGP4, RIP1, RIP2, and OSPF), and subnetting. However, the BIG-IP is also designed to eliminate the need for you to modify routing tables on a router that routes to a BIG-IP. Instead, the BIG-IP uses Address Resolution Protocol (ARP) to notify routers of the IP addresses that it uses on each interface, as well as on its virtual servers.

The following sections address these common routing issues:

  • Routing from a BIG-IP to a gateway to the external network
  • Routing from content servers to the BIG-IP
  • Routing between a BIG-IP and content servers that are on different logical networks
  • Setting up dynamic routing with GateD
  • Configuring static routes in /config/routes

Routing from a BIG-IP to a gateway to the external network

The BIG-IP needs a route to the external network. For most configurations, this should be configured as the default gateway pool on the BIG-IP.

During installation, you were prompted to configure a default route for the BIG-IP. If you need to change the default route at this time, you can set a new default route by editing the default gateway pool.

To change the default route from the Setup utility

  1. From the command line, type config.
    The Setup utility menu opens.
  2. Choose the Default Gateway Pool option.
  3. Type the IP address of the gateway you want to add to the default gateway pool.
  4. Save and exit.

To change the default route using the Configuration utility

  1. In the navigation pane, click System.
    The System Properties screen opens.
  2. Click the System tab.
    Look in the Default Gateway Pool list for the name of the default gateway pool. Make sure you have the pool name before proceeding to step 3.
  3. In the navigation pane, click Pools.
    The Pools screen opens.
  4. In the list of pools, click the name of the default gateway pool.
    The pool properties page for that pool opens.
  5. In the Resources section of the screen, add or remove gateway IP addresses.
  6. Click the Apply button.

Routing from content servers to the BIG-IP

The content servers being load balanced by the BIG-IP need to have a default route set to the internal shared floating IP alias of the BIG-IP. For most configurations, this should be configured as the default route on the content server.

For information about setting the default route for your content servers, refer to the product documentation for your server.

Routing between a BIG-IP and content servers on different logical networks

If you need to configure the BIG-IP to use one or more nodes that actually sit on a different logical network from the BIG-IP, you need to assign one or more additional routes to get to those nodes. Set each node's default route so that traffic goes back through the BIG-IP internal interface.

In the following examples, the nodes are on 192.168.6.0/24 and the BIG-IP internal interface is on 192.168.5.0/24. There are two possible situations that you may have to address:

  • 192.168.5.0/24 and 192.168.6.0/24 are on the same LAN (either sharing media or with a switch or hub between them).
  • 192.168.5.0/24 and 192.168.6.0/24 are on two different LANs with a router between them.

Case 1: Same LAN

If the nodes are on the same LAN as the BIG-IP, you simply need to add an interface route for 192.168.6.0/24 to an interface on the internal network. You can add this route to the bottom of the /etc/rc.local file using the following syntax, where <ip addr> is the IP address on the internal interface:

route add -net 192.168.6 -interface <ip addr>

Note: You must have the interface defined correctly in the /etc/hosts file in order to use this syntax.

Case 2: Different LANs

If you have nodes on different LANs from the BIG-IP, you need to add a static gateway route on the BIG-IP itself. If, for example, the router that connects the 192.168.5 network and the 192.168.6 network has IP addresses 192.168.5.254 and 192.168.6.254, then you could use the following command to create the necessary static route on the BIG-IP:

route add -net 192.168.6.0 -gateway 192.168.5.254

You should add this command to the end of the file /etc/netstart so that it runs each time the BIG-IP boots.

You may also need to set the default route on the nodes to point to the router between the LANs. For example:

route add default -gateway 192.168.6.254

Finally, you need to set the default route on the router between the LANs to the shared alias on the BIG-IP. For example, type the command:

route add default -gateway 192.168.5.200

Note: These examples assume you are using a UNIX-based router. The exact syntax for your router may be different.

It is not necessary to set the default route for nodes directly to the BIG-IP, as long as the default path eventually routes through the BIG-IP.

Setting up dynamic routing with GateD

The GateD daemon allows the BIG-IP to exchange dynamic routing updates with your routers. Setting up the GateD daemon is a three-part task:

  • You need to create the GateD configuration file, /config/gated.conf.
  • You need to start the GateD daemon.
  • You need to edit the /etc/netstart file.

Tip: You are not required to configure GateD on the BIG-IP. The BIG-IP can meet most routing requirements without using GateD.

Note: Additional documentation for GateD is available through the web server on the BIG-IP.

To create the GateD configuration file

GateD relies on a configuration file, typically named /config/gated.conf, which can be relatively simple, or can be very complex, depending on the routing needs of your network. The BIG-IP web server includes the GateD online documentation (in the Configuration utility home screen, under the Online Documentation section, click GateD). Note that the GateD configuration guide details the process of creating the GateD configuration file, and also provides samples of common protocol configurations.

To immediately start the GateD daemon on the BIG-IP

Once you create the GateD configuration file, you need to start the GateD daemon on the command line using the following command:

bigip# gated

Configuring static routes in /config/routes

You can create the file /config/routes on the BIG-IP for configuring static route information. The information you add to /config/routes is synchronized between units in a BIG-IP redundant pair. When you upgrade, the route information is saved and reinstalled when the upgrade is complete.

You can add routes to /config/routes using the format in Figure 12.2.

Figure 12.2 Example entries in /config/routes

route add -net 10.1.10.0 -netmask 255.255.255.0 -gateway 10.1.30.254
route add -net 10.1.20.0 -netmask 255.255.255.0 -gateway 10.1.30.254

Configuring DNS on the BIG-IP

If you plan to use DNS in your network, you can configure DNS on the BIG-IP. There are three different DNS issues that you may need to address when setting up the BIG-IP:

  • Configuring DNS resolution on the BIG-IP
  • Configuring DNS proxy
  • Converting from rotary or round robin DNS

Configuring DNS resolution

When entering virtual addresses, node addresses, or any other addresses on the BIG-IP, you can use the address, host name, or fully qualified domain name (FQDN).

The BIG-IP looks up host names and FQDNs in the /etc/hosts file. If it does not find an entry in that file, then it uses DNS to look up the address. In order for this to work, you need to create an /etc/resolv.conf file. The file should have the following format:

nameserver <DNS_SERVER_1>

search <DOMAIN_NAME_1> <DOMAIN_NAME_2>

In place of the <DNS_SERVER_1> parameter, use the IP address of a properly configured name server that has access to the Internet. You can specify additional name servers as backups by inserting an additional nameserver line for each backup name server.

If you configure the BIG-IP itself as a DNS proxy server, then we suggest that you choose its loopback address (127.0.0.1) as the first name server in the /etc/resolv.conf file.

Replace the <DOMAIN_NAME_1> and <DOMAIN_NAME_2> parameters with a list of domain names to use as defaults. The DNS uses this list to resolve hosts when the connection uses only a host name, and not an FQDN. When you enter domain names in this file, separate each domain name with a space, as shown in Figure 12.3.

Figure 12.3 Sample /etc/resolv.conf file

; example /etc/resolv.conf
nameserver 127.0.0.1
nameserver 127.16.112.2 ; ip address of main DNS server
search mysite.com store.mysite.com

You can also configure the order in which name resolution checks are made by configuring the /etc/irs.conf file. You should set this file so that it checks the /etc/hosts file first, and then checks for DNS entries. See Figure 12.4, for an example of how to make the entry in the /etc/irs.conf file.

Figure 12.4 Sample entry for the /etc/irs.conf file

hosts   local   continue
hosts   dns

Configuring DNS proxy

The BIG-IP is automatically configured as a DNS proxy or forwarder. This is useful for providing DNS resolution for servers and other equipment load balanced by the BIG-IP. This can be set in the Setup utility.

To re-configure DNS proxy, you simply edit the /etc/named.boot file that contains these two lines:

forwarders <DNS_SERVERS>

options forward-only

In place of the <DNS_SERVERS> parameter, use the IP addresses of one or more properly configured name servers that have access to the Internet.

You can also configure the BIG-IP to be an authoritative name server for one or more domains. This is useful when DNS is needed in conjunction with internal domain names and network addresses for the servers and other equipment behind the BIG-IP. Refer to the BIND documentation for more details.

Converting from rotary or round robin DNS

If your network is currently configured to use rotary DNS, your node configuration may not need modification. However, you need to modify your DNS zone tables to map to a single IP address instead of to multiple IP addresses.

For example, if you had two Web sites with domain names of www.SiteOne.com and www.SiteTwo.com, and used rotary DNS to cycle between two servers for each Web site, your zone table might look like the one in Figure 12.5.

Figure 12.5 Sample zone table with two Web sites and four servers

www.SiteOne.com    IN A 192.168.1.1
                   IN A 192.168.1.2
www.SiteTwo.com    IN A 192.168.1.3
                   IN A 192.168.1.4

In the BIG-IP configuration, the IP address of each individual node used in the original zone table is hidden from the Internet. We recommend that you use the private address ranges reserved by RFC 1918 for your nodes. In place of multiple addresses, simply use a single virtual server associated with your site's domain name.

Using the above example, the DNS zone table might look like the zone table shown in Figure 12.6.

Figure 12.6 Sample zone table with two Web sites and two virtual servers

www.SiteOne.com    IN A 192.168.100.231
www.SiteTwo.com    IN A 192.168.100.232
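The conversion from Figure 12.5 to Figure 12.6 can be scripted. This Python example is added here and is not part of the guide: it parses a rotary-DNS zone fragment (including BIND's blank-owner continuation lines), reports any node address outside the RFC 1918 ranges the text recommends, and emits one A record per site pointing at its virtual server. The zone text and the site-to-virtual-server mapping are constructed from the two figures.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample input modelled on Figure 12.5: two sites, two content
# servers each. A line that begins with whitespace repeats the previous owner.
ROTARY_ZONE = """\
www.SiteOne.com  IN A 192.168.1.1
                 IN A 192.168.1.2
www.SiteTwo.com  IN A 192.168.1.3
                 IN A 192.168.1.4
"""

# Constructed mapping of site name -> BIG-IP virtual server address
# (the addresses of Figure 12.6); a real deployment supplies its own.
VIRTUAL_SERVERS = {
    "www.SiteOne.com": "192.168.100.231",
    "www.SiteTwo.com": "192.168.100.232",
}

# The three RFC 1918 private ranges the text recommends for node addresses.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_a_records(zone_text):
    """Group A records by owner name, honouring blank-owner continuation lines."""
    records = OrderedDict()
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop BIND-style comments
        if not line.strip():
            continue
        fields = line.split()
        if raw[0].isspace():                      # continuation: reuse owner
            if owner is None:
                raise ValueError("continuation line before any owner: %r" % raw)
        else:
            owner = fields.pop(0)
        if len(fields) != 3 or fields[0] != "IN" or fields[1] != "A":
            raise ValueError("only 'IN A' records are handled: %r" % raw)
        records.setdefault(owner, []).append(ipaddress.ip_address(fields[2]))
    return records


def is_rfc1918(ip):
    """True if the address lies in one of the RFC 1918 private ranges."""
    return any(ip in net for net in RFC1918_NETS)


def non_rfc1918_nodes(records):
    """Return node addresses that are NOT private; these stay reachable from the Internet."""
    return [str(ip) for ips in records.values() for ip in ips if not is_rfc1918(ip)]


def to_virtual_server_zone(records, virtual_servers):
    """Replace each owner's node list with the single virtual server address."""
    lines = []
    for owner in records:
        if owner not in virtual_servers:
            raise KeyError("no virtual server defined for %s" % owner)
        lines.append("%-16s IN A %s" % (owner, virtual_servers[owner]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_a_records(ROTARY_ZONE)
    for ip in non_rfc1918_nodes(recs):
        print("warning: node %s is not in RFC 1918 space" % ip)
    print(to_virtual_server_zone(recs, VIRTUAL_SERVERS), end="")
```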

Configuring email

Another optional feature you can set up when you configure the BIG-IP is email. You can configure the BIG-IP to send email notifications to you, or to other administrators. The BIG-IP uses Sendmail as its mail transfer agent. The BIG-IP includes a sample Sendmail configuration file that you can use to start with, but you will have to customize the Sendmail setup for your network environment before you can use it.

Before you begin setting up Sendmail, you may need to look up the name of the mail exchanger for your domain. If you already know the name of the mail exchanger, continue with the following section, Setting up Sendmail.

Setting up Sendmail

When you set up Sendmail, you need to open and edit a couple of configuration files. Note that the BIG-IP does not accept incoming email messages. You can use the crontab utility to flush unsent messages from the queue, and you can have returned or undelivered messages forwarded to yourself or another administrator.

To set up and start Sendmail

  1. Copy /config/sendmail.cf.off to /config/sendmail.cf.
  2. To set the name of your mail exchange server, open the /config/sendmail.cf and set the DS variable to the name of your mail exchanger. The syntax for this entry is:

    DS<MAILHUB_OR_RELAY>

  3. Save and close the /config/sendmail.cf file.
  4. If you want to allow Sendmail to flush outgoing messages from the queue for mail that cannot be delivered immediately:
  5. Open the /config/crontab file, and change the last line of the file to read:

    0,15,30,45 * * * * root /usr/sbin/sendmail -q > /dev/null 2>&1

  6. Save and close the /config/crontab file.
  7. If you want to prevent returned or undelivered email from going unnoticed:
  8. Open the /config/aliases file and create an entry for root to point to you or another administrator at your site:

    root: networkadmin@SiteOne.com

  9. Save and close the /config/aliases file.
  10. Run the newaliases command to generate a new aliases database that incorporates the information you added to the /config/aliases file.
  11. To turn Sendmail on, either reboot the system or type the following command:

    /usr/sbin/sendmail -bd -q30m

Using a serial terminal with the BIG-IP

There are a couple of different ways to add a serial terminal to the BIG-IP. You can add a serial terminal in addition to the console, or you can add a serial terminal as the console. The difference between the two is:

  • A serial terminal configured as a terminal displays a simple login. You can log in and run commands and edit files. In this case, you can use the serial terminal in addition to the keyboard and monitor.
  • A serial terminal configured as the console displays system messages and warnings in addition to providing a login prompt. In this case, the serial terminal replaces the keyboard and monitor.

To connect the serial terminal to the BIG-IP

Connect a serial line cable between the terminal device and the BIG-IP. On the back of the BIG-IP is a male 9-pin RS-232C connector labeled Terminal. (Be sure not to confuse this with the fail-over connection, which is also a male 9-pin connector.)

Warning: Do not use the fail-over cable to connect the serial terminal to the BIG-IP. A null modem cable is required.

The connector is wired as a DTE device, and uses the signals described in Table 12.1.

Table 12.1 Serial line cable signals

Pin  Source    Usage
1    External  Carrier detect
2    External  Received data
3    Internal  Transmitted data
4    Internal  Data terminal ready
5    Both      Signal ground
7    Internal  Request to send
8    External  Clear to send

The connector is wired for direct connection to a modem: receipt of a Carrier Detect signal causes the BIG-IP to transmit a login prompt. If you are planning to connect a terminal, or to connect a PC running a terminal emulation program such as HyperTerminal, you need a null modem cable wired to generate the signals shown in Table 12.1.

Note: You can achieve acceptable operation by wiring pin 7 to pin 8 and pin 1 to pin 4 at the back of the BIG-IP (and turning hardware flow control off in your terminal or terminal emulator).

Configuring a serial terminal in addition to the console

You can configure a serial terminal for the BIG-IP in addition to the standard console.

To configure the serial terminal in addition to the console

  1. Connect the serial terminal to the BIG-IP.
  2. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:

    • 9600 baud
    • 8 bits
    • 1 stop bit
    • No parity
  3. Open the /etc/ttys file and find the line that reads tty00 off. Modify it as shown here:

    # PC COM ports (tty00 is DOS COM1)

    tty00 "/usr/libexec/getty default" vt100 in secure

  4. Save the /etc/ttys file and close it.
  5. Reboot the BIG-IP.

Configuring a serial terminal as the console

You can configure the serial terminal as the console.

To configure the serial terminal as the console

  1. Disconnect the keyboard from the BIG-IP.
  2. Connect the serial terminal to the BIG-IP. When there is no keyboard connected to the BIG-IP, the BIG-IP defaults to using the serial port for the console.
  3. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:

    • 9600 baud
    • 8 bits
    • 1 stop bit
    • No parity
  4. Reboot the BIG-IP.

Forcing a serial terminal to be the console

In the case where you have not yet connected the serial terminal or it is not active when the BIG-IP is booted, as it might be if you are using a terminal server or dial-up modem, you can force the controller to use the serial terminal as a console. Note that you do not need to disconnect the keyboard if you use this procedure to force the serial line to be the console.

To force a serial terminal to be the console

  1. Edit the /etc/boot.default file.
    Find the entry -console auto. Change this entry to -console com.
  2. Save the /etc/boot.default file and exit the editor.
  3. Plug the serial terminal into the serial port on the BIG-IP.
  4. Turn on the serial terminal.
  5. Reboot the BIG-IP.

Warning: Once you configure a serial terminal as the console for the BIG-IP, the following conditions apply:

  • Keyboard/monitor access is disabled, and logging in is only possible via Secure Telnet (SSH), if configured, or the serial line.
  • If the boot.default file is corrupted, the system does not boot at all. Save a backup copy of the original file and keep a bootable CD-ROM on hand.
  • The boot.default file must contain either the line -console com or the line -console auto. Do not configure both settings, because doing so can cause problems when you attempt to boot the system.
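Because a malformed boot.default leaves the system unbootable, the rule above (exactly one -console line, set to auto or com) is worth checking before you reboot. The following Python helper is an added example, not part of the guide or the product: it validates the directive and rewrites the text so exactly one mode is set, after saving a backup as the warning recommends. The sample file contents are constructed; the guide only quotes the -console line itself.

```python
import re
import shutil
import os

# Constructed sample of /etc/boot.default; the comment line is a placeholder,
# only the -console directive is documented by the guide.
BOOT_DEFAULT_AUTO = """\
# BIG-IP boot defaults (constructed example)
-console auto
"""

CONSOLE_RE = re.compile(r"^\s*-console\s+(\S+)\s*$")
VALID_MODES = ("auto", "com")


def console_directives(text):
    """Return the mode of every -console line, in file order."""
    return [m.group(1) for m in map(CONSOLE_RE.match, text.splitlines()) if m]


def validate_boot_default(text):
    """Apply the guide's rule: exactly one -console line, set to auto or com."""
    modes = console_directives(text)
    if not modes:
        return "missing -console line"
    if len(modes) > 1:
        return "multiple -console lines (%s); keep only one" % ", ".join(modes)
    if modes[0] not in VALID_MODES:
        return "unknown console mode %r" % modes[0]
    return "ok"


def set_console_mode(text, mode):
    """Rewrite text so that exactly one -console line remains and selects mode.

    The first existing -console line is replaced in place, any further ones are
    dropped, and a line is appended only if the file had none.
    """
    if mode not in VALID_MODES:
        raise ValueError("mode must be one of %s" % (VALID_MODES,))
    out, replaced = [], False
    for line in text.splitlines():
        if CONSOLE_RE.match(line):
            if not replaced:
                out.append("-console %s" % mode)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append("-console %s" % mode)
    return "\n".join(out) + "\n"


def rewrite_with_backup(path, mode, backup_suffix=".orig"):
    """Back up path once, then write it with exactly one -console <mode> line."""
    backup = path + backup_suffix
    if not os.path.exists(backup):
        shutil.copy2(path, backup)           # keep the pristine original
    with open(path) as fh:
        new_text = set_console_mode(fh.read(), mode)
    with open(path, "w") as fh:
        fh.write(new_text)
    return validate_boot_default(new_text)
```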

Configuring RADIUS or LDAP authentication

You can configure the BIG-IP to use a RADIUS or LDAP server on your network to authenticate users attempting to access the controller with SSH. In this configuration, the RADIUS or LDAP server can function as a central repository of users that are allowed access to the BIG-IP for administrative purposes.

To configure RADIUS login support

Follow these steps to enable RADIUS authentication on BIG-IP.

  1. Create the directory /etc/raddb.
  2. Create the file /etc/raddb/servers. Each line should contain the host name of the RADIUS server to connect to, and the secret used by that server (see Figure 12.7). For security reasons, we recommend that you use IP addresses instead of host names for the entries in this file. If you specify a host name for an entry, we recommend that you add the host name to the /etc/hosts file.

    Figure 12.7 The location of the secret in /etc/raddb/servers

    # this is the /etc/raddb/servers file
    # format is <radius server> <secret>
    radius.test.net testing123
  3. Edit the /etc/login.conf file. Locate these lines at the top of the file. Replace my_radius_server with the hostname of your RADIUS server. The hostname you specify must also exist in the /etc/raddb/servers file you created in step 2 (see Figure 12.8).

    Figure 12.8 The radius-defaults settings for RADIUS authentication

    radius-defaults:auth=passwd:\
    :auth-ssh=radius,passwd:\
    :radius-server=my_radius_server:
  4. Change the default configuration to include the radius-default section like this (see Figure 12.9):

    Figure 12.9 Example default settings for RADIUS login support

    default:\
    :path=/bin /usr/bin /usr/contrib/bin:\
    :datasize-cur=16M:\
    :tc=radius-defaults:
  5. Before logging out, test the configuration by using SSH to connect to the BIG-IP. That way you can correct any configuration errors which could prevent you from logging in to the BIG-IP.

Configuring LDAP login support

To configure the BIG-IP for LDAP authentication, you need to modify the /etc/login.conf file. You can configure LDAP authentication on the BIG-IP with LDAP servers that store passwords in encrypted or hashed format, or you can configure the BIG-IP to handle LDAP servers that use plain text passwords.

To configure an LDAP server that stores encrypted passwords

In some LDAP servers, passwords are stored encrypted with DES, or stored as MD5 hashes. On these systems, it is best to bind to the server directly in order to let the LDAP server match the passwords. The login_ldap utility can be configured to bind directly to the server with the following settings in the /etc/login.conf file.

  1. Edit /etc/login.conf. Locate these lines at the top of the file. Replace my_ldap_server with the host name of your LDAP server. Replace the value for ldap-basedn with the appropriate basedn for your LDAP server (see Figure 12.10).

    Figure 12.10 Example ldap-defaults settings for an LDAP server that stores encrypted passwords

    ldap-defaults:auth=passwd:\
    :auth-ssh=ldap,passwd:\
    :ldap-server=my_ldap_server:\
    :ldap-server-user=cn=Manager,dc=test,dc=net:\
    :ldap-basedn=dc=test,dc=net:\
    :ldap-user-bind=yes:
  2. Locate the default authentication type. Change the tc value to point to the new ldap-defaults type (see Figure 12.11).

    Figure 12.11 Example default settings for an LDAP server that stores encrypted passwords

    default:\
    :path=/bin /usr/bin /usr/contrib/bin:\
    :datasize-cur=16M:\
    :tc=ldap-defaults:

To configure an LDAP server that stores plain text passwords

Other LDAP servers store user passwords in plain text. Because of this, these servers require the root LDAP user to log in to see these users. Use these instructions to configure BIG-IP to authenticate to the server with the root user identity before each user authentication.

  1. Edit the /etc/login.conf file. Locate the lines at the top of the file after the auth-bsdi-defaults type. Replace my_ldap_server with the values from your LDAP configuration. Change ldap-user-bind to no. The ldap-server-user entry may not be required by your configuration; if it is not, remove that line (see Figure 12.12).

    Figure 12.12 Example excerpt from the /etc/login.conf for an LDAP server that stores plain text passwords

    ldap-defaults:auth=passwd:\
    :auth-ssh=ldap,passwd:\
    :ldap-server=my_ldap_server:\
    :ldap-server-user=cn=Manager,dc=test,dc=net:\
    :ldap-basedn=dc=test,dc=net:\
    :ldap-user-bind=no:
  2. Locate the default authentication type. Change the tc value to point to the new ldap-defaults type (see Figure 12.13).

    Figure 12.13 Example change to the tc value

    default:\
    :path=/bin /usr/bin /usr/contrib/bin:\
    :datasize-cur=16M:\
    :tc=ldap-defaults:
  3. Create the file /etc/ldapb/servers. Add one line for the host name of the LDAP server to connect to, and the secret used by that server user (see Figure 12.14). For security reasons, we recommend that you use IP addresses instead of host names for the entries in this file. If you specify a host name for an entry, we recommend that you add the host name to the /etc/hosts file.

    Figure 12.14 Where to add the host name of the LDAP server

    # this is the /etc/ldapdb/server file
    # format is <ldap server> <secret>
    ldap.test.net secret
  4. Before logging out, test the configuration by running the login program, either on a virtual console or using Telnet. That way you can correct any configuration errors that might otherwise prevent you from accessing the BIG-IP.

Allowing multiple authentication styles

We recommend that you allow multiple authentication styles. This allows you to log in even if the LDAP or RADIUS server is not working properly. You can specify multiple authentication styles in the auth field such as radius,passwd. With the example radius,passwd, RADIUS is the default authentication style, but you still have the ability to override the style and force a login using the password file by appending :passwd after the login name. This is useful because you need to be able to log in even if the authentication server is down (or if its name gets changed and the /etc/login.conf file needs to be updated).

# login root:passwd

or

# ssh bigip -l "root:passwd"

Only the styles that you specify are accepted. For example, root:ldap would fail, since that style was not specified.

Requiring different authentication styles for different applications

You can configure the BIG-IP authentication system to require different authentication styles for different applications. The following example (see Figure 12.15) would use password authentication by default (at the console), but would require RADIUS for FTP and LDAP for SSH, and would accept RADIUS, LDAP, or network password logins (telnet).

Figure 12.15 Example of password authentication with RADIUS required for other applications

my-defaults:\
:auth-ftp=radius:\
:radius-server=<my_radius_server>:\
:auth-ssh=ldap:\
:ldap-server=<my_ldap_server>:\
:ldap-basedn=ou=People,dc=<f5>,dc=<com>:\
:auth-network=radius,ldap,passwd:\
:auth=passwd:
default:\
:path=/bin /usr/bin /usr/contrib/bin:\
:datasize-cur=16M:\
:tc=my-defaults:

Note: RADIUS authentication through the BIG-IP is based on the username/password only. It does not support challenge-response authentication methods.
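The two recommendations in this section, that every style list keeps a passwd fallback so an authentication server outage cannot lock you out, and that the radius-server name in /etc/login.conf also appears in /etc/raddb/servers (preferably as an IP address), can be audited from the files themselves. The Python script below is an added example, not from the guide or the product: it parses login.conf's termcap-style records, follows tc= includes, and reports the effective auth styles per application. The login.conf excerpt is constructed from Figure 12.15 with radius.test.net and ldap.test.net standing in for the placeholders, and the servers file uses a placeholder secret.

```python
import ipaddress

# Constructed /etc/login.conf excerpt modelled on Figure 12.15: password
# authentication by default, RADIUS for FTP, LDAP for SSH, any of the three
# for network (telnet) logins. Backslashes continue a record onto the next line.
LOGIN_CONF = """\
my-defaults:\\
    :auth-ftp=radius:\\
    :radius-server=radius.test.net:\\
    :auth-ssh=ldap:\\
    :ldap-server=ldap.test.net:\\
    :ldap-basedn=ou=People,dc=test,dc=net:\\
    :auth-network=radius,ldap,passwd:\\
    :auth=passwd:
default:\\
    :path=/bin /usr/bin /usr/contrib/bin:\\
    :datasize-cur=16M:\\
    :tc=my-defaults:
"""

# Constructed /etc/raddb/servers in the Figure 12.7 format (placeholder secret).
RADDB_SERVERS = """\
# format is <radius server> <secret>
radius.test.net PLACEHOLDER_SECRET
"""


def parse_login_conf(text):
    """Parse records into {name: {capability: value}}; flag capabilities map to True."""
    records, pending = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        pending.append(raw.strip())
        if raw.rstrip().endswith("\\"):          # record continues on next line
            continue
        entry = "".join(part.rstrip("\\") for part in pending)
        pending = []
        fields = [f for f in entry.split(":") if f]   # '::' yields empty fields
        caps = {}
        for field in fields[1:]:
            key, sep, value = field.partition("=")
            caps[key] = value if sep else True
        for name in fields[0].split("|"):        # a record may carry aliases
            records[name] = caps
    return records


def resolve(records, name, seen=None):
    """Flatten a record by following tc= includes; the including record wins."""
    seen = seen or set()
    if name in seen:
        raise ValueError("tc= loop at %s" % name)
    seen.add(name)
    caps = dict(records[name])
    parent = caps.pop("tc", None)
    if parent:
        merged = resolve(records, parent, seen)
        merged.update(caps)
        return merged
    return caps


def auth_styles(caps):
    """Map each application to its style list; '(default)' is the plain auth field."""
    styles = {"(default)": caps["auth"].split(",") if caps.get("auth") else []}
    for key, value in caps.items():
        if key.startswith("auth-"):
            styles[key[len("auth-"):]] = value.split(",")
    return styles


def parse_servers_file(text):
    """Return the server column of a raddb/servers-style file, comments dropped."""
    return [ln.split("#", 1)[0].split()[0]
            for ln in text.splitlines() if ln.split("#", 1)[0].strip()]


def audit(login_conf, raddb_servers, record="default"):
    """Return human-readable findings for the resolved login class `record`."""
    caps = resolve(parse_login_conf(login_conf), record)
    findings = []
    for app, styles in auth_styles(caps).items():
        if "passwd" not in styles:
            findings.append("%s: styles '%s' have no passwd fallback" % (app, ",".join(styles)))
    known = parse_servers_file(raddb_servers)
    server = caps.get("radius-server")
    if server and server not in known:
        findings.append("radius-server %s is not listed in /etc/raddb/servers" % server)
    for host in known:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append("servers entry %s is a host name; an IP address is recommended" % host)
    return findings


if __name__ == "__main__":
    for finding in audit(LOGIN_CONF, RADDB_SERVERS):
        print(finding)
```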