Applies To:
BIG-IP AAM
- 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP APM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP Analytics
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP Link Controller
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP LTM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP AFM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP PEM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP DNS
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP ASM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Remote User Account Management
About remote user accounts
Each BIG-IP® system requires one or more administrative user accounts. Rather than store these BIG-IP user accounts locally on the BIG-IP system, you can store BIG-IP user accounts on a remote authentication server: LDAP, Active Directory, RADIUS, or TACACS+. In this case, you create all of your standard BIG-IP user accounts (including user names and passwords) on the remote server, using the mechanism supplied by that server's vendor. The remote server then performs all authentication of those user accounts. Authorization stays on the BIG-IP system: the user role, partition access, and terminal access that a remotely-authenticated user receives are defined on the BIG-IP system, not on the remote server.
To implement access control for remotely-stored BIG-IP user accounts, you can use the BIG-IP Configuration utility or tmsh. You first specify information for the type of remote authentication server, and then you configure these access control properties:
- User role
- Partition access
- Terminal access
To ensure easy management of access control for remote accounts, the BIG-IP system automatically creates a single user account named Other External Users. This user account represents all of the remotely-stored BIG-IP user accounts that conform to the access-control properties defined on the BIG-IP system.
Specifying LDAP or Active Directory server information
- Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
- If you want the BIG-IP system to verify the certificate of the authentication server, import one or more SSL certificates (the CA certificate chain that issued the server's certificate) before you configure the server. Without certificate verification, the BIG-IP system cannot tell a genuine authentication server from a host impersonating it, and it will send administrator credentials to whatever host answers at the configured address.
Specifying client certificate LDAP server information
Verify that the required user accounts for the BIG-IP® system exist on the remote authentication server.
Specifying RADIUS server information
- Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
- On the Main tab, click .
- On the menu bar, click Authentication.
- Click Change.
- From the User Directory list, select Remote - RADIUS.
- For the Primary setting:
- If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting:
- From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
- From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
- From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
Option | Description
---|---
Disabled | Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
tmsh | Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
- Click Finished.
Specifying TACACS+ server information
- Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
Changing the default access control for remote accounts
You perform this task to change the user role, partition access, and terminal access that you want the BIG-IP system to assign by default to all remote users that are members of the user account Other External Users.
About remote user groups
On the BIG-IP® system, you can assign access control properties (user role, partition, and terminal access) to any group of BIG-IP user accounts defined on a remote authentication server. You can assign these properties by using either the BIG-IP configuration utility or the Traffic Management Shell (tmsh) to specify the appropriate remote attribute string and line-order for each group of BIG-IP users, along with the access control values you want to assign to the group.
You can configure access control for remote groups of BIG-IP user accounts in these ways:
- By specifying on the BIG-IP system the relevant attribute string and the role, partition access, and terminal access that you want to assign to the group.
- By specifying on the BIG-IP system the relevant attribute string and then using variable substitution (tmsh only).
Configuration examples
Because some types of remote servers allow a user to be a member of multiple user groups, configuration of user roles and partitions for BIG-IP® user groups on those servers can result in conflicts. For example, two separate remote user groups might specify different roles on the same administrative partition. For a user who is a member of both groups, this configuration breaks the BIG-IP rule that a user cannot have two roles for any one partition.
In the case of such conflicts, the BIG-IP system must choose one of the conflicting roles for the user at login time. The BIG-IP system makes this choice by line order: the conflicting entry with the lowest line-order number wins. The line order that you specify within each remote role configuration therefore determines how the system resolves any conflicts.
By contrast, within a single remote user group no conflicts can occur, because the BIG-IP system prevents administrators from assigning more than one role to the same partition for the same attribute string.
Example 1: Conflicting role-partition entries within a group
The following example shows two user roles, Guest and Certificate Manager, associated with the same partition, A, for the same remote user group, BigIPAdminGroup.
This configuration is invalid because no one user can have more than one role for a specific partition. If an administrative user attempts to implement this configuration, the BIG-IP system disallows the configuration and displays an error message.
BigIPAdminGroup
    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 30
    role guest
    user-partition A

    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 30
    role manager
    user-partition B

    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 30
    role certificate-manager
    user-partition A
Example 2: Conflicting role-partition entries in multiple groups
In the following example, the remote server contains two BIG-IP® user groups, BigIPNetworkGroup and BigIPAdminGroup, and the BIG-IP system has three partitions, A, B, and C.
Suppose that user jsmith is a member of both groups. The configuration below shows that on login to the BIG-IP system, user jsmith will clearly be assigned the role of Operator for partition B, and Manager for partition C. But for partition A, there is a conflict, because a user can have only one role per partition on the system, and this configuration attempts to assign the roles of both Manager and Guest for that partition.
To resolve the conflict, the BIG-IP system uses line order to determine which of the conflicting roles to assign to jsmith for partition A. In this case, the system will choose Manager, the role with the lowest line-order number (20).
BigIPNetworkGroup
    attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 20
    role manager
    user-partition A

    attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 10
    role operator
    user-partition B

    attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 40
    role manager
    user-partition C
BigIPAdminGroup
    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 30
    role guest
    user-partition A
Example 3: Conflicting role-partition entries due to universal access
In the following example, suppose that user jsmith is a member of three remote user groups, BigIPGuestGroup, BigIPOperatorGroup, and BigIPAdminGroup, and the BIG-IP system has three partitions, A, B, and C.
In this configuration, the role specified for BigIPAdminGroup creates a conflict, because the other entries specify a particular role for each partition, while BigIPAdminGroup specifies a role of Administrator for all three partitions (user-partition All). To resolve the conflict, the BIG-IP system uses the configured line order.
Because the line order for BigIPAdminGroup is 9, and 9 is not the lowest line-order number among the entries that apply to jsmith (the Guest entry for partition A has line order 2), the BIG-IP system ignores the role of Administrator for jsmith, leaving jsmith with a role of Guest on partitions A and C, and Operator on partition B.
BigIPGuestGroup
    attribute memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 2
    role guest
    user-partition A
BigIPOperatorGroup
    attribute memberOF=CN=BigIPOperatorGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 10
    role operator
    user-partition B
BigIPAdminGroup
    attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 9
    role administrator
    user-partition All
BigIPGuestGroup
    attribute memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local
    console tmsh
    line-order 3
    role guest
    user-partition C
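The three examples describe the conflict-resolution procedure only by outcome. The following Python model is an added example, not BIG-IP code and not from F5; it encodes the rules exactly as this page states them: a single attribute string may not assign two roles to one partition (Example 1); across groups, the entry with the lowest line-order number wins a contested partition (Example 2); an entry for partition All takes effect only when it holds the lowest line-order number among the entries that match the user and is otherwise ignored (Example 3); and, following the rule stated under "About terminal access for remote user groups", a user gets tmsh access when any matching entry has console tmsh. The RoleInfo class, the validate and resolve functions, and jsmith's group memberships are constructed for this example; the attribute strings, roles, partitions and line orders are the page's own. How the real system behaves when an All entry ties with a partition-specific entry on line order is not described on the page and is not modelled.

```python
"""Model of the remote-role conflict rules described in Examples 1-3.

Constructed for this page; it is not BIG-IP code. The entries below are
the page's own configurations; jsmith's group memberships are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleInfo:
    """One remote-role role-info entry (one attribute/role/partition line)."""
    attribute: str            # e.g. memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
    role: str
    partition: str            # a partition name, or "All"
    line_order: int
    console: str = "disable"  # "tmsh" or "disable"


def validate(entries):
    """Rule from Example 1: one attribute string may not assign two roles
    to the same partition. Raises ValueError on such a configuration."""
    seen = set()
    for e in entries:
        key = (e.attribute, e.partition)
        if key in seen:
            raise ValueError(
                f"{e.attribute} assigns more than one role to partition {e.partition}")
        seen.add(key)


def resolve(entries, user_attributes):
    """Return ({partition: role}, console) for a user whose remote account
    carries the given attribute strings (the groups the user belongs to)."""
    validate(entries)
    matched = [e for e in entries if e.attribute in user_attributes]
    # Terminal access: tmsh if any matching entry grants it, otherwise disabled.
    console = "tmsh" if any(e.console == "tmsh" for e in matched) else "disable"
    if not matched:
        return {}, console
    lowest = min(e.line_order for e in matched)
    # Example 3: an All entry takes effect only when it has the lowest
    # line-order number of all matching entries.
    for e in matched:
        if e.partition == "All" and e.line_order == lowest:
            return {"All": e.role}, console
    roles = {}
    for e in sorted(matched, key=lambda e: e.line_order):
        if e.partition == "All":
            continue                             # not the lowest: ignored
        roles.setdefault(e.partition, e.role)    # Example 2: lowest line-order wins
    return roles, console


def attr(group):
    """Attribute string in the form the page's examples use (the page's own DN)."""
    return f"memberOF=CN={group},OU=BIP,DC=dean,DC=local"


EXAMPLE_1 = [  # invalid: two roles on partition A for one group
    RoleInfo(attr("BigIPAdminGroup"), "guest", "A", 30, "tmsh"),
    RoleInfo(attr("BigIPAdminGroup"), "manager", "B", 30, "tmsh"),
    RoleInfo(attr("BigIPAdminGroup"), "certificate-manager", "A", 30, "tmsh"),
]
EXAMPLE_2 = [
    RoleInfo(attr("BigIPNetworkGroup"), "manager", "A", 20, "tmsh"),
    RoleInfo(attr("BigIPNetworkGroup"), "operator", "B", 10, "tmsh"),
    RoleInfo(attr("BigIPNetworkGroup"), "manager", "C", 40, "tmsh"),
    RoleInfo(attr("BigIPAdminGroup"), "guest", "A", 30, "tmsh"),
]
EXAMPLE_3 = [
    RoleInfo(attr("BigIPGuestGroup"), "guest", "A", 2, "tmsh"),
    RoleInfo(attr("BigIPOperatorGroup"), "operator", "B", 10, "tmsh"),
    RoleInfo(attr("BigIPAdminGroup"), "administrator", "All", 9, "tmsh"),
    RoleInfo(attr("BigIPGuestGroup"), "guest", "C", 3, "tmsh"),
]

# Constructed memberships for user jsmith in Examples 2 and 3.
JSMITH_EX2 = {attr("BigIPNetworkGroup"), attr("BigIPAdminGroup")}
JSMITH_EX3 = {attr("BigIPGuestGroup"), attr("BigIPOperatorGroup"), attr("BigIPAdminGroup")}


def example_1_is_rejected():
    """True when validate() refuses the Example 1 configuration."""
    try:
        validate(EXAMPLE_1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("Example 1 rejected:", example_1_is_rejected())
    print("Example 2, jsmith:", resolve(EXAMPLE_2, JSMITH_EX2))
    print("Example 3, jsmith:", resolve(EXAMPLE_3, JSMITH_EX3))
```

Because resolve returns the per-partition roles and the console decision, the same function doubles as a pre-deployment check: feed it a planned set of role-info entries and the group memberships of your most privileged and least privileged users, and confirm that nobody ends up with a role they should not have before the configuration reaches the BIG-IP system.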
Configuring access control for remote user groups
You perform this task to assign a user role, a corresponding administrative partition, and a type of terminal access to a remotely-stored group of user accounts. For a given user group, you can assign as many role-partition combinations as you need, as long as each role is associated with a different partition. If the partition you associate with a role is All, that entry takes effect only when it does not conflict with the other role-partition combinations that apply to the user; such conflicts are resolved by the line order in the configuration, as shown in Example 3. To assign multiple role-partition combinations for a user group, you repeat this task for each combination, specifying the same attribute string for each task.
About variable substitution
As an alternative to using the BIG-IP™ Configuration utility to specify explicit values for access control properties for remote user groups, you can configure the remote server to return a vendor-specific attribute with variables for role, partition access, and console access. You can then assign values to those variables (numeric or alphabetic), and you can use the tmsh remoterole command to perform variable substitution for those access control properties.
For example, suppose that you configure a remote RADIUS authentication server to return the vendor-specific attribute F5-LTM-User-Info-1 = DC1, along with three variables and their values:
- F5-LTM-User-Role = 400 (variable)
- F5-LTM-User-Partition = App_C (variable)
- F5-LTM-User-Console = 1 (variable)
The remoterole command can use the attribute F5-LTM-User-Info-1 on which to match. The command can then read the role, user partition, and console values from the three variables, rather than you specifying them explicitly. To do this, you specify each of the three variables on the command line, preceded by the string %, as arguments.
The following shows a sample use of the remoterole command. This sample command matches on the vendor-specific attribute F5-LTM-User-Info-1 and then, using the variables above, assigns a user role of Operator (400), access to partition App_C, and tmsh access (console value 1) to any user accounts that are part of Datacenter 1 (DC1):
tmsh modify auth remote-role role-info add { DC1 { attribute "F5-LTM-User-Info-1=DC1" console "%F5-LTM-User-Console" role "%F5-LTM-User-Role" user-partition "%F5-LTM-User-Partition" line-order 1 } }
Values for remote role variables
This table lists the values of the F5-LTM-User-Role variable that you use to define a role for a remotely-stored user group. For example, a value of 100 for F5-LTM-User-Role indicates the Manager user role.
User Role | Value
---|---
Administrator | 0
Resource-Admin | 20
User-Manager | 40
Auditor | 80
Manager | 100
App-Editor | 300
Operator | 400
Firewall Manager | 450
Fraud Protection Manager | 480
Certificate-Manager | 500
iRule-Manager | 510
Guest | 700
Application-Security-Admin | 800
Application-Security-Editor | 810
Application-Policy-Editor | 850
No-Access | 900
About terminal access for remote user groups
If you use the Traffic Management Shell (tmsh) remoterole command to configure console access for a user account within a remote user group, the BIG-IP™ system behavior differs depending on the value of the console option:
- If an attribute string for a remote user group has one or more role-partition pairs assigned to that attribute, and you set the value of the console option to tmsh, then on successful authentication the BIG-IP system grants all users in that user group tmsh access to the BIG-IP system.
- If you set the value of the console option to disable (or you do not configure the console option) for all role-partition combinations assigned to the same attribute string, then the BIG-IP system denies all users in that user group tmsh access to the BIG-IP system, even on successful authentication. Note that this does not affect user access to the BIG-IP Configuration utility.
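As an added example (not BIG-IP or F5 code), the following Python model shows what the variable substitution described under "About variable substitution" amounts to when an Access-Accept arrives: the entry's attribute must match the corresponding VSA in the reply, each %-prefixed field is filled from the VSA of that name, the numeric role is translated using the F5-LTM-User-Role table above, and the console value is turned into a tmsh or disabled decision. DC1_ENTRY transcribes the page's remoterole command; DC1_REPLY is a constructed stand-in for the parsed VSAs of a RADIUS reply; the apply_entry and substitute functions, and the choice to fail closed on a missing or unknown value, are this example's own. Role names are the page table's entries written in tmsh style.

```python
"""Variable substitution for a remote-role entry driven by RADIUS VSAs.

Constructed for this page; it is not BIG-IP code. DC1_ENTRY transcribes
the page's remoterole command, ROLE_VALUES is the page's F5-LTM-User-Role
table, and DC1_REPLY is a constructed stand-in for the parsed VSAs of an
Access-Accept.
"""

# F5-LTM-User-Role value -> role, spelled in tmsh style (510 is iRule Manager).
ROLE_VALUES = {
    0: "administrator", 20: "resource-admin", 40: "user-manager", 80: "auditor",
    100: "manager", 300: "app-editor", 400: "operator", 450: "firewall-manager",
    480: "fraud-protection-manager", 500: "certificate-manager",
    510: "irule-manager", 700: "guest", 800: "application-security-admin",
    810: "application-security-editor", 850: "application-policy-editor",
    900: "no-access",
}

# The page's entry: a %-prefixed value means "read it from the VSA of that name".
DC1_ENTRY = {
    "attribute": "F5-LTM-User-Info-1=DC1",
    "console": "%F5-LTM-User-Console",
    "role": "%F5-LTM-User-Role",
    "user-partition": "%F5-LTM-User-Partition",
    "line-order": 1,
}


def substitute(value, reply):
    """Fill a '%VSA-name' reference from the reply; literal values pass through.
    A referenced VSA that is absent is an error rather than a default, so a
    misconfigured RADIUS profile cannot silently yield a different role."""
    if isinstance(value, str) and value.startswith("%"):
        name = value[1:]
        if name not in reply:
            raise KeyError(f"reply carries no {name}, needed for {value}")
        return reply[name]
    return value


def apply_entry(entry, reply):
    """Return (role, partition, console) for one reply, or None when the
    entry's attribute does not match and the entry therefore does not apply."""
    attr_name, _, attr_value = entry["attribute"].partition("=")
    if str(reply.get(attr_name)) != attr_value:
        return None
    role_code = int(substitute(entry["role"], reply))
    if role_code not in ROLE_VALUES:
        raise ValueError(f"unknown F5-LTM-User-Role value {role_code}")
    partition = str(substitute(entry["user-partition"], reply))
    # The page's example uses console value 1 for tmsh access; this model
    # treats any other value as disabled (assumption: fail closed).
    console = "tmsh" if str(substitute(entry["console"], reply)) == "1" else "disable"
    return ROLE_VALUES[role_code], partition, console


# Constructed VSAs for a Datacenter 1 user, using the page's example values.
DC1_REPLY = {
    "F5-LTM-User-Info-1": "DC1",
    "F5-LTM-User-Role": 400,
    "F5-LTM-User-Partition": "App_C",
    "F5-LTM-User-Console": 1,
}

if __name__ == "__main__":
    print(apply_entry(DC1_ENTRY, DC1_REPLY))  # ('operator', 'App_C', 'tmsh')
```

The point of the model is the trust boundary it makes visible: with variable substitution, the RADIUS server, not the BIG-IP configuration, decides the role, partition and console access of every user it matches, so whoever can edit the RADIUS profile for a user can hand out role 0 (Administrator). Treat the RADIUS server and its shared secret with the same care as the BIG-IP admin account itself.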
Saving access control settings to a file
Importing BIG-IP configuration data onto other BIG-IP systems
About viewing remote user accounts
Using the BIG-IP Configuration utility, you can display a list of those remote user accounts to which you explicitly assigned a non-default user role. If a remote user account has the default role assigned to it, you cannot see that account in the user account list.
Any users who have access to a partition in which remote accounts reside can view a list of remote user accounts.
Displaying a list of remote user accounts
You perform this task to display a list of remotely-stored user accounts.
- On the Main tab, click .
- On the menu bar, click Authentication.
- Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
- On the menu bar, click User List.
- View the list of user accounts. Remote user accounts that are assigned the default user role appear as Other External Users.
Viewing access control properties
- On the Main tab, click .
- On the menu bar, click Authentication.
- Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
- On the menu bar, click User List.
- View the list of user accounts. Remote user accounts that are assigned the default user role appear as Other External Users.
- In the user account list, find the user account you want to view and click the account name. This displays the properties of that user account.