Manual Chapter : Configuring Remote User Authentication and Authorization

Applies To:


BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Link Controller

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP Analytics

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP PEM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Remote authentication and authorization of BIG-IP user accounts

The BIG-IP® system includes a comprehensive solution for managing BIG-IP administrative accounts on your network. With this solution, you can:

Use a remote server to store BIG-IP system user accounts.
The BIG-IP system includes support for using a remote authentication server to store BIG-IP system user accounts. After creating BIG-IP system accounts on the remote server (using the server vendor's instructions), you can configure the BIG-IP system to use remote user authentication and authorization (access control) for that server type.
Assign group-based access.
The BIG-IP system includes an optional feature known as remote role groups. With the remote role groups feature, you can use existing group definitions on the remote server to define the access control properties for users in a group. This feature not only provides more granularity in assigning user privileges, but also removes any need to duplicate remote user accounts on the BIG-IP system for the purpose of assigning those privileges.
Propagate a set of authorization data to multiple BIG-IP systems.
The BIG-IP system includes a tool for propagating BIG-IP system configuration data to multiple BIG-IP devices on the network. This tool is known as the Single Configuration File (SCF) feature.

Task summary

You can configure the BIG-IP® system to authorize user accounts that are stored on a remote authentication server.

Important: If you configure access control settings for group-based accounts (using the remote role groups feature), the BIG-IP system always applies those settings, rather than the default access control settings, to group-based accounts.

The BIG-IP® system supports several types of authentication servers for storing BIG-IP system administrative user accounts. The actual procedure you use to specify the type of remote server differs, depending on the server type.

Task list

Specifying LDAP or Active Directory server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
  • If you want to verify the certificate of the authentication server, import one or more SSL certificates.
You can configure the BIG-IP system to use an LDAP or Microsoft® Windows® Active Directory® server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remote role group. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - LDAP or Remote - Active Directory.
  5. In the Host field, type the IP address of the remote server.
    The route domain to which this address pertains must be route domain 0.
  6. For the Port setting, retain the default port number (389) or type a new port number.
    This number represents the port number that the BIG-IP system uses to access the remote server.
  7. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server.
    At minimum, you must specify a domain component (that is, dc=[value]).
  8. For the Scope setting, retain the default value (Sub) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  9. For the Bind setting, specify a user ID login for the remote server:
    1. In the DN field, type the distinguished name for the remote user ID.
    2. In the Password field, type the password for the remote user ID.
    3. In the Confirm field, re-type the password that you typed in the Password field.
  10. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
    1. From the SSL CA Certificate list, select the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. From the SSL Client Key list, select the name of the client SSL key.
      Use this setting only when the remote server requires that the client present a certificate.
    3. From the SSL Client Certificate list, select the name of the client SSL certificate.
      Use this setting only if the remote server requires that the client present a certificate.
  11. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  12. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  13. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    • Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    • tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  14. Click Finished.
You can now authenticate administrative traffic for user accounts that are stored on a remote LDAP or Active Directory server. If you have no need to configure group-based user authorization, your configuration tasks are complete.

Specifying client certificate LDAP server information

Verify that the required user accounts for the BIG-IP® system exist on the remote authentication server.

For authenticating BIG-IP system user accounts (that is, traffic that passes through the management interface [MGMT]), you can configure the BIG-IP system to authenticate certificates issued by a certificate authority's Online Certificate Status Protocol (OCSP) responder.
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values are the defaults that the BIG-IP system applies to any user account that is not part of a remote role group; a locally configured user account overrides the default role.
  1. On the Main tab, click System > File Management > Apache Certificate List > Import, browse for the certificate file to import, type a name, and click Import.
    The certificate will be added to the Apache Certificate list.
  2. On the Main tab, click System > Users > Authentication.
  3. On the menu bar, click Authentication.
  4. Click Change.
  5. From the User Directory list, select Remote - ClientCert LDAP.
  6. In the Host field, type the IP address of the remote server.
    The route domain to which this address pertains must be route domain 0.
  7. For the Port setting, retain the default port number (389) or type a new port number.
    This number represents the port number that the BIG-IP system uses to access the remote server.
  8. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the client certificate server.
    At minimum, you must specify a domain component (that is, dc=[value]).
  9. For the Scope setting, retain the default value (Sub) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  10. For the Bind setting, specify a user ID login for the remote server:
    1. In the DN field, type the distinguished name for the remote user ID.
    2. In the Password field, type the password for the remote user ID.
    3. In the Confirm field, re-type the password that you typed in the Password field.
  11. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
    1. From the SSL CA Certificate list, select the name of a chain certificate; that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. From the SSL Client Key list, select the name of the client SSL key.
      Use this setting only when the remote server requires that the client present a certificate.
    3. From the SSL Client Certificate list, select the name of the client SSL certificate.
      Use this setting only if the remote server requires that the client present a certificate.
  12. In the CA Certificate field, type the absolute folder path of the apache-ssl-cert file object for the CA signing authority.
    The absolute folder path is /Common/<folder path>/<certificate name>. To determine the absolute folder path of the apache-ssl-cert file object, click System > File Management > Apache Certificate List and note the target certificate's partition and path.
    Important: Apache certificates can only be stored within /Common.
  13. In the Login Name field, type an LDAP search prefix that will contain the distinguished name (DN) from the user certificate, such as CN.
    This specifies the LDAP attribute to be used as a login name. The default is disabled.
  14. In the Login LDAP Attribute field, type the account name for the LDAP server.
    The value for this option is normally the user ID. However, if the server is a Microsoft® Windows® Active Directory® server, the value must be the account name attribute sAMAccountName (case-sensitive). The default value is none.
  15. In the Login Filter field, type the LDAP attribute that contains the short name of the user.
    This specifies the filter to be applied on the common name (CN) of the client certificate and usually this is the user ID or sAMAccountName. The filter is a regular expression used to extract required information from the CN of the client certificate that is matched against the LDAP search results. The default is disabled.
  16. For the Depth setting, retain the default value (10) or type a new value for verification depth.
  17. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  18. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  19. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    • Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    • tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  20. Click Finished.
You can now authenticate administrative traffic for user accounts that are stored on a remote client certificate server. If you have no need to configure group-based user authorization, your configuration tasks are complete.
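The Login Name, Login LDAP Attribute, and Login Filter settings in steps 13 through 15 work together: an attribute of the certificate subject is selected, a regular expression extracts the account name from it, and that name is looked up in the directory under the configured attribute. The following Python example, added here and not code from F5 or the BIG-IP product, models that pipeline on constructed input. The certificate subject, the directory entries, and the settings values are all assumptions for illustration; the escaping routine follows RFC 4515 so that a subject value can never alter the structure of the LDAP search filter.

```python
import re

# Constructed settings, mirroring the fields in the procedure (assumed values).
LOGIN_NAME_ATTR = "CN"                # Login Name: certificate DN attribute to read
LOGIN_LDAP_ATTR = "sAMAccountName"    # Login LDAP Attribute: directory attribute to match
LOGIN_FILTER = r"^([a-z0-9._-]+)$"    # Login Filter: regex applied to the CN value
REMOTE_DIRECTORY_TREE = "dc=example,dc=net"   # Remote Directory Tree (search base)

# Constructed directory contents: what the search base might return.
DIRECTORY = [
    {"dn": "cn=jdoe,cn=users,dc=example,dc=net", "sAMAccountName": "jdoe"},
    {"dn": "cn=asmith,cn=users,dc=example,dc=net", "sAMAccountName": "asmith"},
]


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def extract_login(subject: dict, login_name_attr: str, login_filter: str):
    """Apply the Login Filter regex to the chosen subject attribute.

    Returns the captured group (or the whole match if the regex has no group),
    or None when the attribute is absent or the value does not match.
    """
    raw = subject.get(login_name_attr)
    if raw is None:
        return None
    m = re.search(login_filter, raw)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


def build_search_filter(login: str, login_ldap_attr: str) -> str:
    """Build the equality filter the directory search would use."""
    return f"({login_ldap_attr}={ldap_filter_escape(login)})"


def search_directory(entries, login_ldap_attr: str, login: str):
    """Simulated equality search: exact match on the configured attribute only."""
    return [e["dn"] for e in entries if e.get(login_ldap_attr) == login]


def resolve_account(subject: dict):
    """Full pipeline: certificate subject -> login -> filter -> matching DN(s)."""
    login = extract_login(subject, LOGIN_NAME_ATTR, LOGIN_FILTER)
    if login is None:
        return None
    return {
        "login": login,
        "filter": build_search_filter(login, LOGIN_LDAP_ATTR),
        "base": REMOTE_DIRECTORY_TREE,
        "matches": search_directory(DIRECTORY, LOGIN_LDAP_ATTR, login),
    }


if __name__ == "__main__":
    # Constructed certificate subjects: one well-formed, one that the filter rejects.
    print(resolve_account({"CN": "jdoe", "OU": "NetOps"}))
    print(resolve_account({"CN": "jdoe)(objectClass=*", "OU": "NetOps"}))
```

A strict Login Filter is the first line of defence: a CN that does not match the pattern yields no login at all, so no search is issued. The escaping matters for the case where the filter is loosened; the example's last call shows that a CN containing filter metacharacters would be turned into a literal value rather than a second filter clause.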

Specifying RADIUS server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a RADIUS server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a role group that is defined on the remote authentication server. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - RADIUS.
  5. For the Primary setting:
    1. In the Host field, type the name of the primary RADIUS server.
      The route domain with which this host is associated must be route domain 0.
    2. In the Secret field, type the password for access to the primary RADIUS server.
    3. In the Confirm field, re-type the RADIUS secret.
  6. If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting:
    1. In the Host field, type the name of the secondary RADIUS server.
      The route domain with which this host is associated must be route domain 0.
    2. In the Secret field, type the password for access to the secondary RADIUS server.
    3. In the Confirm field, re-type the RADIUS secret.
  7. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  8. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  9. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    • Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    • tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  10. Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote RADIUS server. If you have no need to configure group-based user authorization, your configuration tasks are complete.

Specifying TACACS+ server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a TACACS+ server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remote role group. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - TACACS+.
  5. For the Servers setting, type an IP address for the remote TACACS+ server.
    The route domain to which this address pertains must be route domain 0.
  6. Click Add.
    The IP address for the remote TACACS+ server appears in the Servers list.
  7. In the Secret field, type the password for access to the TACACS+ server.
    Warning: Do not include the symbol # in the secret. Doing so causes authentication of local user accounts (such as root and admin) to fail.
  8. In the Confirm Secret field, re-type the TACACS+ secret.
  9. From the Encryption list, select an encryption option:
    • Enabled: Specifies that the system encrypts the TACACS+ packets.
    • Disabled: Specifies that the system sends unencrypted TACACS+ packets.
  10. In the Service Name field, type the name of the service that the user is requesting to be authenticated to use (usually ppp).
    Specifying the service causes the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall.
  11. In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field.
    This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
  12. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  13. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  14. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    • Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    • tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  15. Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote TACACS+ server. If you have no need to configure group-based user authorization, your configuration tasks are complete.

Configuring access control for remote role-based user groups

On the BIG-IP® system, you can configure access control properties (permissions) for existing user groups that are defined on a remote authentication server. For example, if the configuration of a remote LDAP authentication server includes the attribute string memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net, you can assign a specific set of access control properties to all user accounts in the group BigIPOperatorsGroup.

  1. On the Main tab, click System > Users.
  2. On the menu bar, click Remote Role Groups.
  3. Click Create.
  4. In the Group Name field, type the group name that is defined on the remote authentication server.
    An example of a group name is BigIPOperatorsGroup.
  5. In the Line Order field, type a number.
    An example of a line order is 1.
  6. In the Attribute String field, type an attribute.
    An example of an attribute string is memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net.
    The BIG-IP system attempts to match this attribute with an attribute on the remote authentication server. On finding a match, the BIG-IP system applies the access control settings defined here to the users in that group. If a match is not found, the system applies the default access control settings to all remotely-stored user accounts (excluding any user account for which access control settings are individually configured).
  7. From the Remote Access list, select a value:
    • Enabled: Choose this value if you want to enable remote console access for the defined user group.
    • Disabled: Choose this value if you want to disable remote console access for the defined user group.
  8. From the Assigned Role list, select a user role for the remote user group.
  9. From the Partition Access list, select an administrative partition value:
    • All: Choose this value to give users in the defined group access to their authorized objects in all partitions on the BIG-IP system.
    • partition_name: Choose a specific partition name to give users in the defined group access to that partition only.
    • Common: Choose this value to give users in the defined group access to partition Common only.
  10. From the Terminal Access list, select the type of command-line access you want to grant users in the group, if any.
  11. Click Finished.
The user group that you specified now has the assigned role, partition access, and terminal access properties assigned to it.
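The matching rule in step 6 (an attribute string either matches one of the user's attributes, and the group's settings apply, or it does not, and the defaults from the server procedure apply) is easy to get wrong when several remote role groups exist. The Python example below is added here and is not F5 code; it models that resolution over constructed LDAP entries. Two things in it are assumptions rather than statements from the page: that groups are evaluated in ascending Line Order and the first match wins, and that attribute names compare case-insensitively (as LDAP attribute names do). The role names and group definitions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessControl:
    """The three access control properties a user ends up with."""
    role: str
    partition_access: str
    terminal_access: str


@dataclass(frozen=True)
class RemoteRoleGroup:
    """One entry from System > Users > Remote Role Groups (constructed)."""
    group_name: str
    line_order: int
    attribute_string: str
    remote_access: bool
    assigned_role: str
    partition_access: str
    terminal_access: str


# Defaults chosen in the server procedure (Role / Partition Access / Terminal Access),
# assumed here to be the most restrictive combination.
DEFAULT_ACCESS = AccessControl("No Access", "All", "Disabled")

# Constructed remote role groups, using the attribute string form from the page.
ROLE_GROUPS: List[RemoteRoleGroup] = [
    RemoteRoleGroup("BigIPAdminsGroup", 1,
                    "memberOF=cn=BigIPAdminsGroup,cn=users,dc=dev,dc=net",
                    True, "Administrator", "All", "tmsh"),
    RemoteRoleGroup("BigIPOperatorsGroup", 2,
                    "memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net",
                    False, "Operator", "Common", "Disabled"),
]


def attribute_strings(entry: Dict[str, List[str]]) -> set:
    """Flatten an LDAP entry into lower-cased 'name=value' strings for matching."""
    return {f"{name}={value}".lower()
            for name, values in entry.items() for value in values}


def resolve_access(entry: Dict[str, List[str]],
                   groups: List[RemoteRoleGroup],
                   default: AccessControl = DEFAULT_ACCESS
                   ) -> Tuple[AccessControl, Optional[str]]:
    """Return the access control to apply and the name of the matched group.

    Assumption: groups are tried in ascending line order; the first whose
    attribute string equals one of the user's attributes wins. With no match,
    the default settings apply and the group name is None.
    """
    attrs = attribute_strings(entry)
    for group in sorted(groups, key=lambda g: g.line_order):
        if group.attribute_string.lower() in attrs:
            return (AccessControl(group.assigned_role,
                                  group.partition_access,
                                  group.terminal_access),
                    group.group_name)
    return default, None


# Constructed directory entries (memberOf values as an LDAP server would return them).
OPERATOR_ONLY = {"memberOf": ["cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net"]}
ADMIN_AND_OPERATOR = {"memberOf": ["cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net",
                                   "cn=BigIPAdminsGroup,cn=users,dc=dev,dc=net"]}
OTHER_OU = {"memberOf": ["cn=BigIPOperatorsGroup,cn=contractors,dc=dev,dc=net"]}
NO_GROUPS = {"mail": ["someone@dev.net"]}


if __name__ == "__main__":
    for label, entry in [("operator", OPERATOR_ONLY), ("admin+operator", ADMIN_AND_OPERATOR),
                         ("other OU", OTHER_OU), ("no groups", NO_GROUPS)]:
        print(label, resolve_access(entry, ROLE_GROUPS))
```

The OTHER_OU entry is the case worth testing on a real deployment: the attribute string is compared whole, so a group with the same common name under a different container does not match and the user falls back to the defaults. That is why the defaults chosen in the server procedure should be the most restrictive ones you can tolerate.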

Saving access control settings to a file

You can save the running configuration of the system, including all settings for remote user authentication and authorization, in a flat, text file with a specified name and the extension .scf.
  1. On the BIG-IP® system, access a command-line prompt.
  2. At the prompt, open the Traffic Management Shell by typing the command tmsh.
  3. Type sys save filename.
    sys save myConfiguration053107 creates the file myConfiguration053107.scf in the /var/local/scf directory.
    sys save /config/myConfiguration creates the file myConfiguration.scf in the /config directory.
You can now import this file onto other BIG-IP devices on the network.

Importing BIG-IP configuration data onto other BIG-IP systems

You can use the tmsh sys load command to import a single configuration file (SCF), including access control data, onto other BIG-IP® devices on the network.
Note: This task is optional.
  1. On the BIG-IP system on which you created the SCF, access a command-line prompt.
  2. Copy the SCF that you previously created to a location on your network that you can access from the system that you want to configure.
  3. Edit the SCF to reflect the management routing and special passwords of the BIG-IP system that you want to configure:
    1. Open the SCF in an editor.
    2. Where necessary, change the values of the management IP address, network mask, management default route, self IP addresses, virtual server IP addresses, routes, default routes, and host name fields to the values for the new system.
    3. If necessary, change the passwords for the root and admin accounts using the command user name password none newpassword password.
      Important: When configuring a unit that is part of a redundant system configuration and that is using the SCF from the peer unit, do not modify the root and admin accounts. These accounts must be identical on both units of the redundant system.
    4. Save the edited SCF.
  4. On the BIG-IP system that you want to configure, open the Traffic Management Shell by typing the command tmsh.
  5. Type sys load scf_filename.
    sys load myConfiguration053107.scf saves a backup of the running configuration in the /var/local/scf directory, and then resets the running configuration with the configuration contained in the SCF you are loading.
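Step 3 of this procedure is a manual edit of the SCF, and the Important note in it is the part that is easiest to violate by accident: when the target unit is one half of a redundant pair loading the peer's SCF, the root and admin account stanzas must come through untouched. The Python example below, added here and not F5 code, applies the routine host-specific edits (hostname, management IP, management default route) to a constructed SCF excerpt and then verifies that the root and admin stanzas are byte-for-byte unchanged before the file is handed to sys load. The SCF text is a constructed, abbreviated sample in tmsh syntax; the hashes in it are placeholders, and the stanza layout is an assumption about how a real SCF is formatted, not something taken from the page.

```python
import re
from typing import Dict, List

# Constructed SCF excerpt (tmsh syntax). A real SCF contains many more stanzas.
SAMPLE_SCF = """\
sys global-settings {
    hostname bigip-a.example.net
}
sys management-ip 192.0.2.10/24 {
    description configured-statically
}
sys management-route default {
    gateway 192.0.2.1
    network default
}
auth user admin {
    description "Admin User"
    encrypted-password $6$placeholder$adminhash
    role admin
    shell tmsh
}
auth user root {
    description root
    encrypted-password $6$placeholder$roothash
    role admin
    shell bash
}
"""


def retarget_scf(scf: str, hostname: str, mgmt_ip: str, gateway: str) -> str:
    """Rewrite the host-specific fields named in step 3.2 for the new unit."""
    # hostname inside sys global-settings
    scf = re.sub(r"(?m)^(\s*hostname )\S+$", lambda m: m.group(1) + hostname, scf)
    # management IP address and mask (CIDR form in tmsh syntax)
    scf = re.sub(r"(?m)^sys management-ip \S+ \{",
                 f"sys management-ip {mgmt_ip} {{", scf)
    # gateway of the default management route only; other routes are left alone
    scf = re.sub(r"(?ms)(^sys management-route default \{.*?^\s*gateway )\S+",
                 lambda m: m.group(1) + gateway, scf)
    return scf


def account_stanzas(scf: str) -> Dict[str, str]:
    """Return each 'auth user <name> { ... }' stanza keyed by account name."""
    return {m.group(1): m.group(0)
            for m in re.finditer(r"(?ms)^auth user (\S+) \{.*?^\}", scf)}


def check_redundant_pair_edit(original: str, edited: str) -> List[str]:
    """Names among root/admin whose stanza changed; must be empty for a peer unit."""
    before, after = account_stanzas(original), account_stanzas(edited)
    return [name for name in ("root", "admin") if before.get(name) != after.get(name)]


def prepare_for_peer(original: str, hostname: str, mgmt_ip: str, gateway: str) -> str:
    """Edit the SCF for the peer unit and refuse to proceed if account stanzas moved."""
    edited = retarget_scf(original, hostname, mgmt_ip, gateway)
    changed = check_redundant_pair_edit(original, edited)
    if changed:
        raise ValueError(f"root/admin stanzas changed: {changed}")
    return edited


if __name__ == "__main__":
    print(prepare_for_peer(SAMPLE_SCF, "bigip-b.example.net", "192.0.2.11/24", "192.0.2.1"))
```

Running the check against the original SCF rather than trusting the edit is deliberate: it catches a stray search-and-replace that happened to hit a password line, which is exactly the mistake the Important note warns about.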