Applies To:
BIG-IP AAM
- 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP APM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP Analytics
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP Link Controller
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP LTM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP AFM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP PEM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP DNS
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
BIG-IP ASM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Configuring Remote User Authentication and Authorization
Overview: Remote authentication and authorization of BIG-IP user accounts
The BIG-IP® system includes a comprehensive solution for managing BIG-IP administrative accounts on your network. With this solution, you can:
- Use a remote server to store BIG-IP system user accounts.
- The BIG-IP system includes support for using a remote authentication server to store BIG-IP system user accounts. After creating BIG-IP system accounts on the remote server (using the server vendor's instructions), you can configure the BIG-IP system to use remote user authentication and authorization (access control) for that server type.
- Assign group-based access.
- The BIG-IP system includes an optional feature known as remote role groups. With the remote role groups feature, you can use existing group definitions on the remote server to define the access control properties for users in a group. This feature not only provides more granularity in assigning user privileges, but also removes any need to duplicate remote user accounts on the BIG-IP system for the purpose of assigning those privileges.
- Propagate a set of authorization data to multiple BIG-IP systems.
- The BIG-IP system includes a tool for propagating BIG-IP system configuration data to multiple BIG-IP devices on the network. This tool is known as the Single Configuration File (SCF) feature.
Task summary
You can configure the BIG-IP® system to authenticate and authorize user accounts that are stored on a remote authentication server.
The BIG-IP® system supports several types of authentication servers for storing BIG-IP system administrative user accounts. The actual procedure you use to specify the type of remote server differs, depending on the server type.
Task list
Specifying LDAP or Active Directory server information
- Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
- If you want the BIG-IP system to verify the certificate that the authentication server presents, import one or more SSL certificates (the issuing CA certificate, or the server certificate itself) before you begin. Without verification, a TLS connection to the directory server is encrypted but the peer is not authenticated, so anyone who can redirect that connection can impersonate the server and capture the bind credentials and every administrator password sent to it.
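The LDAP prerequisites above end at the certificate import. The following is an added example (it is not from the F5 page) of the corresponding tmsh configuration on BIG-IP 12.x: importing the CA, defining the system-auth LDAP source with peer verification, and switching the authentication source. Hostnames, DNs, file names and the bind password are placeholders, and the property names are written from memory of the 12.x schema, so confirm them with `tmsh help auth ldap` on your own unit.

```tmsh
# Added example, not F5 documentation text. Placeholders: ldap1/ldap2.example.com,
# the DNs, /var/tmp/corp-ca.pem and the bind password. Verify property names
# with "tmsh help auth ldap" and "tmsh help sys file ssl-cert".

# 1. Import the CA that issued the directory server's certificate
#    (copy the PEM file to the BIG-IP first, e.g. with scp to /var/tmp).
create sys file ssl-cert corp-ldap-ca.crt source-path file:/var/tmp/corp-ca.pem

# 2. Define the LDAP source. "ssl enabled" only encrypts the session;
#    "ssl-check-peer enabled" with the CA reference is what makes the BIG-IP
#    reject a server that cannot present a certificate chaining to that CA.
create auth ldap system-auth {
    servers add { ldap1.example.com ldap2.example.com }
    port 636
    ssl enabled
    ssl-ca-cert-file corp-ldap-ca.crt
    ssl-check-peer enabled
    bind-dn "cn=bigip-svc,ou=service,dc=example,dc=com"
    bind-pw "REPLACE-ME"
    search-base-dn "dc=example,dc=com"
    login-attribute sAMAccountName
}

# 3. Switch the user directory from local to the LDAP source
#    (use "type active-directory" for the Active Directory variant).
modify auth source type ldap

save sys config
```

Keep a local administrative account until you have confirmed that a remote login succeeds and that a login against a server presenting an untrusted certificate fails; otherwise a typo in the CA reference can lock every administrator out.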
Specifying client certificate LDAP server information
Verify that the required user accounts for the BIG-IP® system exist on the remote authentication server.
Specifying RADIUS server information
- Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
- On the Main tab, click .
- On the menu bar, click Authentication.
- Click Change.
- From the User Directory list, select Remote - RADIUS.
- For the Primary setting:
- If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting:
- From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server. This default applies to every account the server accepts, including accounts that belong to no remote role group, so choose the least privileged role that fits (No Access if all privileges are granted through remote role groups).
- From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
- From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
  - Disabled: Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
  - tmsh: Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
- Click Finished.
Specifying TACACS+ server information
- Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
- Verify that the appropriate user groups, if any, are defined on the remote authentication server.
Configuring access control for remote user groups
You perform this task to assign a user role, a corresponding administrative partition, and a type of terminal access to a remotely-stored group of user accounts. For a given user group, you can assign as many role-partition combinations as you need, as long as each role is associated with a different partition. If the partition you associate with a role is All, that entry might or might not take effect, depending on whether the All designation conflicts with other role-partition combinations for that user group; when entries conflict, the line order of the entries in the configuration determines which one applies. To assign multiple role-partition combinations to a user group, repeat this task for each combination, specifying the same attribute string each time.
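The following is an added example (not from the F5 page) that puts the RADIUS procedure above and this remote-role task together as BIG-IP 12.x tmsh commands: two RADIUS servers for the Primary and Secondary settings, the defaults for remotely authenticated accounts, and remote role entries that give one group two role-partition combinations with explicit line order. Server addresses, shared secrets, partition and group names are placeholders; the property names and the `F5-LTM-User-Info-1=` attribute format are written from memory of the 12.x schema, so confirm them with `tmsh help auth radius` and `tmsh help auth remote-role` before use.

```tmsh
# Added example, not F5 documentation text. Placeholders: 192.0.2.10/11, the
# secrets, the app-partition partition and the group values. Verify property
# names with "tmsh help auth radius" and "tmsh help auth remote-role".

# Primary and secondary RADIUS servers. The radius object must be named
# system-auth and the server objects system_auth_name1 / system_auth_name2.
create auth radius-server system_auth_name1 server 192.0.2.10 port 1812 secret "REPLACE-ME"
create auth radius-server system_auth_name2 server 192.0.2.11 port 1812 secret "REPLACE-ME"
create auth radius system-auth servers add { system_auth_name1 system_auth_name2 }
modify auth source type radius

# Role / Partition Access / Terminal Access defaults from the GUI procedure.
# Least privilege: an account that authenticates but matches no entry below
# gets no access, no partition beyond Common and no shell.
modify auth remote-user default-role no-access default-partition Common remote-console-access disabled

# Remote role groups. Each entry binds one attribute string (the group value
# the RADIUS server returns) to one role on one partition. The app-team group
# appears twice with different partitions, which is the "multiple
# role-partition combinations, same attribute string" case. Entries are
# evaluated by ascending line-order, so the All-partition guest entry for
# app-team is placed after the narrower operator entry; swap the line-order
# values to see how an All entry can override a narrower one.
create auth remote-role role-info add {
    netops-admins {
        attribute "F5-LTM-User-Info-1=netops-admins"
        role administrator
        user-partition All
        console enabled
        line-order 10
    }
    app-team-operator {
        attribute "F5-LTM-User-Info-1=app-team"
        role operator
        user-partition app-partition
        console disabled
        line-order 20
    }
    app-team-guest {
        attribute "F5-LTM-User-Info-1=app-team"
        role guest
        user-partition All
        console disabled
        line-order 30
    }
}

save sys config
```

After saving, log in as a member of each group and run `tmsh show auth remote-role` or inspect `/config/bigip_user.conf` to confirm the role and partition actually assigned; test the app-team account in particular, since it is the one whose result depends on line order.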