Manual Chapter : Initial Configuration for the BIG-IQ System

Applies To:


BIG-IQ Centralized Management

  • 4.6.0

Defining DNS and NTP servers for the BIG-IQ system

After you license the BIG-IQ® system, you can specify the DNS and NTP servers.
Setting your DNS server and domain allows the BIG-IQ system to properly parse IP addresses. Defining the NTP server ensures that the BIG-IQ system’s clock is synchronized with Coordinated Universal Time (UTC).
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. On the BIG-IQ Systems panel, click the gear icon next to the group name for which you want to define the DNS and NTP servers, and then click Properties.
  3. Click Services.
  4. In the DNS Lookup Servers field, type the IP address of your DNS server.
  5. In the DNS Search Domains field, type the name of your search domain.
    The DNS search domain list allows the BIG-IQ system to search for local domain lookups to resolve local host names.
  6. In the Time Servers fields, type the IP addresses of your Network Time Protocol (NTP) servers.
  7. Click the Save button to save your configuration.

Changing the default password for the administrator user

You must specify the management IP address settings for the BIG-IQ® system to prompt the system to automatically create the administrator user.
After you initially license and configure the BIG-IQ system, it is important to change the administrator role password from the default, admin.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. On the Users panel, for Admin User, click the gear icon and then Properties.
  4. In the Old Password field, type the password.
  5. In the Password and Confirm Password fields, type a new password.
  6. Click Save.

Setting the time zone on a BIG-IQ system

To set the time zone for the BIG-IQ system, you must have root access.
After you license and perform the initial configuration for the BIG-IQ system, you can set the time zone. Setting the time zone from the command line ensures it displays the same in the BIG-IQ system's user interface as well as the logs. The default time zone is United States Pacific Time zone.
  1. Log in to the BIG-IQ system command line.
  2. To view the available time zones, type ls -laR /usr/share/zoneinfo
  3. To set the time zone, type the following command: tmsh modify sys ntp timezone <timezone_filename>
    For example, for the United States Pacific Time zone, type tmsh modify sys ntp timezone America/Los_Angeles
Logs and the user interface now display the same time zone.

Overview: SNMP and SMTP alerts

You can easily manage the health of your network by configuring the BIG-IQ® system to alert you when specific events occur for your managed devices. You can receive notifications by having the BIG-IQ system send traps to your SNMP manager and you can also configure the BIG-IQ system to send alerts for certain events to a specified individual. SNMP is an industry standard protocol for monitoring devices on IP networks. BIG-IQ Device integrates easily with your SNMP manager, allowing you to centrally manage collected data. Once configured, the SNMP agent sends data collected from BIG-IQ Device to your third-party SNMP manager. BIG-IQ Device is compatible with SNMPv1, SNMPv2c, and SNMPv3. Additionally, you can specify SNMP events to also trigger SMTP alerts.

Configuring SNMP version 3 for alerts

You configure the SNMP agent and provide specific access to BIG-IQ® Device so that the SNMP manager can collect data.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. Click the gear icon next to the name of the BIG-IQ system for which you want to configure SNMP, and then click Properties.
  4. Click SNMP Config.
    The screen displays the SNMP settings.
  5. In the Contact Information field, type the name and email address of the person who is responsible for SNMP administration, and in the Machine Location field, type the location of the SNMP manager system.
    These details are for informational purposes only and have no impact on how BIG-IQ Device interfaces with your SNMP manager.
  6. To download the F5-specific MIBs, click the Download MIB link.
  7. In the Addresses/Networks and Mask fields, type the IP address and networks and the netmask (if applicable) that the SNMP manager is allowed to access.
  8. To add another address, click the plus ( + ) sign.
  9. Click the arrow next to Access.
    The SNMP Access settings display.
  10. For the Record Type setting, select V3.
  11. In the User Name field, type the SNMP manager's user name.
  12. If you want to specify the authentication protocol for SNMP traps, from the Auth Type list, select the type that you want the system to use.
    • MD5 specifies the MD5 message digest algorithm.
    • SHA specifies the Secure Hash Algorithm.
  13. If you want the system to encrypt SNMP traps, from the Privacy Protocol list, select the type of encryption to use.
    • AES specifies Advanced Encryption Standard.
    • DES specifies Data Encryption Standard.
  14. In the Privacy Password field, type the required password for access.

    SNMPv3 has special requirements when you create plain-text passwords on a router or switch:

    • The password must be at least eight characters long.
    • The password can include alphabetic, numeric, and special characters, but it cannot include control characters.
  15. In the OID field, type the object identifier (OID) you want to associate with this user.
  16. Click the arrow next to Trap.
  17. From the Version list, select the version of SNMP you are using.
  18. In the Destination and Port fields, type, respectively, the IP address and system port for the SNMP management system.
  19. From the Security Level list, select the level of security at which you want SNMP messages processed. Auth, No Privacy processes messages with authentication but without encryption; Auth and Privacy processes messages with both authentication and encryption.
  20. In the Security Name field, type the user name the system uses to handle SNMP v3 traps.
  21. In the Engine ID field, type an administratively unique identifier for an SNMP engine.
    This setting is optional. You can find the engine ID in the /config/net-snmp/snmpd.conf file as the value of the oldEngineID token.
  22. From the Auth Protocol list, select the type of authentication to use to authenticate SNMP v3 traps.
  23. In the Auth Password field, type the password the system uses for an SNMP v3 trap.
    The password must be at least 8 characters in length and no more than 32 and can include alphabetic, numeric, and special characters, but it cannot include control characters.
  24. If you selected Auth and Privacy from the Security Level list, then from the Privacy Protocol list, select the algorithm the system uses to encrypt SNMP v3 traps. When you set this value, you must also enter a value in the Privacy Password field.
  25. To configure an additional SNMP trap destination, click the plus ( + ) sign and specify the settings.
  26. When you've finished adding traps, click the Save button located at the top of the panel.
You can now specify alert settings. You set alert conditions from the BIG-IQ System group properties screen.

Configuring SNMP version 1 or 2 for alerts

You configure the SNMP agent and provide specific access to BIG-IQ® Device so that the SNMP manager can collect data.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. Click the gear icon next to the name of the BIG-IQ system for which you want to configure SNMP, and then click Properties.
  4. Click SNMP Config.
    The screen displays the SNMP settings.
  5. In the Contact Information field, type the name and email address of the person who is responsible for SNMP administration, and in the Machine Location field, type the location of the SNMP manager system.
    These details are for informational purposes only and have no impact on how BIG-IQ Device interfaces with your SNMP manager.
  6. To download the F5-specific MIBs, click the Download MIB link.
  7. In the Addresses/Networks and Mask fields, type the IP address and networks and the netmask (if applicable) that the SNMP manager is allowed to access.
  8. To add another address, click the plus ( + ) sign.
  9. When you've finished adding traps, click the Save button located at the top of the panel.
  10. Click the arrow next to Access.
    The SNMP Access settings display.
  11. In the New v1/v2 Access Records section, from the Type list, select the appropriate protocol for the SNMP manager's IP address.
  12. In the Community field, type the name of the associated community.
  13. Click the arrow next to Trap.
  14. In the New v1/v2c Destinations section, from the Version list, select the version of SNMP you are using.
  15. In the Community, Destination, and Port fields, type, respectively, the community name, IP address, and port for the trap destination.
  16. To configure an additional SNMP trap destination, click the plus ( + ) sign and specify the settings.
  17. When you've finished adding traps, click the Save button located at the top of the panel.
You can now specify alert settings. You set alert conditions from the BIG-IQ System group properties screen.

Configuring SMTP for alerts

Before you define an SMTP server, you must first configure a DNS server.

Configure SMTP alerts to send email to specified recipients when an alert condition occurs.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. Hover over the HA Peer Group, click the gear icon when it appears, and then click Properties.
  4. Click SMTP Config.
  5. In the Name and Email Address fields, type the name and the email address of the person you want to receive an email when a specified alert condition is met.
  6. To add an additional recipient, click the + sign and repeat step 5.
  7. Click Server.
  8. In the Name field, type a name for this SMTP configuration.
  9. In the SMTP Server Host and SMTP Server Port fields, type the SMTP server and TCP port.
    By default, SMTP uses TCP 25.
  10. In the From Address field, type the email address from which to send the alert email.
  11. From the Encryption list, select the type of encryption to use for the email.
  12. To require a user name and password, select Yes from the Use Auth list and type the required user name and password.
  13. To save this configuration, click Save.
You can now specify the alert conditions that prompt the BIG-IQ system to send an email to the specified recipient when the condition is met.

Specifying alert conditions

After you configure SNMP and/or SMTP integration, you can specify the alerts that prompt BIG-IQ® System to send an email to the specified recipients.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. Click the gear icon next to the group for which you want to specify alert conditions, and then click Properties.
  4. Click Alert Conditions.
  5. Select the check box next to each event that should trigger an alert email.
  6. If a threshold is associated with the condition, in the adjacent Threshold field, type a value on which you want to trigger an alert email.
  7. Click Save.

About authentication integration

Integrating BIG-IQ® systems with your authentication server allows you to remotely manage user access based on specific BIG-IQ system roles and associated permissions.

The BIG-IQ system is compatible with RADIUS and LDAP protocols.

Configuring authentication with RADIUS

You must first license the BIG-IQ system and specify DNS settings before you can specify authentication settings.

When you configure the BIG-IQ® system for user authentication through your company's RADIUS service, you can associate existing and new users added to the RADIUS service with specific BIG-IQ roles. The permissions associated with those roles are based on the user credentials. You can add two additional backup RADIUS servers in case the primary server is not available for authentication.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. On the BIG-IQ Systems panel, click the gear icon next to the HA Peer Group you are configuring, and then click Properties.
  4. Click Auth Provider.
  5. If you do not want to display the local host provider on the initial log on screen, select the Do not display Local Host provider option on the login screen if a 3rd-party provider is configured check box.
  6. From the User Directory list, select Remote RADIUS, and click the Add button.
  7. In the Name field, type a name for this new provider.
    This must be a unique name and can be a maximum of 152 characters.
  8. In the Failback Time field, type the number of minutes to wait to contact the primary RADIUS server if it was previously unreachable and authentication was being performed by the secondary or tertiary RADIUS server.
  9. In the Host and Port fields, type the RADIUS server's IP address (or fully qualified domain name) and port number for each of the servers you want to configure.

    The primary server is mandatory. A secondary server and tertiary server, which will be used if the primary or secondary servers fail, are optional.

  10. In the Secret field, type the case-sensitive text string used to validate communication.
  11. To verify the RADIUS server settings, in the Username and Password fields, type a valid user name and password and click Test Connection.
  12. Click the Save button.
You can now associate RADIUS server users and groups to BIG-IQ system roles.

Configuring BIG-IQ system to use pre-defined RADIUS groups

To perform this procedure, you must have root access to the BIG-IQ system's command line through SSH.

Some RADIUS deployments include non-standard, vendor-specific attributes in the dictionary files. For these deployments, you must update the BIG-IQ system's default dictionary. Use this procedure if you are using pre-defined RADIUS groups to define user groups on the BIG-IQ system.

  1. Copy the TinyRadius .jar file from the BIG-IQ system.
  2. Extract the contents of the TinyRadius .jar file.
  3. Update the org/tinyradius/dictionary/default_dictionary file by adding the vendor-specific attributes.
  4. Repack the contents into a new .jar file.
  5. Replace the old TinyRadius .jar on each BIG-IQ system with the new TinyRadius .jar file you created in step 4.

For example:

  1. From a Linux machine, copy the TinyRadius .jar file from your BIG-IQ system by typing: scp <big-iq-user>@<BIG-IQ-Address>:/usr/share/java/TinyRadius-1.0.jar ~/tmp/tinyrad-upgrade/
  2. Extract the file on your Linux machine by typing: jar -xvf TinyRadius-1.0.jar
  3. Edit the org/tinyradius/dictionary/default_dictionary file, adding the vendor-specific attribute, and then repack the .jar file by typing:
    rm TinyRadius-1.0.jar
    jar cvf TinyRadius-1.0.jar *
  4. Update the jar on the BIG-IQ system by typing: scp TinyRadius-1.0.jar <your_user>@<BIG-IQ address>:/var/tmp/
  5. SSH to the BIG-IQ system and type the following commands:
    mount -o remount,rw /usr
    cp /var/tmp/TinyRadius-1.0.jar /usr/share/java
    mount -o remount,ro /usr
    bigstart restart restjavad
    
  6. Repeat steps 4 and 5 for each BIG-IQ system in this cluster.
Now you can use the user defined RADIUS attribute value pairs to create your user groups on the BIG-IQ system.
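As an added example (not from this manual and not TinyRadius or F5 code), the following Python script performs the extract, edit and repack steps of the procedure above without a JDK: it rewrites the default_dictionary entry inside the jar with zipfile, appends VENDOR/VENDORATTR lines in TinyRadius's dictionary line format, and records a SHA-256 of both jars so the change can be tracked across every BIG-IQ system in the cluster. The vendor id 99999, the vendor name ExampleCorp and the attribute name are constructed placeholders, and build_sample_jar creates a constructed stand-in jar so the script runs offline.

```python
"""Append vendor-specific attributes (VSAs) to the TinyRadius default dictionary inside a jar."""
import hashlib
import os
import shutil
import tempfile
import zipfile

# Path of the dictionary entry inside TinyRadius-1.0.jar, as named in the procedure.
DICT_ENTRY = "org/tinyradius/dictionary/default_dictionary"


def sha256_of(path):
    """Digest of a file, so the original and rebuilt jars can be recorded for change control."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def vendor_dictionary_lines(vendor_id, vendor_name, attrs):
    """Render TinyRadius VENDOR / VENDORATTR lines; attrs is a list of (name, code, type)."""
    lines = ["VENDOR\t%d\t%s" % (vendor_id, vendor_name)]
    for name, code, attr_type in attrs:
        lines.append("VENDORATTR\t%d\t%s\t%d\t%s" % (vendor_id, name, code, attr_type))
    return lines


def read_dictionary(jar_path):
    with zipfile.ZipFile(jar_path) as zin:
        return zin.read(DICT_ENTRY).decode("utf-8")


def add_vendor_attributes(src_jar, dst_jar, vendor_id, vendor_name, attrs):
    """Write dst_jar as a copy of src_jar whose dictionary also carries the new VSA lines.
    Every other entry is copied unchanged; lines already present are not duplicated."""
    new_lines = vendor_dictionary_lines(vendor_id, vendor_name, attrs)
    with zipfile.ZipFile(src_jar) as zin:
        if DICT_ENTRY not in zin.namelist():
            raise ValueError("%s has no %s entry" % (src_jar, DICT_ENTRY))
        with zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as zout:
            for info in zin.infolist():
                data = zin.read(info.filename)
                if info.filename == DICT_ENTRY:
                    text = data.decode("utf-8")
                    if text and not text.endswith("\n"):
                        text += "\n"
                    present = set(text.splitlines())
                    text += "".join(line + "\n" for line in new_lines if line not in present)
                    data = text.encode("utf-8")
                zout.writestr(info, data)
    return read_dictionary(dst_jar)


def build_sample_jar(path):
    """Constructed stand-in for TinyRadius-1.0.jar: only the dictionary entry is realistic."""
    with zipfile.ZipFile(path, "w") as zout:
        zout.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zout.writestr(DICT_ENTRY, "ATTRIBUTE\tUser-Name\t1\tstring\nATTRIBUTE\tClass\t25\tstring\n")


def demo():
    """Run the update end to end on the sample jar in a temp dir; returns what was checked."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "TinyRadius-1.0.jar")
    dst = os.path.join(work, "TinyRadius-1.0-vsa.jar")
    build_sample_jar(src)
    # Hypothetical vendor id and attribute: placeholders, not F5's or any real vendor's values.
    attrs = [("ExampleCorp-BIGIQ-Group", 1, "string")]
    text = add_vendor_attributes(src, dst, 99999, "ExampleCorp", attrs)
    again = add_vendor_attributes(dst, os.path.join(work, "twice.jar"), 99999, "ExampleCorp", attrs)
    result = {"before": sha256_of(src), "after": sha256_of(dst), "dictionary": text,
              "idempotent": again == text}
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, ":", value)
```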

Before configuring LDAP authentication

Before integrating LDAP authentication with the BIG-IQ® system, you must first perform the following tasks:

  • Use an LDAP browser to familiarize yourself with the groups and users in your directory's structure and their position in the hierarchy of organizational units (OUs).
  • Decide how you want to map user names. The first option is to map users directly to their Distinguished Name (DN) in the directory with a user bind template in the form of uid=<username>, ou=people,o=sevenSeas. For example, when you map John Smith's user name with his DN as uid=<jsmith>, ou=people,o=sevenSeas and he logs in as jsmith, he is properly authenticated with his user name in the directory through his DN.
    The second option is to allow users to log in with names that do not map directly to their DN, by specifying a userSearchFilter in the form of (&(uid=%s)) when creating the provider. For example, if John Smith's DN is cn=John Smith,ou=people,o=sevenSeas, but you would like him to be able to log in with jsmith, specify a userSearchFilter in the form of (&(jsmith=%s)).
    If your directory does not allow anonymous binds, you must also specify a bindUser and bindPassword so that the BIG-IQ system can validate the user's credentials.
  • Determine which groups in your directory to map into BIG-IQ groups. If you configured a bindUser and bindPassword for users, the BIG-IQ system displays a list of groups from which to choose. If you have not, you must know the DN for each group.
  • Identify the DN under which all users and groups can be found. This is the root bind DN for your directory and is expressed as rootDN when you create a provider. The BIG-IQ system uses the root bind DN as a starting point when searching for users and groups.
  • Determine the host IP address for the LDAP server. The default port is 389, if not specified otherwise.

Configuring authentication with LDAP

When you configure the BIG-IQ system for user authentication through your company's LDAP service, you can associate existing and new users added to the LDAP service with specific BIG-IQ roles. The permissions associated with those roles are based on the user credentials. The BIG-IQ system integration is compatible with LDAP server versions 2 and 3, and OpenLDAP directory, Apache Directory Server, and Active Directory. You can add multiple LDAP servers.

  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Configuration.
  3. On the BIG-IQ Systems panel, click the gear icon next to the HA Peer Group you are configuring, and then click Properties.
  4. Click Auth Provider.
  5. If you do not want to display the local host provider on the initial log on screen, select the Do not display Local Host provider option on the login screen if a 3rd-party provider is configured check box.
  6. From the User Directory list, select Remote LDAP and then click the Add button.
    The screen refreshes to display LDAP provider properties.
  7. In the Name field, type a name for this new provider.
    This must be a unique name and can be a maximum of 152 characters.
  8. In the Host field, type the IP address of your LDAP server.
  9. If your Active Directory server uses a port other than the default, 389, in the Port field, type the number of the alternative port.
  10. If you want BIG-IQ System to use an SSL port to communicate with the LDAP server, select the Enabled check box for the SSL Enabled setting.
    Note that the Port setting automatically changes to 636.
  11. If your LDAP server does not allow anonymous binds, in the Bind User and Bind User Password fields, type the full distinguished names and passwords for users with query access.
  12. In the Root DN field, type the root context that contains users and groups.
    The root context must be a full distinguished name.
  13. From the Authentication Method list, select an option.
    • None - Select this option to prompt the LDAP server to ignore the user name and password.
    • Simple - Select this option to require a user name and password for authentication.
  14. In the Search Scope field, type a number to specify the depth at which searches are made.
    Alternatively, you can specify 0 for search only on the named object or 1 for a one-level search scope.
  15. In the Search Filter field, type the LDAP filter expression that determines how users are found.
    The search filter is determined by your LDAP implementation.
  16. In the Connect Timeout field, type the number of milliseconds after which the BIG-IQ system stops trying to connect to the LDAP server.
  17. In the Read Timeout field, type the number of seconds after which the BIG-IQ system stops waiting for a response to a query.
  18. In the User Display Name Attribute field, type the LDAP attribute to use for the name BIG-IQ System displays.
    When using Active Directory, this is typically displayName.
  19. To direct bind to a distinguished name, in the User Bind Template field, type the name.
    For example, cn={username},ou=people,o=sevenSeas.
    Now, when a user logs in, BIG-IQ System inserts their user name into the template in place of the token, and the resulting distinguished name is used to bind to the directory.
  20. To prompt the LDAP provider to search for groups based on a specific display name attribute, in the Group Display Name Attribute field, type an attribute.
    This attribute is typically cn.
  21. Leave the Group Search Filter at its default query to return all groups under the provided rootDN.
    Alternatively, if you have a large number of groups (more than 100), you can narrow the search to a specific term by typing a query with a {searchterm} token in this field.

    For example: (&(objectCategory=group)(|(cn={searchterm}*)))

  22. To specify a query for finding a user's groups, in the Group Membership Filter field, type a query string.
    Use the token {userDN} anywhere that the user's distinguished name should be supplied in the LDAP query.

    You can use a {username} token as a substitute for the user's login name in a query.

    Leave this setting at the default (|(member={username})(uniqueMember={username})) unless the provider is Active Directory.
  23. To specify a query attribute for finding users in a particular group, in the Group Membership User Attribute field, type the attribute.
    When using Active Directory, use memberof. For example: (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)
    For other LDAP directories, use groupMembershipFilter. For example: (groupMembership=cn=group_name,ou=organizational_unit,o=organization)
  24. Select the Perform Test check box to test this provider.
  25. Click the Save button.
The BIG-IQ system now authenticates users against the configured LDAP server.
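The User Bind Template, Group Search Filter and Group Membership Filter settings above insert a login name, a search term or the user's DN into an LDAP string. As an added example (not BIG-IQ code), the Python below fills the {username}, {userDN} and {searchterm} tokens the way the steps describe while escaping the inserted values per RFC 4514 (DN values) and RFC 4515 (filter values), and adds a parentheses-balance check for filter templates. The sample names and templates come from this chapter; the escaping is an addition, since an unescaped value can change what a filter matches.

```python
"""Fill the BIG-IQ LDAP templates with user-supplied values, escaping them first."""

# RFC 4515 section 3: characters that must be escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# RFC 4514 section 2.4: characters that must be escaped inside an attribute value of a DN.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape a value for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def render_bind_dn(template, username):
    """User Bind Template, e.g. cn={username},ou=people,o=sevenSeas, filled with the login name."""
    return template.replace("{username}", escape_dn_value(username))


def render_filter(template, username=None, user_dn=None, search_term=None):
    """Fill the {username}, {userDN} and {searchterm} tokens of a filter template.
    user_dn is inserted as a filter value, so it gets filter escaping, not DN escaping."""
    out = template
    if username is not None:
        out = out.replace("{username}", escape_filter_value(username))
    if user_dn is not None:
        out = out.replace("{userDN}", escape_filter_value(user_dn))
    if search_term is not None:
        out = out.replace("{searchterm}", escape_filter_value(search_term))
    return out


def balanced(filter_text):
    """Sanity check for a filter template: parentheses must balance (escaped ones ignored)."""
    depth = 0
    for ch in filter_text.replace("\\28", "").replace("\\29", ""):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    print(render_bind_dn("cn={username},ou=people,o=sevenSeas", "jsmith"))
    print(render_filter("(|(member={username})(uniqueMember={username}))", username="j*"))
    print(render_filter("(&(objectCategory=group)(|(cn={searchterm}*)))", search_term="bigiq"))
    print(balanced("(&objectCategory=group)(|(cn={searchterm}*)))"))
```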