Applies To:
BIG-IQ Centralized Management
- 5.1.0
How do I license and do the basic setup to start using BIG-IQ?
The BIG-IQ® system runs as a virtual machine in supported hypervisors, or on the BIG-IQ 7000 series platform. After you download the software image from the F5 Downloads site and upload it to BIG-IQ, you can license the system.
You get a license for BIG-IQ using the base registration key you purchased. The base registration key is a character string the F5 license server uses to provide BIG-IQ a license to access the features you purchased. You license BIG-IQ in one of the following ways:
- If the system has access to the Internet, you can have the BIG-IQ system contact the F5 license server and automatically activate the base registration key to get a license.
- If the system is not connected to the Internet, you can manually license the BIG-IQ using the F5 license server web portal.
- If the system is in a closed-circuit network (CCN) that does not allow you to export any encrypted information, you must open a case with F5 support.
After you license BIG-IQ, you:
- Specify a host name for the system.
- Assign a management port IP address.
- Specify the IP address of your DNS server and the name of the DNS search domain.
- Specify the IP address of your Network Time Protocol (NTP) servers and select a time zone.
- Change the default passwords for the admin and root accounts.
Automatically licensing BIG-IQ and performing initial setup
Manually licensing BIG-IQ and performing initial setup
Additional Network Configuration Options
About additional network configuration options
During the licensing and initial configuration procedures, you configure a single VLAN and associated self IP addresses. This is all the networking configuration required to start managing devices. However, if you find you need additional VLANs and self IP addresses, the BIG-IQ® system provides you with the ability to add them as required.
Adding an additional VLAN
Adding an additional self-IP address
- Log in to F5® BIG-IQ® Centralized Management with your user name and password.
- At the top left of the screen, select System Management from the BIG-IQ menu.
- At the top of the screen, click Inventory.
- On the left, click .
- In the Name field, type a unique name to identify this new self IP address.
- In the Address field, type the self IP address and netmask.
- In the Description field, type a description for this self IP address.
- From the VLAN list, select the VLAN to associate with this self IP address.
- Click the Add button at the bottom of the screen to save this new self IP address.
How do I manage access to BIG-IQ and my managed BIG-IP devices?
As a network or system manager, you need a way to differentiate between users, and to limit user access based on how they interact with F5® BIG-IQ® Centralized Management and your managed devices.
You can specify how you want users to be authenticated (AuthN): locally on BIG-IQ, or remotely through your RADIUS or LDAP server. Roles then determine what an authenticated user is authorized (AuthZ) to do. Trust between BIG-IQ and the BIG-IP devices it manages is established separately, through a bidirectional key and certificate exchange.
To help you manage all of this, it's important that you understand the following concepts:
- Users - are individuals for whom you are providing access to BIG-IQ resources, including access to managed BIG-IP® devices.
- User groups - are a way to organize individuals into groups so that you can grant or change the same privileges to several users at once.
- Roles - are associated with specific privileges, which you grant to users, allowing them to do a set of tasks on BIG-IQ, and on your managed devices.
Changing the default password for the administrator user
Add a locally-authenticated user
Create a locally-authenticated user group
You create a user group so that you can easily manage privileges for several users at one time.
Can I use my LDAP server to authenticate BIG-IQ users?
F5® BIG-IQ® Centralized Management can verify user credentials against your company's LDAP server (LDAP protocol versions 2 and 3; OpenLDAP, Apache Directory Server, and Active Directory). After you set up BIG-IQ to use your LDAP server, you can add users and user groups that are authenticated by your LDAP server.
Before integrating BIG-IQ with your LDAP server
Before integrating LDAP authentication with the BIG-IQ® system, you must first perform the following tasks:
- Use an LDAP browser to review the groups and users in your directory's structure and where they're located in the hierarchy of organizational units (OUs).
- Decide how you want to map user names.
- The first option is to map users directly to their Distinguished Name (DN) in the directory with a user bind template in the form uid=<username>,ou=people,o=sevenSeas. For example, if John Smith's DN is uid=jsmith,ou=people,o=sevenSeas and he logs in as jsmith, the template yields his DN and he is authenticated by binding to the directory as that DN.
- The second option is to let users log in with names that do not map directly to their DN by specifying a userSearchFilter, in the form (&(uid=%s)), when you create the provider; BIG-IQ replaces %s with the login name and searches the directory for the matching entry. For example, if John Smith's DN is cn=John Smith,ou=people,o=sevenSeas but you want him to log in as jsmith, specify a userSearchFilter that matches the attribute holding that login name, such as (&(uid=%s)) if his entry's uid attribute is jsmith. If your directory does not allow anonymous binds, you must also specify a bindUser and bindPassword so that the BIG-IQ system can perform the search and validate the user's credentials.
- Decide which groups in your directory to map into BIG-IQ groups.
- If you configured a bindUser and bindPassword for users, the BIG-IQ system displays a list of groups from which to choose.
- If you haven't configured this for your users, you must know the DN for each group.
- Find the DN under which all of your users and groups can be found. This is the root bind DN for your directory, defined as rootDN when you create a provider. The BIG-IQ system uses the root bind DN as the starting point when it searches for users and groups, so choose the narrowest DN that still contains every user and group you intend to map.
- Find the host IP address of the LDAP server. The default port is 389 unless you specify otherwise. Note that port 389 carries LDAP in cleartext, so the bindPassword and every user's password cross the network unencrypted unless the connection is protected with TLS.
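The two mapping options, the group lookup and the rootDN scoping described above, as an added worked example in Python (not F5 code and not BIG-IQ's implementation): the directory is a constructed in-memory stand-in for o=sevenSeas, the filter evaluator covers only the subset of RFC 4515 the example needs, and the DNs, attributes and the bigiq-admins group are invented for the example. It also shows why whatever substitutes the login name for %s must escape it first: an unescaped * in the login name turns the user lookup into a wildcard search.

```python
"""Added worked example (not F5 code): how the two LDAP user-mapping options
resolve a login name to a DN, how rootDN scopes the search, and why the login
name must be escaped before it replaces %s in a userSearchFilter.

Assumptions: DIRECTORY is a constructed stand-in for o=sevenSeas, and the filter
evaluator covers only the RFC 4515 subset needed here (&, |, !, equality,
'*' wildcard, \\xx escapes)."""
import re

# Constructed directory: DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    "cn=John Smith,ou=people,o=sevenSeas": {
        "objectclass": ["inetOrgPerson"], "uid": ["jsmith"], "cn": ["John Smith"]},
    "uid=mjones,ou=people,o=sevenSeas": {
        "objectclass": ["inetOrgPerson"], "uid": ["mjones"], "cn": ["Mary Jones"]},
    "uid=svc-backup,ou=services,o=sevenSeas": {
        "objectclass": ["inetOrgPerson"], "uid": ["svc-backup"], "cn": ["Backup Service"]},
    "cn=bigiq-admins,ou=groups,o=sevenSeas": {
        "objectclass": ["groupOfNames"], "cn": ["bigiq-admins"],
        "member": ["cn=John Smith,ou=people,o=sevenSeas"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value that is substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _parse(s, i=0):
    """Recursive-descent parser for a parenthesised filter; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)                   # a literal ')' inside a value is escaped as \29
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def _unescape(part):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def _value_matches(pattern, actual):
    """Equality with '*' wildcard; an escaped \\2a is decoded after the split, so it is a literal '*'."""
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _eval(node, attrs):
    op = node[0]
    if op == "&":
        return all(_eval(k, attrs) for k in node[1])
    if op == "|":
        return any(_eval(k, attrs) for k in node[1])
    if op == "!":
        return not _eval(node[1][0], attrs)
    _, attr, value = node
    return any(_value_matches(value, v) for v in attrs.get(attr, []))


def search(root_dn, filter_str):
    """Subtree search below root_dn (the BIG-IQ rootDN) for entries matching filter_str."""
    node, _ = _parse(filter_str)
    base = root_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and _eval(node, attrs)]


def map_by_template(login, template="uid=%s,ou=people,o=sevenSeas"):
    """Option 1: the user bind template turns the login name directly into a DN."""
    dn = template.replace("%s", login)
    return dn if dn in DIRECTORY else None


def map_by_search(login, root_dn="o=sevenSeas", user_filter="(&(uid=%s))", escape=True):
    """Option 2: search below rootDN with userSearchFilter, then bind as the single hit.
    Zero or several hits is treated as a failed login."""
    value = escape_filter_value(login) if escape else login
    hits = search(root_dn, user_filter.replace("%s", value))
    return hits[0] if len(hits) == 1 else None


def groups_of(user_dn, root_dn="ou=groups,o=sevenSeas"):
    """Groups whose member attribute names user_dn: the DNs you map to BIG-IQ user groups."""
    return search(root_dn, "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn))


if __name__ == "__main__":
    for login in ("jsmith", "mjones"):
        print(login, "template ->", map_by_template(login), "| search ->", map_by_search(login))
    print("unescaped '*' matches", len(search("o=sevenSeas", "(&(uid=*))")), "entries")
    print("escaped '*' matches", len(search("o=sevenSeas", "(&(uid=%s))" % escape_filter_value("*"))), "entries")
    print("jsmith groups:", groups_of("cn=John Smith,ou=people,o=sevenSeas"))
```

Run it to see each login resolved both ways: the template works for mjones, whose RDN is her uid, and fails for jsmith, whose RDN is his cn; the search works for both. map_by_search treats anything other than exactly one hit as a failed login, which is the behaviour to want from a search-based mapping: several matches mean the login name is not unique under the rootDN you chose, and a login should never succeed against an arbitrary one of them. The same search restricted to ou=people instead of o=sevenSeas shows how the rootDN bounds what a login name can resolve to.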
Set up BIG-IQ to use an LDAP server for user authentication
You can set up F5 BIG-IQ Centralized Management to use your company's LDAP server to authenticate users. You can specify multiple LDAP servers for user authentication.
Add a BIG-IQ user authenticated by my LDAP server
Create an LDAP-authenticated user group
You create an LDAP-authenticated user group so that users authenticated by your LDAP server can be granted privileges as a group.
Can I use my RADIUS server to authenticate BIG-IQ users?
F5® BIG-IQ® Centralized Management can verify user credentials against your company's RADIUS server. After you set up BIG-IQ to use your RADIUS server, you can add users and user groups authenticated by that server.
Set up BIG-IQ to use a RADIUS server for user authentication
Before you can set up RADIUS authentication, you must have specified your DNS settings, which you usually do when you license the F5 BIG-IQ Centralized Management system. You can then set up BIG-IQ to use your company's RADIUS server, and add up to two additional backup RADIUS servers to use if the primary server is not available for authentication.
Pre-defined RADIUS groups for authentication
Some RADIUS deployments include non-standard, vendor-specific attributes in the dictionary files. For these deployments, you must update the BIG-IQ system's default dictionary. Follow these steps if you want to use pre-defined RADIUS user groups on BIG-IQ.
- Copy the TinyRadius .jar file from the BIG-IQ system.
- Extract the contents of the TinyRadius .jar file.
- Update the file org/tinyradius/dictionary/default_dictionary by adding the vendor-specific attributes.
- Repack the contents into a new .jar file.
- Replace the old TinyRadius .jar on each BIG-IQ system with the new TinyRadius .jar file you created in step 4.
For example:
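Steps 2 through 4 above as an added worked example in Python (not F5's own procedure or tooling): a .jar is a zip archive, so the script unpacks it with the standard zipfile module, appends the vendor-specific attribute lines to org/tinyradius/dictionary/default_dictionary, leaves every other entry unchanged, and writes a new jar. The jar it patches is a constructed stand-in whose dictionary holds only two standard attributes, not the real file. The F5 lines use F5's IANA enterprise number 3375 and attribute names and codes from F5's RADIUS dictionary, written in a VENDOR / VENDORATTR layout that is an assumption here: compare it against the entries already present in your extracted dictionary and match that syntax exactly.

```python
"""Added worked example (not F5 code): steps 2-4 of the TinyRadius dictionary
procedure as a script. Unpacks a TinyRadius .jar (a zip archive), appends
vendor-specific attribute lines to the default dictionary, keeps every other
entry unchanged, and writes a new .jar.

Assumptions: make_sample_jar() builds a constructed stand-in, not the real jar;
F5_VSAS uses F5's vendor ID 3375 with a VENDOR/VENDORATTR line layout that is
assumed here and must be checked against your extracted dictionary."""
import io
import zipfile

DICT_ENTRY = "org/tinyradius/dictionary/default_dictionary"

# Vendor-specific attributes to add. Line syntax is an assumption (see above).
F5_VSAS = """\
VENDOR 3375 F5
VENDORATTR 3375 F5-LTM-User-Role 1 integer
VENDORATTR 3375 F5-LTM-User-Role-Universal 2 integer
VENDORATTR 3375 F5-LTM-User-Partition 3 string
VENDORATTR 3375 F5-LTM-User-Console 4 integer
VENDORATTR 3375 F5-LTM-User-Shell 5 string
"""


def make_sample_jar():
    """Constructed stand-in for the jar copied off BIG-IQ in step 1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(DICT_ENTRY,
                     "# constructed sample, not the real TinyRadius dictionary\n"
                     "ATTRIBUTE User-Name 1 string\n"
                     "ATTRIBUTE User-Password 2 string\n")
        jar.writestr("org/tinyradius/util/RadiusUtil.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def patch_dictionary(jar_bytes, vsa_text):
    """Steps 2-4: return new jar bytes with vsa_text appended to the dictionary entry.
    Lines already present are not added again, so running it twice is harmless."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if DICT_ENTRY not in src.namelist():
            raise ValueError("not a TinyRadius jar: %s missing" % DICT_ENTRY)
        for info in src.infolist():          # preserve entry order and metadata
            data = src.read(info.filename)
            if info.filename == DICT_ENTRY:
                text = data.decode("utf-8")
                existing = {l.strip() for l in text.splitlines()}
                new = [l for l in vsa_text.splitlines()
                       if l.strip() and l.strip() not in existing]
                if new:
                    if not text.endswith("\n"):
                        text += "\n"
                    text += "\n".join(new) + "\n"
                data = text.encode("utf-8")
            dst.writestr(info, data)
    return out.getvalue()


def dictionary_lines(jar_bytes):
    """Read the dictionary back out of a jar, to check it before step 5."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.read(DICT_ENTRY).decode("utf-8").splitlines()


def entry_names(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(jar.namelist())


def entry_bytes(jar_bytes, name):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.read(name)


def verify(jar_bytes):
    """testzip() returns the name of the first corrupt entry, or None when intact."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.testzip() is None


if __name__ == "__main__":
    original = make_sample_jar()
    patched = patch_dictionary(original, F5_VSAS)
    print("\n".join(dictionary_lines(patched)))
    print("intact:", verify(patched))
```

Before step 5, read the dictionary back out of the new jar and confirm the archive is intact (the script does both), keep a copy of the original jar so you can roll back, and repeat the comparison after a BIG-IQ upgrade in case it ships a fresh copy of the jar over your patched one.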
Add a BIG-IQ user authenticated by my RADIUS server
Create a RADIUS-authenticated user group
You create a RADIUS-authenticated user group so that users authenticated by your RADIUS server can be granted privileges as a group.
How do I limit privileges for users?
As a system manager, you need a way to limit user privileges based on their responsibilities. To help you do that, F5® BIG-IQ® Centralized Management ships with a set of default roles that you can assign to users. Roles are shared between BIG-IQ systems in a high availability pair, so they remain assigned to users even if the primary BIG-IQ system fails over.
Standard roles shipped with BIG-IQ
F5® BIG-IQ® Centralized Management ships with several standard roles, which you can assign to individual users, or to a user group. Roles are shared between BIG-IQ systems in a high availability pair, so they remain assigned to users even if the BIG-IQ system fails over.
Role | Role Description / Access |
---|---|
Administrator | This role has access to all aspects of System Management and Device Management, including licensing. This includes access for adding individual users, assigning roles, discovering BIG-IP® systems, installing updates, activating licenses, and setting up BIG-IQ® in a high availability (HA) configuration. |
ADC Deployer | This role has access to deploy and view ADC configuration objects for managed ADC devices. |
ADC Editor | This role has access to edit all ADC configuration objects. |
ADC Manager | This role has access to all aspects of ADC, including areas involved in creating, viewing, modifying, and deleting Local Traffic and Network objects. |
ADC Viewer | This role has view-only access for all ADC objects and features. |
Access Auditor | This role has access to all Access reports and the Access dashboard. |
Access Deployer | This role has deploy access to Access configuration objects. This role cannot discover and edit devices or policies. |
Access Editor | This role has edit access to Access configuration objects. This role cannot discover and deploy devices or policies. This role includes the ability to add, update, and delete pools and pool members from the Access configuration object editor. |
Access Manager | This role has deploy and edit access to Access configuration objects, and has access to Access Reports and Dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services. |
Access Viewer | This role has view-only access to Access configuration objects and tasks for Access devices that have been discovered. This role cannot edit, discover, or deploy devices or policies. |
Device Manager | This role has access to all aspects of Device Management, including areas involved in device discovery, group creation, licensing, software image management, UCS backups, templates, connectors, certificates, self IP addresses, VLANs, and interfaces. |
Device Viewer | This role has read-only access to all aspects of Device Management, including areas involved in device discovery, group creation, licensing, software image management, UCS backups, templates, connectors, certificates, self IP addresses, VLANs, and interfaces. |
Fraud Protection Manager | This role has access to all aspects of the Fraud Protection Service functionality for Web Client Security. |
Fraud Protection View | This role has view-only access to all Fraud Protection Service objects for Web Client Security. |
Network Security Deploy | This role has access to view and deploy Network Security objects. |
Network Security Manager | This role has access to all aspects of Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects. |
Network Security Edit | This role has access to create, view, and modify objects for Network Security. |
Network Security View | This role has view-only access to firewall objects for Network Security. This role cannot edit, discover, or deploy devices or policies. |
Security Manager | This role has access to all aspects of Network Security, Web Application Security, and Web Client Security, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects. |
Trust Discovery Import | This role manages device trust establishment, service discovery, service import, removal of services and removal of trust. |
Web App Security Deployer | This role can deploy and view ASM configuration objects for managed ASM devices. |
Web App Security Editor | This role manages config objects within the ASM module. |
Web App Security Manager | This role has access to all aspects of Web Application Security, including areas involved in creating, viewing, modifying, and deleting shared and web application-specific security objects. |
Web App Security Viewer | This role permits read-only access to the ASM module. |