Manual Chapter: Configuring Remote Authentication and Authorization for Administrative Traffic
The BIG-IP system includes a comprehensive solution for managing BIG-IP administrative accounts on your network. With this solution, you can:
Use a remote server for storing BIG-IP user accounts
The BIG-IP system includes support for using a remote authentication server to store BIG-IP system user accounts. After creating BIG-IP system accounts on the remote server, you configure the BIG-IP system to use remote user authentication, using either the browser-based Configuration utility or the command-line-based bigpipe utility. For more information, see Configuring the BIG-IP system to use remote authentication of user accounts.
Assign group-based access control
The BIG-IP system includes a remoterole command within the bigpipe utility. You use the remoterole command to specify access control data on a group-wide basis for remotely-stored BIG-IP system user accounts. The remoterole command can use the existing group definitions assigned to those remote accounts to define access control properties (privileges) for those users. The remoterole command not only provides more granularity and flexibility in assigning user privileges, but also removes any need to duplicate remote user accounts on the BIG-IP system for the purpose of assigning those privileges. For more information, see Configuring access control for BIG-IP system users.
Propagate a set of authorization data to multiple BIG-IP devices
The BIG-IP system includes a tool for propagating user access control data easily to multiple BIG-IP devices on the network. This access control data includes user role specifications, partition access, and BIG-IP system console access. To propagate user authorization data to multiple BIG-IP devices, you use the Single Configuration File feature within the bigpipe utility. For more information, see Propagating remote authentication and authorization data to multiple BIG-IP devices.
By using all of the above features together, you can define user privileges on a group-wise basis, and you can centrally manage all BIG-IP user accounts, thus negating any need to create and manage user accounts separately on each individual BIG-IP device on the network.
Note: All remote authentication servers must reside in route domain 0. For information on route domains, see the TMOS® Management Guide for BIG-IP® Systems.
Configuring the BIG-IP system to use remote authentication of user accounts
Once you have created the accounts on the remote server, you must configure the BIG-IP system to specify the type of remote authentication server. This allows the BIG-IP system to access that remote data when authenticating BIG-IP system users.
The BIG-IP system supports several types of authentication servers for storing BIG-IP system administrative user accounts. The actual procedure you use to specify the type of remote server you are using to store user accounts differs depending on the server type:
Microsoft® Windows® Active Directory servers
You can configure the BIG-IP system to use an LDAP or Microsoft Windows Active Directory server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
If the remote authentication server is set up to authenticate SSL traffic, there is an additional feature that you can enable. You can configure the BIG-IP system to perform the server-side SSL handshake that the remote server would normally perform when authenticating client traffic. In this case, there are some preliminary steps you must perform to prepare for remote authentication using SSL.
On the BIG-IP system, import the certificates, using the Configuration utility. For information on importing certificates, see the TMOS™ Management Guide for BIG-IP® Systems.
1. On the Main tab of the navigation pane, expand System, and click Users.
   The Users screen opens.
2. On the menu bar, click Authentication.
   The Authentication screen opens.
3. Click Change.
4. From the User Directory list, select Remote - Active Directory or Remote - LDAP.
5. In the Host box, type the IP address of the remote server.
6. For the Port setting, retain the default port number (389) or type a new port number in the box.
   This setting represents the port number that the BIG-IP system uses to access the remote server.
7. In the Remote Directory Tree box, type the file location (tree) of the user authentication database on the LDAP or Active Directory server. At minimum, you must specify a domain component (that is, dc=<value>).
8. For the Scope setting, retain the default value (Sub) or select a new value.
   This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication. For more information on this setting, see the online help.
9. For the Bind setting, specify a user ID login for the remote server:
   a) In the DN box, type the Distinguished Name for the remote user ID.
   b) In the Password box, type the password for the remote user ID.
   c) In the Confirm box, re-type the password that you typed in the Password box.
10. If you want to enable SSL-based authentication, click the SSL box and, if necessary, configure the following settings.
    Important: Be sure to specify the full path name of the storage location on the BIG-IP system. For example, if the certificate is stored in the directory /config/ssl/ssl.crt, type the value /config/ssl/ssl.crt.
    a) In the SSL CA Certificate box, type the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    b) In the SSL Client Key box, type the name of the client SSL key.
       Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
    c) In the SSL Client Certificate box, type the name of the client SSL certificate.
       Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
11. Click Finished.
You can configure the BIG-IP system to use a RADIUS server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
1. On the Main tab of the navigation pane, expand System, and click Users.
   The Users screen opens.
2. On the menu bar, click Authentication.
   The Authentication screen opens.
3. Click Change.
4. From the User Directory list, select Remote - RADIUS.
5. From the Server Configuration list, select either Primary Only or Primary & Secondary.
6. For the Primary setting, configure these settings:
   a) In the Host box, type the IP address of the remote server.
   b) In the Port box, retain the default port number (1812) or type a new port number in the box.
      This setting represents the port number that the BIG-IP system uses to access the remote server.
   c) In the Secret box, type the RADIUS secret.
   d) In the Confirm box, re-type the secret that you typed in the Secret box.
      Note that the values of the Secret and Confirm settings must match.
7. If you selected Primary & Secondary in step 5, configure the Secondary setting.
8. Click Finished.
You can configure the BIG-IP system to use a TACACS+ server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
1. On the Main tab of the navigation pane, expand System, and click Users.
   The Users screen opens.
2. On the menu bar, click Authentication.
   The Authentication screen opens.
3. Click Change.
4. From the User Directory list, select Remote - TACACS+.
5. From the Configuration list, select Advanced.
   Additional settings appear on the screen.
6. In the Servers box, type an IP address and click Add.
7. In the Secret box, type the TACACS+ secret.
8. In the Confirm Secret box, re-type the TACACS+ secret that you specified in the Secret box.
9. From the Encryption list, retain the default value (Enabled) or select Disabled. This setting is optional.
10. In the Service Name box, type the name of a service.
11. In the Protocol Name box, type the name of a protocol. This setting is optional.
12. From the Authentication list, select either Authenticate to first server or Authenticate to each server until success.
13. From the Accounting Information list, select either Send to first available server or Send to all servers.
14. From the Debug Logging list, select either Disabled or Enabled.
15. Click Finished.
After specifying the type of remote server you are using to store user accounts, you can configure authorization properties (that is, a user role, partition access, and terminal access) for those accounts.
When you configured the BIG-IP system to indicate the type of remote server being used to store BIG-IP system user accounts, the BIG-IP system automatically created a single user entity on the BIG-IP system that represents all remotely-stored accounts. Named Other External Users, this user entity includes a default set of access control values. These access-control values are:
Role = No Access
Note: You can use the Configuration utility to change the values that the BIG-IP system uses as the default values when assigning privileges to remote user accounts.
Use the remoterole command (recommended).
This allows you to assign privileges on a group basis. Using the remoterole command gives you flexibility and granularity in controlling access to BIG-IP system resources by remote user accounts. For more information, see Understanding the remoterole command on this page.
Use the Configuration utility to assign privileges on a per-user basis.
Using the Configuration utility, you can assign non-default privileges to any individual user account that is stored remotely. If you do this, you must first duplicate the user account on the BIG-IP system. For more information, see the TMOS™ Management Guide for BIG-IP® Systems.
Note: For detailed descriptions of the user roles that you can assign to accounts, see the TMOS™ Management Guide for BIG-IP® Systems.
The remoterole command assigns privileges to remote user accounts by mapping a vendor-specific attribute (such as an LDAP attribute for defining a user group) to a set of access-control properties that you define. These access-control properties are:
By mapping a remote authentication server attribute to a set of access-control properties, you can easily define a different set of access-control properties for each group of BIG-IP user accounts stored on a remote authentication server.
Without the remoterole command, you must either assign the same privileges to all remotely-stored user accounts, or you must individually duplicate each remote user account on the BIG-IP system to assign unique privileges to that account.
Once you have used the remoterole utility, you can use the Single Configuration File feature to propagate that access control data to other BIG-IP devices on the network. For more information, see Propagating remote authentication and authorization data to multiple BIG-IP devices.
You use the remoterole command to assign group-wide privileges to remote user accounts. The command is available from within the bigpipe utility. The following section shows the syntax for the remoterole command, and shows an example of its use, with the resulting access control data.
Type the bigpipe remoterole command, using the following syntax:
bigpipe remoterole role info <user group> attribute (<string> | none) console \
(enable | disable) line order <number> role <user role> user partition \
(<string> | none)
For example, suppose that your BIG-IP system user accounts are stored on an LDAP remote authentication server and that those accounts are divided between the groups BigIPOperatorsGroup and BigIPManagersGroup. In this case, you can type the following remoterole command sequence to define the privileges for those groups:
bigpipe remoterole role info BigIPOperatorsGroup { attribute "memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net" \
    console disable line order 1 role operator user partition App_A } \
  role info BigIPManagersGroup { attribute "MemberOF=cn=BigIPManagersGroup,cn=users,dc=dev,dc=net" \
    console enable line order 2 role manager user partition App_B }
Table 24.1 shows the resulting configuration, where each group has a set of privileges assigned to it:
Table 24.1 Privilege assignments resulting from the remoterole command

Group                  Privileges
BigIPOperatorsGroup    console disable, role operator
BigIPManagersGroup     console enable, role manager
Note: After you use the remoterole command to configure group-based privileges, any user who logs on to the BIG-IP system and does not have a group assignment on the remote server is denied access to the BIG-IP system. Also, whenever you change the user role or partition assignment (or both) for a remote account, all remote users are immediately logged off the system, including those logged in as Other External Users.
Some BIG-IP environments might be using a large number of administrative partitions and user roles, and therefore require several different combinations of user roles and partitions. For example, if a BIG-IP system is configured to use ten administrative partitions and five different user roles, the system could require up to 50 combinations of partitions and user roles, making use of the remoterole command unwieldy.
To mitigate this problem, the remoterole command supports the use of variable substitution. That is, for the role, user partition, and console arguments of the remoterole command, you can specify %<variable> for the value.
Suppose that you configure a remote RADIUS authentication server to return a vendor-specific attribute and three variables, and their values.
The remoterole command can use the first attribute (F5-LTM-User-Info-1) on which to match. The command can then read the role, user partition, and console values from the remaining three variables, rather than you specifying them explicitly. The command does this when you specify each of the three variables on the command line, preceded by the string %, as arguments.
The following shows a sample use of the remoterole command. This particular command matches on the vendor-specific attribute F5-LTM-User-Info-1 and then assigns the access-control values listed above (Operator, App_C, and 1) to any user accounts that are part of Datacenter 1 (DC1):
b remoterole role info DC1 { attribute "F5-LTM-User-Info-1=DC1" \
    console "%F5-LTM-User-Console" role "%F5-LTM-User-Role" user partition "%F5-LTM-User-Partition" line order 1 }
Incorrect variable values
If the value of a variable is incorrect, the user is not authorized. For example, if the %F5-LTM-User-Partition variable evaluates to p1, but the p1 partition does not exist or the partition is named P1 instead of p1, the user receives an error message when attempting to log in.
The role variable
The variable that you specify on the command line with the role argument (for example, %F5-LTM-User-Role) must evaluate to one of these values:
0 (Administrator)
20 (Resource Administrator)
40 (User Manager)
100 (Manager)
300 (Application Editor)
400 (Operator)
700 (Guest)
800 (Application Security Policy Editor)
900 (None)
Missing variables
When a variable does not exist in the authentication attributes, the system assigns these privileges to the user account:
Role = No Access
No matching attributes
If the user is properly authenticated but there is no match on any of the remoterole attributes, the system assigns the default privileges. For more information on default privileges for remote user accounts, see Configuring access control for BIG-IP system users.
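To make the outcomes described above concrete (a matched attribute with literal or %variable arguments, a missing variable, an invalid variable value, and no matching attribute), here is an added illustration of the resolution logic in Python. It is not F5 code; it only models the behaviour this chapter documents, reusing the chapter's two remoterole examples. The partition set, the console variable values (1 for enable, following the DC1 sample) and first-match-in-line-order evaluation are assumptions.

```python
# Added illustration, not F5 code: a small model of how remoterole entries
# resolve a remote user's privileges, including the documented outcomes
# (no attribute match -> default Other External Users values, missing
# %variable -> No Access, bad variable value -> the user is not authorized).

ROLE_CODES = {  # numeric values the %role variable must evaluate to
    0: "Administrator", 20: "Resource Administrator", 40: "User Manager",
    100: "Manager", 300: "Application Editor", 400: "Operator", 700: "Guest",
    800: "Application Security Policy Editor", 900: "None"}

# Assumption: partitions that exist on this BIG-IP system (names are case-sensitive)
PARTITIONS = {"Common", "App_A", "App_B", "App_C"}
# Assumption: accepted console values; the chapter's DC1 sample uses 1 for enable
CONSOLE_VALUES = {"enable": "enable", "1": "enable", "disable": "disable", "0": "disable"}
# Role = No Access is documented; the partition and console values here are assumed
NO_ACCESS = {"role": "No Access", "partition": None, "console": "disable"}

# The chapter's two examples: the LDAP group mapping and the RADIUS variable mapping
REMOTEROLE = [
    {"attribute": "memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net",
     "console": "disable", "role": "operator", "partition": "App_A", "line_order": 1},
    {"attribute": "F5-LTM-User-Info-1=DC1", "console": "%F5-LTM-User-Console",
     "role": "%F5-LTM-User-Role", "partition": "%F5-LTM-User-Partition", "line_order": 2},
]


class NotAuthorized(Exception):
    """Raised when a %variable expands to a value the system cannot use."""


def _expand(value, attrs):
    """Return a literal argument unchanged, or the attribute a %variable names (None if absent)."""
    return attrs.get(value[1:]) if value.startswith("%") else value


def resolve(attrs):
    """attrs maps attribute names returned by the remote server to a value or list of values."""
    for entry in sorted(REMOTEROLE, key=lambda e: e["line_order"]):  # assumed: first match wins
        name, _, wanted = entry["attribute"].partition("=")
        have = attrs.get(name, [])
        if wanted not in ([have] if isinstance(have, str) else have):
            continue
        role, partition, console = (_expand(entry[k], attrs) for k in ("role", "partition", "console"))
        if None in (role, partition, console):
            return dict(NO_ACCESS)  # a referenced variable is missing from the attributes
        if entry["role"].startswith("%"):  # variable must be one of the numeric role codes
            if not role.isdigit() or int(role) not in ROLE_CODES:
                raise NotAuthorized(f"role value {role!r} is not a valid role code")
            role = ROLE_CODES[int(role)]
        if partition != "none" and partition not in PARTITIONS:  # e.g. p1 when only P1 exists
            raise NotAuthorized(f"partition {partition!r} does not exist")
        if console not in CONSOLE_VALUES:
            raise NotAuthorized(f"console value {console!r} is not valid")
        return {"role": role, "partition": partition, "console": CONSOLE_VALUES[console]}
    return dict(NO_ACCESS)  # authenticated, but no remoterole attribute matched: default privileges
```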
Propagating remote authentication and authorization data to multiple BIG-IP devices
The final step in configuring remote authentication and authorization for BIG-IP administrative users is to propagate the BIG-IP authentication and authorization configuration data to the other BIG-IP devices on the network.
You perform this step using the bigpipe export and bigpipe import commands, which are part of the Single Configuration File feature. The bigpipe export command exports BIG-IP configuration data to a special .scf file (SCF). The bigpipe import command uses the data in that SCF to configure other BIG-IP devices.
If you performed the previous task (using the remoterole command to define access control data for remote user accounts), any subsequent SCF that you create using the bigpipe export command contains those access control definitions. You can then use the bigpipe import command to propagate that access control data to the other BIG-IP devices on the network.
The following procedures describe how to create an SCF and import the SCF onto another BIG-IP device. For a more detailed description of the SCF feature and how to use it, see the TMOS™ Management Guide for BIG-IP® Systems.
1. Access the bigpipe shell.
2. Run the command export, and include a name for the SCF, for example:
   The system creates the file, myConfiguration053107.scf, in the /var/local/scf directory. To create the SCF in another location, specify a full path for the file. For example, the command export /config/myConfiguration creates the SCF in the /config directory.
1. Copy the SCF that you created in the previous section to a location on your network that you can access from the system that you want to configure.
2. Edit the SCF to reflect the management routing and special passwords of the BIG-IP system that you want to configure:
   b) Where necessary, change the values of the management IP address, network mask, management default route, self IP addresses, virtual server IP addresses, routes, default routes, and host name fields to the values for the new system.
   c) If necessary, change the passwords for the root and admin accounts using the user <name> password none newpassword <password> command.
   Important: When configuring a unit that is part of a redundant system using the SCF from the other unit in the system, do not modify the root and admin accounts. These accounts must be identical on both units of a redundant system.
3. The system saves a backup of the running configuration in the /var/local/scf directory, and then resets the running configuration with the configuration contained in the SCF you are importing.
4. To save the new running configuration to the stored configuration, use the save all command.
   The system saves the running configuration to the stored configuration.