Archived Manual Chapter: Managing Administrative Accounts

This article has been archived, and is no longer maintained.

By creating user accounts for system administrators, you provide additional layers of security. User accounts ensure that the system:
To enable user authentication and authorization, you assign passwords and user roles to your user accounts. Passwords allow you to authenticate users when they attempt to log on to the WANJet appliance. User roles allow you to control user access to WANJet appliance resources.
You can create and store WANJet administrative accounts either locally on the WANJet appliance, or remotely on a separate authentication server. If you want user accounts to reside locally, you create those user accounts on the WANJet appliance. For information on local user accounts, see Managing local user accounts.
If you want user accounts to reside remotely on a separate authentication server, you do not create the accounts on the WANJet appliance. Instead, you create them using the authentication server, and use the WANJet appliance strictly to assign user roles to those remote accounts.
support (optional)
The root account and (if enabled) the support account have full access to WANJet appliance resources. By default, the admin account has full access to the Configuration utility but no access to the command line. For more information on the admin account, see Configuring the admin account. The support account is an optional account that you can enable to allow F5 Technical Support personnel to log on to the system. For more information on the support account, see Configuring the support account.
Note: You are not required to have any accounts other than the root, support, and the admin accounts, but we recommend that you do so if you have multiple administrators configuring the system.
Standard user accounts are user accounts that you can optionally create for other WANJet appliance administrators to use. Standard user accounts can reside either locally on the WANJet appliance, or remotely on a remote authentication server. You create and maintain these accounts using the browser-based Configuration utility.
User roles are a means of controlling user access to WANJet appliance resources. You assign a user role to each administrative user, and in so doing, you grant the user a set of permissions for accessing WANJet appliance resources.
Table 6.1 lists and describes the various user roles that you can assign to a user account.
The WANJet appliance automatically assigns a user role to an account when you create that account. The user role that the system assigns to a user account by default depends on the type of account:
root and admin accounts
The WANJet appliance automatically assigns the Administrator user role to the root account and the admin account. You cannot change this user-role assignment.
Other user accounts
The WANJet appliance automatically assigns the No Access user role to all standard user accounts other than the admin account. If the account you are using has the Administrator role assigned to it, you can change another account's user role from the default No Access role to any other user role, including Administrator.
You can create, view, modify, and delete user accounts on the WANJet appliance using the browser-based Configuration utility.
The Configuration utility stores local user accounts (including user names, passwords, and user roles) in a local user account database. When a user logs on using a local account, the WANJet appliance checks the account to determine the user role assigned to that user account.
Important: Only users with the role of Administrator can create and manage local user accounts. However, users with any role can change their own passwords.
A user account called admin resides on every WANJet appliance. Although the WANJet appliance creates this account automatically, you must still assign a password to the account before you can use it. You initially set the password for the admin account by running the Setup utility. You can change the password later from the Platform screen or the Users screen.
The admin account resides in the local user account database on the WANJet appliance. By default, the WANJet appliance assigns the admin account the Administrator user role, which gives the user of this account full access to all WANJet appliance resources. You cannot change the user role for this account. For details on user roles, see Understanding user roles.
When you run the Setup utility on the WANJet appliance, you set up some administrative accounts. Specifically, you provide passwords for the root and admin accounts, and you may enable the support account. The root and admin accounts are for WANJet appliance administrators, while the support account is for F5 Networks support personnel who require access to the customer's system for troubleshooting purposes.
Users logging on to the root account have console-only access to the WANJet appliance, by default. Users logging on to the admin account have browser-only access to the WANJet appliance, by default.
You can use the User Administration section of the Platform Configuration screen to change the passwords for root and admin accounts on a regular basis. You can also change the admin password from the Users screen. (The root account is not listed on the Users screen.)
1. In the navigation pane, expand System, and click Platform.
   The Configuration screen opens.
2. In the User Administration section, locate Root Account or Admin Account.
3. In the Password box, type a new password. In the Confirm box, retype the same password.
1. In the navigation pane, expand System, and click Users.
   The User List screen opens, displaying a list of user accounts.
2. In the account list, click the admin account name.
   The Account Properties screen for the admin account opens.
3. For the Password settings, in the New box, type a new password. In the Confirm box, retype the same password.
Important: You must have the user role of Administrator assigned to your account to configure this feature.
Table 6.2 shows the password policy settings that you can configure.
Secure Password Enforcement: Enables or disables character restrictions, that is, a policy for minimum password length and required characters. When you enable this setting, the Configuration utility displays the Minimum Length and Required Characters settings.
Minimum Length: Specifies the minimum number of characters required for a password, and the allowed range of values is 6 to 255. This setting appears only when you enable the Secure Password Enforcement setting.
   Important: When enabled, the WANJet appliance enforces this setting on user accounts with the Guest role assigned to them; any user account with the Administrator role assigned to it (including the root, support, and admin accounts) is not subject to the restrictions imposed by this setting.
Required Characters: Specifies the number of numeric, uppercase, lowercase, and other characters required for a password. The allowed range of values is 0 to 127. This setting appears only when you enable the Secure Password Enforcement setting.
   Important: When enabled, the WANJet appliance enforces this setting on user accounts with the Guest role assigned to them. Any user account with the Administrator role assigned to it (including the root, support, and admin accounts) is not subject to the restrictions imposed by this setting.
Specifies, for each user account, the number of former passwords that the WANJet appliance retains to prevent the user from reusing a recent password. The range of allowed values is 0 to 127. This setting applies to all user accounts.
Specifies the minimum number of days before a user can change a password. The range of allowed values is 0 to 255. This setting applies to all user accounts.
Specifies the maximum number of days that a user's password can be valid. The range of allowed values is 1 to 99999. This setting applies to all user accounts.
Specifies the number of days prior to password expiration that the system sends a warning message to a user. The range of allowed values is 1 to 255. This setting applies to all user accounts.
1. In the navigation pane, expand System, and click Users.
   The Users screen opens.
2. On the menu bar, click Authentication.
   This displays the screen for implementing a password policy.
3. Under Password Policy, locate the Secure Password Enforcement setting and set it to meet your needs:
   - If you want to enable character restrictions for the Guest account, locate the Secure Password Enforcement setting and select Enabled.
     This displays the Minimum Length and Restrictions settings on the screen. Retain or change the values for these settings.
   - If you do not want to enable character restrictions for the Guest account, leave the Secure Password Enforcement setting set to Disabled.
4. Retain the default values for all other settings, or change them to suit your needs.
   These settings represent the secure password policy restrictions, which apply to all user accounts, regardless of user role.
5. Click Finished.
Note: Whenever you change the secure password policy, the new configuration values, such as password expiration, do not apply to passwords that were created prior to the policy change. However, the new policy takes effect the next time that the user changes his or her password.
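The following Python module is an added worked example, not code from the manual or from F5, that models the Table 6.2 policy as the chapter describes it: character restrictions (Minimum Length, Required Characters) apply only to Guest accounts while Administrator accounts are exempt, whereas password memory, minimum duration, maximum duration and the expiration warning apply to every account. The field names on PasswordPolicy, the violation codes, and the use of an unsalted SHA-256 digest for the password history are assumptions made for illustration; dates are passed as ISO-8601 strings.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    # Field names are assumptions standing in for the Table 6.2 settings;
    # the ranges in the comments are the ones the chapter gives.
    secure_password_enforcement: bool = False
    minimum_length: int = 6             # 6 to 255
    required_characters: int = 0        # 0 to 127, counted per character class
    password_memory: int = 0            # 0 to 127 former passwords retained
    minimum_duration_days: int = 0      # 0 to 255
    maximum_duration_days: int = 99999  # 1 to 99999
    expiration_warning_days: int = 1    # 1 to 255


# The four character classes that the Required Characters setting counts.
CHARACTER_CLASSES = {
    "numeric": str.isdigit,
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "other": lambda ch: not ch.isalnum(),
}


def history_digest(password: str) -> str:
    # Illustrative only: a real password store keeps salted, slow hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def validate_new_password(policy, role, candidate, history, last_changed, today):
    """Return the list of policy violations for a proposed password change.

    role: "Administrator", "Guest" or "No Access"
    history: digests of former passwords, oldest first
    last_changed / today: ISO-8601 date strings (last_changed may be None)
    """
    violations = []
    # Character restrictions bind Guest accounts only; Administrator accounts
    # (root, support, admin) are exempt, exactly as the chapter states.
    if policy.secure_password_enforcement and role == "Guest":
        if len(candidate) < policy.minimum_length:
            violations.append("too_short")
        for name, test in CHARACTER_CLASSES.items():
            if sum(1 for ch in candidate if test(ch)) < policy.required_characters:
                violations.append(f"missing_{name}")
    # Password memory and minimum duration apply regardless of role.
    recent = history[-policy.password_memory:] if policy.password_memory else []
    if history_digest(candidate) in recent:
        violations.append("recently_used")
    if last_changed is not None:
        age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
        if age < policy.minimum_duration_days:
            violations.append("minimum_duration_not_reached")
    return violations


def expiry_status(policy, last_changed, today):
    """Classify a password as valid, warn (inside the warning window) or expired."""
    expires_on = date.fromisoformat(last_changed) + timedelta(days=policy.maximum_duration_days)
    today_d = date.fromisoformat(today)
    if today_d >= expires_on:
        return "expired"
    if (expires_on - today_d).days <= policy.expiration_warning_days:
        return "warn"
    return "valid"
```

Because the exemption for Administrator accounts is part of the documented behaviour, an auditor reviewing such an appliance should treat the strength of the root, support and admin passwords as an out-of-band control rather than something the policy enforces.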
A local user account stored on the WANJet appliance has several properties. Table 6.3 lists and describes these properties, along with their default values.
Specifies the user role that you want to assign to the user account. Allowed values are: Administrator, Guest, and No Access. For more information on these user roles, see Table 6.1.
Users with the Administrator role assigned to their accounts have permission to use all WANJet appliance command line utilities, as well as any operating system commands that do not require root privilege.
Users with a Guest role assigned to their accounts, when accessing the WANJet appliance through the console, can use bigpipe shell commands only, can view existing objects only, and cannot create objects from the command line.
Depending on the user role assigned to your account (other than the No Access role), you can either create, view, modify, or delete local user accounts. Users with the Administrator user role assigned to their own accounts can perform all of these tasks with respect to user account objects.
You can optionally create local user accounts for administrators who can configure settings on the WANJet appliance, and for other users who need only to view the information on the WANJet appliance.
Note: Only users with the Administrator role can create user accounts.
1. In the navigation pane, expand System, and click Users.
   The User List screen opens, displaying a list of all local accounts.
2. In the upper right corner of the screen, click Create.
   The New User screen opens.
   Note: If the Create button is unavailable, you do not have permission to create a local user account. You must have the Administrator role assigned to your user account.
3. In the User Name box, type a name for the user account.
4. For the Password setting, type and confirm a password for the account.
5. To grant an access level other than No Access, use the Role setting and select a user role.
6. If you want to allow user access to the command line interface, then from the Terminal Access list, select Enabled.
   Note: Selecting Enabled for users with a role of Guest grants access to the bigpipe shell only. Conversely, users with the Administrator role can access all commands and utilities on the system.
7. Click Finished.
The support account is an optional account that you can enable on the WANJet appliance. When you enable this account, authorized F5 Networks support personnel can access the WANJet appliance to perform troubleshooting.
1. In the navigation pane, expand System, and click Platform.
   The Configuration screen opens.
2. For the Support Account setting, select Enabled to allow access to the account, or Disabled to prevent access to the account.
You can display a list of existing local user accounts and view the properties of an individual account. Only users who have been granted the Administrator role can view the settings of other user accounts.
The admin account and any other administrative accounts that you have created are shown on the User List screen. The root and support accounts are not listed on the User List; you can modify them from the Platform screen. See Changing admin or root account passwords.
1. In the navigation pane, expand System, and click Users.
   The User List screen opens, displaying a list of all standard user accounts.

1. In the navigation pane, expand System, and click Users.
   The User List screen opens, displaying a list of all standard user accounts.
2. In the user account list, find the user account you want to view and click the account name.
   This displays the properties of that user account.
You use the Configuration utility to modify the properties of any existing local user account, other than the root account. Only users who have been granted the Administrator role can modify user accounts other than their own.
Users with a role of Guest can change the password for their account, but cannot modify any other properties of their accounts.
1. In the navigation pane, expand System, and click Users.
   The User List screen opens, displaying a list of all standard user accounts.
2. In the user account list, click a user account name.
   This displays the properties of that account.
4. Click Update.
When you run the Setup utility on the WANJet appliance, you set up some administrative accounts. Specifically, you provided passwords for the root and admin accounts, and you may have enabled the support account. The root and admin accounts are for WANJet appliance administrators, while the support account is for F5 Networks support personnel who require access to the customer's system for troubleshooting purposes.
Users logging on to the root account have console-only access to the WANJet appliance, by default. Users logging on to the admin account have browser-only access to the WANJet appliance, by default.
You can use the User Administration section of the Platform Configuration screen to change the passwords for root and admin accounts on a regular basis. You can also change the admin password from the Users screen. (The root and support accounts are not listed on the Users screen, however.)
1. In the navigation pane, expand System, and click Platform.
   The Configuration screen opens.
2. In the User Administration section, locate Root Account or Admin Account.
3. In the Password box, type a new password. In the Confirm box, retype the same password.

1. In the navigation pane, expand System, and click Users.
   The User List screen opens, displaying a list of user accounts.
2. In the account list, click the admin account name.
   The Account Properties screen for the admin account opens.
3. For the Password settings, in the New box, type a new password. In the Confirm box, retype the same password.
If the account you are using has an Administrator user role, you can delete other local user accounts. When you delete a local user account, you remove it permanently from the local user account database on the WANJet appliance.
Note: You cannot delete the admin user account, nor can you delete the user account with which you are logged in.
1. In the navigation pane, expand System, and click Users.
   This opens the User List screen, displaying a list of all standard user accounts.
2. In the user account list, locate the name of the account you want to delete and click the Select box to the left of the account name.
3. Click the Delete button.
   A confirmation box appears.
4. Click Delete again.
When you configure SSH access, you enable or disable user access to the WANJet appliance through a Secure Shell (SSH) program, such as PuTTY or OpenSSH. You can also restrict the IP addresses that are allowed access to the system using SSH, or allow SSH access from all addresses.
The SSH Access setting controls all user access to the command line using SSH. You can also control terminal access for each specific user account, allowing or preventing a user from logging on at the command line. For details, see Configuring local user accounts.
1. In the navigation pane, expand System, and click Platform.
   The Configuration screen opens.
2. For the SSH Access setting, check the Enabled box to allow access to the account, or clear the check box to prevent access to the account.
   This setting turns the SSH daemon on (when checked) and off (when cleared).
3. If you enabled SSH Access, for the SSH IP Allow setting, select either * All Addresses or Specify Range, which allows you to specify a range of addresses.
When you configure HTTPD access, you can restrict the IP addresses that are allowed access to the web interface using https. For example, you may want to specify the subnet where the administrators reside so that only authorized users working on that subnet can log on to the WANJet appliance web interface.
1. In the navigation pane, expand System, and click Platform.
   The Configuration screen opens.
2. For the HTTPD IP Allow setting, select either * All Addresses or Specify Range, which allows you to specify a range of addresses.
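As an added example (not the appliance's own code), the module below evaluates the layered access controls that the SSH and HTTPD sections describe: the SSH daemon switch, the SSH IP Allow range, the HTTPD IP Allow range, and the per-account role and Terminal Access. It also reflects the earlier note that a Guest with terminal access reaches the bigpipe shell only. The PlatformAccess and Account classes are constructed stand-ins for the Platform and Users screens, and the assumption that a Specify Range value is written as a CIDR prefix is mine; the chapter does not give the appliance's range syntax.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PlatformAccess:
    # Constructed model of the Platform screen. "*" stands for "* All Addresses";
    # any other value is treated as a CIDR range (an assumption for this example).
    ssh_access: bool = False
    ssh_ip_allow: str = "*"
    httpd_ip_allow: str = "*"


@dataclass
class Account:
    name: str
    role: str                   # "Administrator", "Guest" or "No Access"
    terminal_access: bool = False


def address_allowed(allow: str, client_ip: str) -> bool:
    """True when client_ip falls inside the allow setting."""
    if allow == "*":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(allow, strict=False)


def ssh_login_decision(platform, account, client_ip):
    """Apply the gates on command-line access in order: the SSH daemon,
    the SSH IP Allow range, then the account's role and Terminal Access.
    Returns (allowed, detail)."""
    if not platform.ssh_access:
        return (False, "ssh_daemon_off")
    if not address_allowed(platform.ssh_ip_allow, client_ip):
        return (False, "ip_not_allowed")
    if account.role == "No Access":
        return (False, "no_access_role")
    if not account.terminal_access:
        return (False, "terminal_access_disabled")
    # A Guest reaches the bigpipe shell only; an Administrator gets every command.
    return (True, "bigpipe_shell" if account.role == "Guest" else "full_shell")


def web_login_decision(platform, account, client_ip):
    """HTTPD IP Allow gates the Configuration utility; a No Access account is still refused."""
    if not address_allowed(platform.httpd_ip_allow, client_ip):
        return (False, "ip_not_allowed")
    if account.role == "No Access":
        return (False, "no_access_role")
    return (True, "configuration_utility")
```

Restricting HTTPD IP Allow to the administrators' subnet, as the section suggests, is what makes the second function refuse a management login from anywhere else even when the credentials are correct.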
Rather than store user accounts locally on the WANJet appliance, you can store them on a remote authentication server. In this case, you create all of your standard user accounts (including user names and passwords) on that remote server, using the mechanism supplied by that server's vendor.
Authentication for remote user accounts is based on standard HTTP authentication, that is, user name and password. The exception to this is when the remote server is specifically configured to perform SSL authentication. In this case, authentication is based on SSL certificates.
Once you have created each user account on the remote server, you can then use the WANJet appliance to assign a user role to that account, for the purpose of controlling user access to WANJet appliance resources.
Note: The Configuration utility refers to remote user accounts as external users. An external user is any user account that is stored on a remote authentication server.
You assign a user role to a remote account using the Configuration utility. First, you specify the type of remote authentication server (database) that stores the remote user accounts. Then, you configure each user account to assign a user role to that account. For those remote accounts to which you do not assign a user role, the WANJet appliance assigns a default user role that you define when you identify the remote server type.
The Configuration utility stores all local and remote user-role information in the WANJet appliance's local user account database. When a user whose account information is stored remotely logs in to the WANJet appliance and is granted authentication, the WANJet appliance then checks its local database to determine the user role that you assigned to that user.
Important: Only users with the role of Administrator can manage user roles for remote user accounts.
One of the tasks you perform with the Configuration utility is to specify the type of remote user account server that currently stores your remote user accounts. The available server types that you can specify are Active Directory, LDAP, and RADIUS.
When you specify the type of remote server, you can also configure some server settings. For example, you can specify the user role you would like the WANJet appliance to assign to a remote account if you do not explicitly assign one.
Once you have configured the remote server, if you want any of the remote accounts to have a non-default user role, you can explicitly assign a user role to those accounts. For more information on user roles, see Understanding user roles.
If the remote authentication server is an Active Directory or LDAP server and is set up to authenticate SSL traffic, there is an additional feature that you can enable. You can configure the WANJet appliance to perform the server-side SSL handshake that the remote server would normally perform when authenticating client traffic. In this case, you must take some preliminary steps to prepare for remote authentication using SSL.
a) In the navigation pane, expand System, and click Device Certificates.
   The Device Certificate screen opens.
b) Click Import.
   The SSL Certificate/Key Source screen opens.
c) From the Import Type list, select Certificate.
d) In the Certificate Source area, specify whether you want to Upload File (type the name of the file containing the certificate or browse to it) or Paste Text (paste the text of the certificate in the text box).
e) Click Import.
You can store the certificates in any location on the WANJet appliance.
Note: Configuring remote authentication using the following procedures creates a user account on the WANJet appliance named Other External Users. For more information on this account, see Understanding default remote-account authorization.
To configure remote Active Directory or LDAP authentication for WANJet appliance administrative users
1. In the navigation pane, expand System, and click Users.
   The Users screen opens.
2. On the menu bar, click Authentication.
   The Authentication screen opens.
3. Click Change.
4. From the User Directory list, select Remote - Active Directory or Remote - LDAP.
5. In the Host box, type the IP address of the remote server.
6. For the Port setting, retain the default port number (389) or type a new port number in the box.
   This setting represents the port number that the WANJet appliance uses to access the remote server.
7. In the Remote Directory Tree box, type the file location (tree) of the user authentication database on the Active Directory or LDAP server. At minimum, you must specify a domain component (that is, dc=<value>).
8. For the Scope setting, retain the default value (Sub) or select a new value.
   This setting specifies the level of the remote server database that the WANJet appliance should search for user authentication. For more information on this setting, see the online help.
9. For the Bind setting, specify a user ID login for the remote server:
   a) In the DN box, type the distinguished name for the remote user ID.
   b) In the Password box, type the password for the remote user ID.
   c) In the Confirm box, retype the password that you typed in the Password box.
10. In the User Template box, type the distinguished name of the user logging on to the system.
    You specify the template as a variable that the system replaces with user-specific information during the login attempt. For example, you can specify a user template such as %s@siterequest.com or uid=%s,ou=people,dc=siterequest,dc=com.
11. If you want to enable SSL-based authentication, click the SSL box and if necessary, configure the following settings.
    Important: Be sure to specify the full path name of the storage location on the WANJet appliance. For example, if the certificate is stored in the directory /config/wjconfig/ssl.crt, type the value /config/wjconfig/ssl.crt.
    a) In the SSL CA Certificate box, type the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    b) In the SSL Client Key box, type the name of the client SSL key.
       Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
    c) In the SSL Client Certificate box, type the name of the client SSL certificate.
       Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
12. From the Role list, select a user role that you want the WANJet appliance to assign as the default role for remote user accounts.
    The WANJet appliance assigns this user role to any remote user account to which you do not explicitly assign a role. For more information, see Understanding default remote-account authorization.
13. If you want to enable terminal access for the remote user accounts, use the Terminal Access list to select Enabled.
    If you select Enabled, the WANJet appliance grants terminal access to remote user accounts by default.
14. Click Finished.
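Step 10 substitutes the login name into the User Template (for example uid=%s,ou=people,dc=siterequest,dc=com or %s@siterequest.com) at each login attempt. The Python below is an added example, not the appliance's implementation, showing the check a defender wants on that substitution: when the template is a distinguished name, the login name is escaped per RFC 4514 so that a name containing "," or "=" cannot add or alter RDNs, and when the template is the UPN form, names carrying their own "@" realm or whitespace are refused. The helper names and the constructed sample inputs in the test are mine.

```python
# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it stays a single RDN value in the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing spaces are significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def expand_user_template(template: str, login_name: str) -> str:
    """Replace the %s placeholder with a login name that cannot change the template's shape.

    Raises ValueError when the template or the name is unusable.
    """
    if template.count("%s") != 1:
        raise ValueError("user template must contain exactly one %s")
    if not login_name or any(ord(ch) < 32 for ch in login_name):
        raise ValueError("login name is empty or contains control characters")
    if "=" in template:
        # DN-style template (uid=%s,ou=people,dc=...): escape the value.
        return template.replace("%s", escape_dn_value(login_name))
    # UPN-style template (%s@domain): the name must not carry its own realm.
    if "@" in login_name or any(ch.isspace() for ch in login_name):
        raise ValueError("login name must not contain '@' or whitespace for a UPN template")
    return template.replace("%s", login_name)


def try_expand(template: str, login_name: str):
    """Convenience wrapper returning (ok, value_or_reason) instead of raising."""
    try:
        return (True, expand_user_template(template, login_name))
    except ValueError as exc:
        return (False, str(exc))
```

The bind DN typed in step 9 is a fixed administrative value and needs no such escaping; only the per-login substitution takes attacker-influenced input.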
1. In the navigation pane, expand System, and click Users.
   The Users screen opens.
2. On the menu bar, click Authentication.
   The Authentication screen opens.
3. Click Change.
4. From the User Directory list, select Remote - RADIUS.
5. From the Server Configuration box:
   - If you want to use a secondary RADIUS server in the event that the primary server becomes unavailable, select Primary & Secondary.
     This causes the Secondary setting to appear.
6. For the Primary setting, configure these settings for the primary RADIUS server:
   a) In the Host box, type the IP address of the remote server.
   b) In the Port box, retain the default port number (1812) or type a new port number in the box.
      This setting represents the port number that the WANJet appliance uses to access the remote server.
   c) In the Secret box, type the RADIUS secret.
   d) In the Confirm box, retype the secret that you typed in the Secret box.
      Note that the values of the Secret and Confirm settings must match.
7. If you selected Primary & Secondary from the Server Configuration box, configure the Host, Port, Secret, and Confirm settings for the secondary server, using the instructions in the previous step.
8. From the Role box, select a user role that you want the WANJet appliance to assign as the default role for remote user accounts.
   Once you have used this screen to set up the RADIUS server, the WANJet appliance assigns this user role to any remote user account to which you do not explicitly assign a role. For more information, see Understanding default remote-account authorization.
9. If you want to enable terminal access for the remote RADIUS user accounts, use the Terminal Access box to select Enabled.
   If you select Enabled, the WANJet appliance grants terminal access to remote user accounts by default.
10. Click Finished.
You create WANJet appliance user accounts on your remote server using the mechanism provided by the vendor of your remote server. Then, as described in Specifying a remote user account server, you use the Configuration utility to specify the remote authentication server that stores WANJet appliance user accounts.
Part of specifying the remote authentication server is configuring certain authorization properties for remote accounts. Specifically, you specify a default user role and terminal access for all user accounts to which you have not individually assigned authorization properties. For more information, see Understanding default remote-account authorization, following.
Once you have specified the remote server, including the default authorization properties, you can do the following:
Sometimes, you might have remote user accounts to which you have not explicitly assigned a user role or terminal access. Such accounts appear in the list of user accounts on the User List screen as Other External Users.
So that these accounts still have a user role and terminal access assigned to them, the WANJet appliance automatically assigns default values for these properties, which keeps user authorization valid. By default, the authorization values that the WANJet appliance assigns to remote accounts are the authorization properties that you configured as part of specifying the remote authentication server. Table 6.4 lists these properties and their default values.
You can change the values that the WANJet appliance uses as the default Role and Terminal Access values. (See To change the default remote-account authorization, following.) Then, whenever you create a user account on the remote server and you do not explicitly assign a user role and terminal access to that account, the WANJet appliance automatically assigns the specified default values to the account.
To change the default remote-account authorization properties, you configure the Role and Terminal Access settings on the Authentication screen that you use to specify the type of remote authentication server you are using.
1. In the navigation pane, expand System, and click Users.
   This opens the User List screen, displaying a list of all standard user accounts.
2. On the menu bar, click Authentication.
   This displays the Authentication screen.
3. Click Change.
4. From the User Directory list, select Remote - Active Directory, Remote - LDAP, or Remote - RADIUS.
5. From the Role list, select a default user role.
   The WANJet appliance assigns this user role to any remote account to which you have not explicitly assigned a user role.
6. From the Terminal Access list, select Enabled or Disabled.
7. Click Update.
As stated in the previous section, you do not use the Configuration utility to create remote user accounts for the WANJet appliance. However, if you have the Administrator role assigned to your own user account, you can use the Configuration utility to explicitly assign authorization properties (such as a user role) to existing remote accounts.
Note that the WANJet appliance automatically assigns a default user role to a remote account if you do not explicitly do so. For information on configuring the default user role, see To change the default remote-account authorization, preceding.
Use the following procedure to configure the authorization properties of an existing remote user account, if you have not already done so. (If you have already configured authorization properties of an individual account and want to change them again, see Changing authorization for an individual user account, preceding.)
In this procedure, instead of selecting the account name from a list of user accounts and then modifying its properties, you simulate the creation of a new account, configuring the User Name property with the precise name of the existing account. You then configure the other properties on the Create screen as well. In this way, you actually modify the properties of the existing remote account.
1. In the navigation pane, expand System, and click Users.
   The User List screen opens.
2. In the upper-right corner of the screen, click Create.
   This displays the New User screen.
3. In the User Name box, type the name of the remote user to which you want to assign a user role.
4. For the Role setting, select a user role.
5. From the Terminal Access box, select Enabled or Disabled, to allow or prevent access to the WANJet appliance through the command line interface.
6. Click Finished.
Sometimes you might want to change the user role and terminal access that you previously assigned to a remote account. To do so, you must change the properties of that account by clicking the account name on the User List screen. Only those remote user accounts to which you have explicitly assigned a user role appear in the list of user accounts. For the procedure on changing the authorization properties for this type of account, see To change authorization for an individual user account, following.
Remote user accounts that simply inherit the default user role (configured when you specified the remote authentication server) appear in the list of remote user accounts under the name Other External Users. Consequently, you cannot change the authorization properties for any individual account of this type, that is, any account that has inherited the default authorization properties. For more information on assigning default authorization properties, see Understanding default remote-account authorization.
1. In the navigation pane, expand System, and click Users.
   This opens the User List screen, displaying a list of user accounts to which you explicitly assigned user roles.
2. In the User Name column, click a user name.
   This displays the properties for that user account.
3. From the Role list, select a user role.
4. From the Terminal Access list, select Enabled or Disabled.
5. Click Update.
Using the Configuration utility, you can display a list of those remote user accounts to which you explicitly assigned a non-default user role. If a remote user account has the default role assigned to it, you cannot see that account in the list of remote user accounts.
1. In the navigation pane, expand System, and click Users.
   The User List screen opens, displaying a list of all standard user accounts.
2. On the menu bar, click Authentication.
   The Authentication screen opens.
3. Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
5. View the list of user accounts.
   Remote user accounts that are assigned the default user role appear in the list as Other External Users.

2. In the user account list, find the user account you want to view and click the account name.
   This displays the properties of that user account.
Note: The only properties displayed for a remote user account are the account name, the user role assigned to the account, and the account's terminal access.
When you delete a remote user account on the WANJet appliance, you are not actually deleting the account from the remote server. Instead, you are changing the values of the user's authorization properties back to the default values. For more information on default authorization values, see Understanding default remote-account authorization.
1. In the navigation pane, expand System, and click Users.
   This opens the User List screen, displaying a list of all standard user accounts.
3. Click Delete.
   A confirmation page appears.
4. Click Delete.
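The remote-account sections above describe a split model: the remote server authenticates, and the appliance's local database authorizes, with explicitly assigned accounts listed by name, everyone else collapsed into Other External Users with the default Role and Terminal Access, and "deleting" a remote account merely reverting it to those defaults. The Python below is an added example of that bookkeeping, not the appliance's code; the class and method names are assumptions, and the remote directory is a constructed in-memory stand-in with two made-up accounts.

```python
import hmac
from dataclasses import dataclass, field

OTHER_EXTERNAL_USERS = "Other External Users"


@dataclass(frozen=True)
class Authorization:
    role: str               # "Administrator", "Guest" or "No Access"
    terminal_access: bool


@dataclass
class RemoteAccountAuthz:
    """Local authorization records for accounts that live on a remote server.

    `default` mirrors the Role and Terminal Access settings chosen on the
    Authentication screen; `explicit` holds per-account assignments.
    """
    default: Authorization
    explicit: dict = field(default_factory=dict)

    def assign(self, name, role, terminal_access):
        # Corresponds to creating a "new" user with the remote account's exact name.
        self.explicit[name] = Authorization(role, terminal_access)

    def delete(self, name):
        # Deleting only discards the explicit record: the account still exists on
        # the remote server and simply falls back to the defaults.
        self.explicit.pop(name, None)

    def effective(self, name):
        return self.explicit.get(name, self.default)

    def user_list(self):
        # Only explicitly assigned accounts are listed by name; the rest appear
        # as the single Other External Users entry.
        return sorted(self.explicit) + [OTHER_EXTERNAL_USERS]

    def login(self, name, password, remote_authenticate):
        """Authenticate against the remote server first, then authorize locally.
        Returns the effective Authorization, or None when authentication fails."""
        if not remote_authenticate(name, password):
            return None
        return self.effective(name)


# Constructed stand-in for the remote directory (not a real server).
_FAKE_DIRECTORY = {"alice": "pw-alice", "bob": "pw-bob"}


def fake_remote_authenticate(name, password):
    stored = _FAKE_DIRECTORY.get(name)
    return stored is not None and hmac.compare_digest(stored, password)
```

The practical consequence for an operator is that choosing No Access as the default role on the Authentication screen makes every remote account deny-by-default, so only the names you have explicitly assigned can do anything on the appliance.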