Manual Chapter: BIG-IP Local Traffic Manager version 9.3 Implementations: Configuring Remote Authentication for Management Traffic


22 Configuring Remote Authentication for Management Traffic


Introducing remote authentication for BIG-IP system management traffic

As an administrator in a large computing environment, you might prefer to store user accounts remotely, on a dedicated authentication server. Using a remote authentication server, the BIG-IP® system can authenticate two types of network traffic:

  • Application traffic that is slated for load balancing
    This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. To configure remote authentication for this type of traffic, see Chapter 23, Configuring Remote Authentication for Application Traffic, and the Configuration Guide for BIG-IP® Local Traffic Management.
  • Management traffic for administering the BIG-IP system
    This type of traffic does not pass through a virtual server, and instead passes through the management interface (MGMT). You configure remote authentication for this type of traffic when you create your administrative user accounts, storing them on a remote authentication server. Administrative user accounts are accounts that you create for the system and network administrators who manage the BIG-IP system. For more information, see the remainder of this chapter and also the BIG-IP® Network and System Management Guide.

When you want to use a remote server to authenticate traffic that manages the BIG-IP system, you can store BIG-IP system administrative accounts on one of three authentication server types:

  • A Lightweight Directory Access Protocol (LDAP) server
  • A Microsoft® Windows® Active Directory™ server
  • A Remote Authentication Dial-in User Service (RADIUS) server

By default, the BIG-IP system uses basic HTTP authentication (using a user name and password) when remotely authenticating management traffic.

The procedure you use to set up remote authentication of management traffic depends on which type of remote server you are using to store the user accounts.

Configuring LDAP- or Active Directory-based authentication

You can configure the BIG-IP system to use an LDAP or Microsoft Windows Active Directory server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT). By default, user credentials are based on basic HTTP authentication (that is, user name and password).

If the remote authentication server is set up to authenticate SSL traffic, there is an additional feature that you can enable. You can configure the BIG-IP system to perform the server-side SSL handshake that the remote server would normally perform when authenticating client traffic. In this case, there are some preliminary steps you must perform to prepare for remote authentication using SSL.

To prepare for SSL-based remote authentication

  1. Convert the Certificate Authority (CA) or self-signed certificates to PEM format.
  2. On the BIG-IP system, import the certificates, using the Configuration utility.
    You can store the certificates in any location on the BIG-IP system. For information on importing certificates, see the BIG-IP® Network and System Management Guide.

Once you have performed these preliminary SSL tasks, you can enable SSL as part of the procedure described in To configure remote LDAP- or Active Directory-based authentication, following.

To configure remote LDAP- or Active Directory-based authentication

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The Users screen opens.
  2. On the menu bar, click Authentication Source.
    The Authentication Source screen opens.
  3. Click Change.
  4. From the User Directory list, select Remote - Active Directory or Remote - LDAP.
  5. In the Host box, type the IP address of the remote server.
  6. For the Port setting, retain the default port number (389) or type a new port number in the box.
    This setting represents the port number that the BIG-IP system uses to access the remote server.
  7. In the Remote Directory Tree box, type the file location (tree) of the user authentication database on the LDAP or Active Directory server. At minimum, you must specify a domain component (that is, dc=<value>).
  8. For the Scope setting, retain the default value (Sub) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication. For more information on this setting, see the online help.
  9. For the Bind setting, specify a user ID login for the remote server:
    1. In the DN box, type the Distinguished Name for the remote user ID.
    2. In the Password box, type the password for the remote user ID.
    3. In the Confirm box, re-type the password that you typed in the Password box.
  10. If you want to enable SSL-based authentication, click the SSL box and, if necessary, configure the following settings.
    Important: Be sure to specify the full path name of the storage location on the BIG-IP system. For example, if the certificate is stored in the directory /config/bigconfig/ssl.crt, type the value /config/bigconfig/ssl.crt.
    1. In the SSL CA Certificate box, type the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. In the SSL Client Key box, type the name of the client SSL key.
      Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
    3. In the SSL Client Certificate box, type the name of the client SSL certificate.
      Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
  11. Click Finished.
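The two procedures above (preparing PEM certificates and filling in the LDAP or Active Directory authentication source) are easy to get subtly wrong: a directory tree without a dc= component, a certificate name given as a bare file name instead of the full path, or a client key without its certificate. The following is an added example, not BIG-IP code and not an F5 API: it models the form fields under assumed names, checks them against exactly the requirements the steps state, and verifies that a certificate file is actually PEM-armoured before it is imported. The sample values are constructed (only the /config/bigconfig/ssl.crt directory comes from the page).

```python
"""Pre-flight checks for the LDAP / Active Directory authentication-source
settings described in this chapter. Added example, not BIG-IP code and not an
F5 API: the field names below are assumed to mirror the Configuration utility
form, and the checks encode only what the procedure itself requires."""
import base64
import re
from dataclasses import dataclass


@dataclass
class LdapAuthSource:
    host: str
    port: int = 389                     # default shown for the Port setting
    remote_directory_tree: str = ""     # must contain at least dc=<value>
    scope: str = "Sub"                  # default shown for the Scope setting
    bind_dn: str = ""
    bind_password: str = ""
    ssl: bool = False
    ssl_ca_certificate: str = ""        # full path on the BIG-IP system
    ssl_client_key: str = ""            # only when the server requires a client cert
    ssl_client_certificate: str = ""


RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def parse_dn(dn: str):
    """Split an LDAP DN into (attribute, value) pairs.
    Escaped commas (\\,) inside values are not handled by this simple splitter."""
    pairs = []
    for rdn in dn.split(","):
        m = RDN.match(rdn)
        if not m:
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def looks_like_pem_certificate(text: str) -> bool:
    """True when text holds a PEM-armoured X.509 certificate whose body
    base64-decodes to DER starting with a SEQUENCE tag (0x30)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def check_auth_source(cfg: LdapAuthSource) -> list:
    """Return a list of findings; an empty list means the settings are consistent
    with the procedure. Entries starting with 'warning:' are advisory."""
    findings = []
    if not cfg.host:
        findings.append("Host is empty")
    if not 1 <= cfg.port <= 65535:
        findings.append(f"Port {cfg.port} is not a valid TCP port")
    if cfg.scope.lower() not in ("base", "one", "sub"):   # the standard LDAP search scopes
        findings.append(f"Scope {cfg.scope!r} is not an LDAP search scope")
    try:
        tree = parse_dn(cfg.remote_directory_tree)
    except ValueError as exc:
        findings.append(f"Remote Directory Tree: {exc}")
    else:
        if not any(attr == "dc" for attr, _ in tree):
            findings.append("Remote Directory Tree needs a domain component (dc=<value>)")
    if not (cfg.bind_dn and cfg.bind_password):
        findings.append("Bind DN and Password are both required")
    if cfg.ssl:
        if not cfg.ssl_ca_certificate.startswith("/"):
            findings.append("SSL CA Certificate must be the full path on the BIG-IP system")
        if bool(cfg.ssl_client_key) != bool(cfg.ssl_client_certificate):
            findings.append("SSL Client Key and SSL Client Certificate must be given together")
    else:
        findings.append("warning: SSL is off, so the bind password and user credentials "
                        "travel to the directory server unencrypted")
    return findings


# Constructed sample values (only the /config/bigconfig/ssl.crt directory is from the page).
GOOD = LdapAuthSource(host="192.0.2.10", remote_directory_tree="dc=example,dc=com",
                      bind_dn="cn=bigip-bind,ou=service,dc=example,dc=com",
                      bind_password="constructed-secret", ssl=True,
                      ssl_ca_certificate="/config/bigconfig/ssl.crt/ca.crt")
BAD = LdapAuthSource(host="192.0.2.10", remote_directory_tree="ou=people", ssl=True,
                     ssl_ca_certificate="ca.crt",
                     ssl_client_key="/config/bigconfig/ssl.key/client.key")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"\x30\x03\x02\x01\x01").decode()   # toy DER body
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_auth_source(cfg) or "ok")
    print("sample PEM parses:", looks_like_pem_certificate(SAMPLE_PEM))
```

Run it before walking through the Configuration utility steps: the "bad" sample reports the four mistakes named in the lead-in, and the "good" sample reports none.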

Configuring RADIUS-based authentication

You can configure the BIG-IP system to use a RADIUS server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT). By default, user credentials are based on basic HTTP authentication (that is, user name and password).

To configure remote RADIUS-based authentication

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The Users screen opens.
  2. On the menu bar, click Authentication Source.
    The Authentication Source screen opens.
  3. Click Change.
  4. From the User Directory list, select Remote - RADIUS.
  5. For the Primary setting, configure these settings:
    1. In the Host box, type the IP address of the remote server.
    2. In the Port box, retain the default port number (1812) or type a new port number in the box.
      This setting represents the port number that the BIG-IP system uses to access the remote server.
    3. In the Secret box, type the RADIUS secret.
    4. In the Confirm box, re-type the secret that you typed in the Secret box.
      Note that the values of the Secret and Confirm settings must match.
  6. If you want to configure a secondary RADIUS server in the event that the primary server becomes unavailable, locate the Secondary setting and check the Configure Secondary Host box.
    This causes additional settings to appear.
  7. Configure the remaining settings for the secondary server, using the instructions for the primary server in step 5.
  8. Click Finished.
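The Secret typed in step 5 is the only thing that ties the BIG-IP system to its RADIUS server: it hides the User-Password attribute in the Access-Request and it keys the Response Authenticator that lets the BIG-IP system decide whether an Access-Accept is genuine. The following is an added example, not F5 or BIG-IP code: it builds the RFC 2865 exchange from its primitives with both sides simulated in-process (nothing is sent on the network), so the effect of a matching versus a mismatched secret is visible. User names, passwords and the secret are constructed sample values.

```python
"""RADIUS Access-Request / Access-Accept round trip built from RFC 2865
primitives, with both sides simulated in-process. Added example, not F5 or
BIG-IP code: it shows what the shared Secret protects (User-Password hiding
and the Response Authenticator) and why a mismatched secret fails closed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type (1 byte), Length including the 2-byte header, Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + 16 + len(body)) + authenticator + body


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + 16 + len(attrs_bytes)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs_bytes + secret).digest()


def client_request(ident, username, password, secret):
    """BIG-IP side: Access-Request with a fresh random Request Authenticator."""
    ra = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, secret, ra))]
    return packet(ACCESS_REQUEST, ident, ra, attrs), ra


def server_reply(request, secret, users):
    """Simulated RADIUS server: recover the password with its own copy of the
    secret, check it against the user database, and sign the reply."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    ra = request[4:20]
    attrs = decode_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME)
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    ok = user in users and hmac.compare_digest(users[user], given)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(reply_code, ident, response_authenticator(reply_code, ident, b"", ra, secret), [])


def client_verify(reply, request_auth, ident, secret):
    """BIG-IP side: keep the reply only if its Response Authenticator was computed
    with the same secret; return the reply code, or None to discard the packet."""
    code, rid, length = HEADER.unpack(reply[:4])
    if rid != ident or length != len(reply):
        return None
    expected = response_authenticator(code, rid, reply[20:], request_auth, secret)
    return code if hmac.compare_digest(reply[4:20], expected) else None


def authenticate(username, password, client_secret, server_secret, users, ident=7):
    """One round trip; returns ACCESS_ACCEPT, ACCESS_REJECT, or None (reply discarded)."""
    request, ra = client_request(ident, username, password, client_secret)
    return client_verify(server_reply(request, server_secret, users), ra, ident, client_secret)


# Constructed sample data; SECRET stands in for the value typed in the Secret box.
USERS = {b"netadmin": b"constructed-password"}
SECRET = b"constructed-radius-secret"

if __name__ == "__main__":
    print("good credentials:", authenticate(b"netadmin", b"constructed-password", SECRET, SECRET, USERS))
    print("bad password:   ", authenticate(b"netadmin", b"wrong", SECRET, SECRET, USERS))
    print("secret mismatch:", authenticate(b"netadmin", b"constructed-password", SECRET, b"other", USERS))
```

The third case is the one to watch for when the Secret and Confirm boxes are filled in inconsistently between the BIG-IP system and the server (or between the primary and secondary servers): the server cannot recover the password and rejects, and the BIG-IP side cannot even trust the rejection, so every login fails with no useful distinction from a wrong password.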
