BIG-IP® Network and System Management Guide

Chapter 5: Managing User Accounts


Introducing user account management

An important part of managing the BIG-IP system is creating and managing user accounts for BIG-IP system administrators. By creating user accounts for system administrators, you provide additional layers of security. User accounts ensure that the system:

  • Verifies the identity of users logging into the system (authentication)
  • Controls user access to system resources (authorization)

To enable user authentication and authorization, you assign passwords and user roles to your user accounts. Passwords allow you to authenticate your users when they attempt to log in to the BIG-IP system. User roles allow you to control user access to BIG-IP system resources.

You can create and store your BIG-IP administrative accounts either locally on the BIG-IP system, or remotely on a separate authentication server. If you want your user accounts to reside locally on the BIG-IP system, you create those user accounts on the BIG-IP system and assign user roles to them. For information on creating and managing local user accounts, see Managing local user accounts.

If you want your user accounts to reside remotely on a separate authentication server, you do not use the BIG-IP system to create the accounts. Instead, you use the mechanism provided by the server vendor, and you use the BIG-IP system strictly to assign user roles to those remote accounts and to maintain those user role assignments over time. The types of servers that you can use to remotely store BIG-IP system user accounts are:

  • Lightweight Directory Access Protocol (LDAP) servers
  • Active Directory servers
  • Remote Authentication Dial-in User Service (RADIUS) servers

For information on managing remote user accounts, see Managing remote user accounts.

Understanding user account types

There are two types of user accounts on the BIG-IP system: system maintenance accounts and standard user accounts.

  • System maintenance accounts
    System maintenance accounts are user accounts that you maintain using the Setup utility. There are two types of system maintenance accounts: the root account and the support account. System maintenance accounts reside locally on the BIG-IP system and grant full access to BIG-IP system resources. You configure and maintain these accounts using the Setup utility and the Configuration utility, respectively.
  • Standard user accounts
    Standard user accounts are user accounts that you create for other BIG-IP system administrators to use. Standard user accounts can reside either locally on the BIG-IP system, or remotely on a remote authentication server. You create and maintain these accounts using the browser-based Configuration utility. Creating standard user accounts allows you to assign various user roles to those accounts as a way to control system administrator access to BIG-IP system resources. A special standard user account is the admin account, which automatically exists on any BIG-IP system. For more information on the admin account, see Configuring the admin account. For more information on user roles, see Understanding user roles.
Note

Excluding the admin account, the entire set of standard user accounts that you create for BIG-IP system administrators must reside either locally on the BIG-IP system, or remotely on another type of authentication server.

You are not required to have any accounts other than the system maintenance accounts (root and support) and the admin user account, but we recommend that you do so, as a way to intelligently control administrator access to system resources.

The tools you use to create and maintain user accounts vary according to the type of account you are managing. Table 5.1 lists the various user accounts for the BIG-IP system and the tools you use to manage them.

Table 5.1 Tools for managing user accounts

  Account Name         Creation/Configuration Tool   Maintenance Tool
  The root account     Setup utility                 Configuration utility (Platform screen)
  The support account  Setup utility                 Configuration utility (Platform screen)
  The admin account    Setup utility                 Configuration utility (Users screen)
  Other user accounts  Configuration utility         Configuration utility (Users screen)

Understanding administrative partitions

When you create configurable objects for the BIG-IP system, you have the option of putting those objects into administrative partitions. An administrative partition is a logical container of BIG-IP system objects such as virtual servers, pools, and monitors. When you first install the BIG-IP system, a default partition already exists named Common.

By putting objects into partitions, you establish a finer granularity of access control. Rather than having control over all resources on the BIG-IP system or no resources whatsoever, users with certain permissions can control resources within a designated partition only. For example, users with the role of Operator can mark nodes up or down, but can only mark those nodes that reside within their designated partition.

User accounts are another type of object that you can put into a partition. You put user accounts into administrative partitions strictly for the purpose of giving other users administrative access to those accounts. For example, you can put user accounts into partition B, and then assign a set of permissions (known as a user role) to user Jane so that she is allowed to modify user accounts in partition B.

Each user account on the BIG-IP system has a property known as Partition Access. The Partition Access property defines the partitions that the user can access. A user account can grant access to either one partition or all partitions. Access to all partitions is known as universal access.

Figure 5.1 shows how partition access can differ for different user accounts on the BIG-IP system.

Figure 5.1 The Partition Access property for user accounts

In this example, the BIG-IP system objects reside in multiple partitions. Note that user accounts are also a type of BIG-IP system object, and as such, reside in a partition named Users. (Although you are not required to group user accounts together in a separate partition, for security purposes we highly recommend that you do so.)

To continue with the example, each user account in partition Users has access to specific, but different, partitions. Note that user accounts sjones, cjohnson, and gnelson can access one partition only, while the tbrown account has universal access.

To summarize, an administrative partition defines a set of objects, including user accounts, that other administrative users can potentially manage. This gives computing organizations greater control over user access to specific objects on the BIG-IP system.

For more information on administrative partitions and how to create them, see Chapter 4, Configuring Administrative Partitions.

Understanding user roles

To use the powerful user-roles feature, you should understand the available user roles and the ways that a user role affects a user's access to objects residing within partitions.

What are user roles?

User roles are a means of controlling user access to BIG-IP system resources. You assign a user role to each administrative user, and in so doing, you grant the user a set of permissions for accessing BIG-IP system resources.

The BIG-IP system offers several different user roles that you can choose from when assigning a role to an administrative user. Valid user roles are: Administrator, Manager, Application Editor, Application Security Policy Editor, Operator, Guest, and No Access.

A user role is a property of a user account. Each user role grants a different set of permissions. More specifically, a user role defines:

  • The resources that a user can manage
    User roles define the types of resources, or objects, that a user can manage. For example, a user with the role of Operator can enable or disable nodes and pool members only. By contrast, a user with the Guest role cannot manage any BIG-IP system resources.
  • The tasks that a user can perform
    For example, a user with the role of Operator can enable or disable nodes and pool members, but cannot create, modify, or delete them. Conversely, a user with the Manager role can perform all tasks related to partitioned objects (except for user accounts), including nodes and pool members.

Table 5.2 lists and describes the various user roles that you can assign to a user account.

Important

A role defines the type of objects that a user can manage, and the tasks that a user can perform on those object types. A role does not define the set of specific, existing objects that the user can access. For information on defining user access to specific objects on the system, see Effect of user roles on objects within partitions.

Table 5.2 The various roles for user accounts

  Administrator
    This role grants users complete access to all objects on the system. In addition, accounts with the Administrator role can perform configuration synchronization on a redundant system.
  Manager
    This role grants users permission to create, modify, and delete virtual servers, pools, pool members, nodes, custom profiles, custom monitors, and iRules™. These users can view all objects on the system and change their own passwords.
  Application Editor
    This role grants users permission to modify nodes, pools, pool members, and monitors. These users can view all objects and change their own passwords.
  Application Security Policy Editor
    This role grants users complete access to Application Security Manager security policy objects. These users can also view all other objects and change their own passwords. With respect to security policy objects, this role is equivalent to the Administrator role. You can assign this role only when the BIG-IP system includes the Application Security Manager component.
  Operator
    This role grants users permission to enable or disable nodes and pool members. These users can view all objects and change their own passwords.
  Guest
    This role grants users permission to view all objects on the system and change their own passwords.
  No Access
    This role prevents users from accessing the system.

Understanding default user roles

The BIG-IP system automatically assigns a user role to an account when you create that account. The user role that the system assigns to a user account by default depends on the type of account:

  • root and admin accounts
    The BIG-IP system automatically assigns the Administrator user role to the system maintenance root account and the admin account. You cannot change this user-role assignment. Thus, any user who successfully logs into the BIG-IP system using the root or admin account has full access to system resources and can perform all administrative tasks.
  • Other user accounts
    The BIG-IP system automatically assigns the No Access user role to all standard user accounts other than the admin account. If the user account you are using has the Administrator role assigned to it, you are allowed to change another account's user role from the default No Access role to any other user role, including Administrator. For remote user accounts, if you know that most of your administrative users need some amount of access to BIG-IP system resources, you can configure the BIG-IP system to use a role other than No Access as the default user role.

Effect of user roles on objects within partitions

A user role defines the access level that a user has for each object in the user's assigned partition. An access level refers to the type of task that a user can perform on an object. Possible access levels are:

  • Write
    Grants full access, that is, the ability to create, modify, enable and disable, and delete an object.
  • Update
    Grants the ability to modify, enable, and disable an object.
  • Enable/disable
    Grants the ability to enable or disable an object.
  • Read
    Grants the ability to view an object.

Table 5.3 shows, for each user role, the specific access level available to the user for each object type. Note that this table applies to objects in the user's assigned partition only.

Table 5.3 Access levels per user role for objects in an assigned partition

  Object Type                             Administrator  Manager  Application Editor  Application Security Policy Editor  Operator        Guest
  Virtual server                          Write          Write    Read                Read                                Read            Read
  Profile                                 Write          Write    Read                Read                                Read            Read
  Pool                                    Write          Write    Update              Read                                Read            Read
  Pool member                             Write          Write    Update              Read                                Enable/Disable  Read
  Node                                    Write          Write    Update              Read                                Enable/Disable  Read
  User account                            Write          Read     Read                Read                                Read            Read
  Monitor                                 Write          Write    Read                Read                                Read            Read
  iRule                                   Write          Write    Read                Read                                Read            Read
  Application Security Management Policy  Write          Write    Read                Write                               Read            Read

If the partition access that you assign to a user is other than partition Common, the user still has some level of access to objects in partition Common. Table 5.4 shows the level of access to Common that each user role provides.

Table 5.4 Access to Common based on user role

  User Role                                                                           Access to Partition Common
  Administrator                                                                       Full access to all objects
  Manager, Application Editor, Application Security Policy Editor, Operator, Guest    Read access to all objects
  No Access                                                                           No access to objects
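The partition and role rules from the preceding sections (administrative partitions, the access-level definitions, and Tables 5.3 and 5.4) combined into one decision function, as an added Python example. This is not F5 code, and the BIG-IP system exposes these rules only through the Configuration utility, not as an API. The names access_level and can_perform, the object-type and role strings, and the constructed accounts in the demo are this example's own; treating All partition access as covering partition Common under Table 5.3, and letting every access level include viewing the object, are assumptions.

```python
"""Model of BIG-IP user-role and partition-access rules (Tables 5.3 and 5.4).

Added example, not F5 code. ROLE_ACCESS transcribes Table 5.3; the rules for
partition Common come from Table 5.4; Administrator accounts always have
universal partition access (Table 5.6). Assumptions: "All" partition access is
evaluated under Table 5.3 for Common too, and every access level includes "view".
"""

ADMIN = "Administrator"
NO_ACCESS = "No Access"
COMMON = "Common"
ALL = "All"

# Role columns of Table 5.3, in table order (No Access has no column: no access at all)
ROLE_COLUMNS = ("Administrator", "Manager", "Application Editor",
                "Application Security Policy Editor", "Operator", "Guest")

# Table 5.3: one row per object type, one access level per role column
_TABLE_5_3 = {
    "Virtual server": ("Write", "Write", "Read", "Read", "Read", "Read"),
    "Profile":        ("Write", "Write", "Read", "Read", "Read", "Read"),
    "Pool":           ("Write", "Write", "Update", "Read", "Read", "Read"),
    "Pool member":    ("Write", "Write", "Update", "Read", "Enable/Disable", "Read"),
    "Node":           ("Write", "Write", "Update", "Read", "Enable/Disable", "Read"),
    "User account":   ("Write", "Read", "Read", "Read", "Read", "Read"),
    "Monitor":        ("Write", "Write", "Read", "Read", "Read", "Read"),
    "iRule":          ("Write", "Write", "Read", "Read", "Read", "Read"),
    "Application Security Management Policy":
                      ("Write", "Write", "Read", "Write", "Read", "Read"),
}
ROLE_ACCESS = {obj: dict(zip(ROLE_COLUMNS, levels)) for obj, levels in _TABLE_5_3.items()}

# Tasks each access level permits, per the access-level definitions in this section
LEVEL_TASKS = {
    "Write": {"create", "modify", "enable", "disable", "delete", "view"},
    "Update": {"modify", "enable", "disable", "view"},
    "Enable/Disable": {"enable", "disable", "view"},
    "Read": {"view"},
}


def access_level(role, partition_access, obj_type, obj_partition):
    """Access level the account gets on one object, or None for no access.

    partition_access is the account's Partition Access property: a partition
    name or "All". Administrator accounts are universal whatever it says.
    """
    if obj_type not in ROLE_ACCESS:
        raise ValueError(f"unknown object type: {obj_type}")
    if role == NO_ACCESS:
        return None
    if role == ADMIN:
        return "Write"                       # full access to every object in every partition
    if role not in ROLE_COLUMNS:
        raise ValueError(f"unknown user role: {role}")
    if partition_access == ALL or obj_partition == partition_access:
        return ROLE_ACCESS[obj_type][role]   # Table 5.3: object in the assigned partition
    if obj_partition == COMMON:
        return "Read"                        # Table 5.4: non-Administrator roles read Common
    return None                              # object in any other partition: no access


def can_perform(role, partition_access, obj_type, obj_partition, task):
    """True if the role may carry out `task` on the given object."""
    level = access_level(role, partition_access, obj_type, obj_partition)
    return level is not None and task in LEVEL_TASKS[level]


if __name__ == "__main__":
    # Constructed accounts echoing Figure 5.1: single-partition users and one universal user
    accounts = [("sjones", "Operator", "A"), ("cjohnson", "Manager", "B"), ("tbrown", "Guest", ALL)]
    for name, role, partition_access in accounts:
        for obj_partition in ("A", "B", COMMON):
            level = access_level(role, partition_access, "Node", obj_partition)
            print(f"{name:9} {role:9} node in {obj_partition:7} -> {level}")
```

The worked case from the partitions section, an Operator who may mark nodes up or down only inside the designated partition, comes out as Enable/Disable for a node in that partition, Read for a node in Common, and no access elsewhere.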

 

Managing local user accounts

Managing local user accounts refers to the tasks of creating, viewing, modifying, and deleting user accounts that reside on the BIG-IP system, using the browser-based Configuration utility.

The Configuration utility stores local user accounts (including user names, passwords, and user roles) in a local user-account database. When a user logs into the BIG-IP system using one of these locally-stored accounts, the BIG-IP system checks the account to determine the user role assigned to that user account.

You assign a user role to an account at the time that you create the account, or by changing the properties of an existing account.

Important

Only users with the role of Administrator can create and manage local user accounts. However, users with any role can change their own passwords.

Configuring the admin account

A user account called admin resides on every BIG-IP system. Although the BIG-IP system creates this account automatically, you must still assign a password to the account before you can use it. To initially set the password for the admin account, you must run the Setup utility. To change its password later, you use the Configuration utility's Users screens.

The admin account resides in the local user account database on the BIG-IP system. By default, the BIG-IP system assigns the Administrator user role, which gives the user of this account full access to all BIG-IP system resources. You cannot change the user role on this account. For details on user roles, see Understanding user roles.

Configuring a secure password policy

The BIG-IP system includes an optional administrative feature: a security policy for creating passwords for local BIG-IP system user accounts. A secure password policy ensures that BIG-IP system users that have local user accounts create and maintain passwords that are as secure as possible.

The secure password policy feature includes two distinct types of password restrictions:

  • Enforcement restrictions
    These are, specifically, character restrictions that you can enable or disable. They consist of the minimum password length and the required character types (numeric, uppercase, lowercase, and other kinds of characters). When enabled, the BIG-IP system enforces restrictions on user accounts with Manager, Application Editor, Application Security Policy Editor, Operator, and Guest user roles, and never enforces restrictions on user accounts that have the Administrator role assigned to them. Consequently, a user with Administrator permissions does not need to adhere to these restrictions when either changing his or her own password, or changing the passwords of other user accounts.
  • Policy restrictions
    These restrictions represent the minimum and maximum lengths of time that passwords can be in effect. Also included in this type of policy restriction are the number of days prior to password expiration that users are warned, and the number of previous passwords that the BIG-IP system should store, to prevent users from re-using former passwords. Policy restrictions apply to all user accounts, regardless of user role assigned to them. These restrictions are always enabled, although using the default values provides a minimal amount of restriction.

The password policy feature affects passwords for local user accounts only. Passwords for remotely-stored user accounts are not subject to this local password policy, but might be subject to a separate password policy defined on the remote system.

Important

You must have the user role of Administrator assigned to your account to configure this feature.

Table 5.5 shows the settings that you can configure, along with their descriptions and default values.

Table 5.5 Configuration settings for a secure password policy

  Secure Password Enforcement (default: Disabled)
    Enables or disables character restrictions, that is, a policy for minimum password length and required characters. When you enable this setting, the Configuration utility displays the Minimum Length and Required Characters settings.
  Minimum Length (default: 6)
    Specifies the minimum number of characters required for a password; the allowed range of values is 6 to 255. This setting appears only when you enable the Secure Password Enforcement setting.
    Important: When enabled, the BIG-IP system enforces this setting on user accounts with the Guest and Operator roles assigned to them; any user account with the Administrator role assigned to it (including the root, support, and admin accounts) is not subject to the restrictions imposed by this setting.
  Required Characters (default: 0)
    Specifies the number of numeric, uppercase, lowercase, and other characters required for a password. The allowed range of values is 0 to 127. This setting appears only when you enable the Secure Password Enforcement setting.
    Important: When enabled, the BIG-IP system enforces this setting on user accounts with the Manager, Application Editor, Application Security Policy Editor, Operator, and Guest roles assigned to them. Any user account with the Administrator role assigned to it (including the root, support, and admin accounts) is not subject to the restrictions imposed by this setting.
  Password Memory (default: 0)
    Specifies, for each user account, the number of former passwords that the BIG-IP system retains to prevent the user from re-using a recent password. The range of allowed values is 0 to 127. This setting applies to all user accounts.
  Minimum Duration (default: 6)
    Specifies the minimum number of days before a user can change a password. The range of allowed values is 6 to 255. This setting applies to all user accounts.
  Maximum Duration (default: 99999)
    Specifies the maximum number of days that a user's password can be valid. The range of allowed values is 1 to 99999. This setting applies to all user accounts.
  Expiration Warning (default: 7)
    Specifies the number of days prior to password expiration that the system sends a warning message to a user. The range of allowed values is 1 to 255. This setting applies to all user accounts.

To configure the password policy feature

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The Users screen opens.
  2. On the menu bar, click Authentication.
    This displays the screen for implementing a password policy.
  3. Under Password Policy, locate the Secure Password Enforcement setting and set it to meet your needs:
    1. If you want to enable character restrictions for Guest and Operator accounts, locate the Secure Password Enforcement setting and select Enabled.
      This displays the Minimum Length and Restrictions settings on the screen. Retain or change the values for these settings.
    2. If you do not want to enable character restrictions for Guest and Operator accounts, leave the Secure Password Enforcement setting set to Disabled.
  4. Retain the default values for all other settings, or change them to suit your needs.
    These settings represent the secure password policy restrictions, which apply to all user accounts, regardless of user role.
  5. Click Finished.
Note

Whenever you change the secure password policy, the new configuration values, such as password expiration, do not apply to passwords that were created prior to the policy change. However, the new policy takes effect the next time that the user changes his or her password.
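The two kinds of restriction described in this section (enforcement restrictions, which skip Administrator accounts, and policy restrictions, which apply to every account), with the settings, ranges and defaults of Table 5.5, as an added Python model. This is not F5 code; the BIG-IP system applies its policy internally and only exposes the settings above. PasswordPolicy, LocalAccount, check_password_change, apply_password_change and password_status are this example's own names. Reading Required Characters as the count required of each character class, counting the current password as part of the remembered history, and keeping that history as salted PBKDF2 verifiers are assumptions of the example.

```python
"""Model of the BIG-IP secure password policy settings from Table 5.5.

Added example, not F5 code. Setting names, ranges and defaults follow
Table 5.5. Assumptions of this example: Required Characters is the count
required of each character class; the remembered history includes the
current password; history entries are salted PBKDF2 verifiers, never plaintext.
"""
import hashlib
import os
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

ADMIN = "Administrator"  # enforcement restrictions are never applied to this role

# Allowed value ranges from Table 5.5
RANGES = {
    "minimum_length": (6, 255),
    "required_characters": (0, 127),
    "password_memory": (0, 127),
    "minimum_duration": (6, 255),
    "maximum_duration": (1, 99999),
    "expiration_warning": (1, 255),
}


@dataclass
class PasswordPolicy:
    secure_password_enforcement: bool = False  # turns the enforcement restrictions on
    minimum_length: int = 6                    # enforcement restriction
    required_characters: int = 0               # enforcement restriction, per character class
    password_memory: int = 0                   # policy restriction: former passwords kept
    minimum_duration: int = 6                  # policy restriction: days before a change
    maximum_duration: int = 99999              # policy restriction: days a password is valid
    expiration_warning: int = 7                # policy restriction: warning days before expiry

    def __post_init__(self):
        for name, (low, high) in RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} is outside the allowed range {low}-{high}")


@dataclass
class LocalAccount:
    name: str
    role: str
    last_change: Optional[date] = None           # None: no password set yet
    history: list = field(default_factory=list)  # (salt, verifier) pairs, newest last


def _verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 verifier for the history check (assumption of this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _enforcement_violations(policy: PasswordPolicy, password: str) -> list:
    """Character restrictions: minimum length and required characters per class."""
    violations = []
    if len(password) < policy.minimum_length:
        violations.append(f"shorter than the minimum length of {policy.minimum_length}")
    classes = {
        "numeric": sum(c.isdigit() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "other": sum(not c.isalnum() for c in password),
    }
    for kind, count in classes.items():
        if count < policy.required_characters:
            violations.append(f"fewer than {policy.required_characters} {kind} characters")
    return violations


def check_password_change(policy, account, new_password, today):
    """Violations a proposed password change would cause (empty list = allowed)."""
    violations = []
    # Enforcement restrictions: only when enabled, and never for Administrator accounts
    if policy.secure_password_enforcement and account.role != ADMIN:
        violations += _enforcement_violations(policy, new_password)
    # Policy restrictions: every account, regardless of role
    if account.last_change is not None:
        age = (today - account.last_change).days
        if age < policy.minimum_duration:
            violations.append(f"changed {age} days ago; minimum duration is {policy.minimum_duration} days")
    remembered = account.history[-policy.password_memory:] if policy.password_memory else []
    if any(_verifier(new_password, salt) == verifier for salt, verifier in remembered):
        violations.append(f"re-uses one of the last {policy.password_memory} passwords")
    return violations


def apply_password_change(policy, account, new_password, today):
    """Record the change if the policy allows it; otherwise return the violations."""
    violations = check_password_change(policy, account, new_password, today)
    if violations:
        return violations
    salt = os.urandom(16)
    entries = account.history + [(salt, _verifier(new_password, salt))]
    account.history = entries[-policy.password_memory:] if policy.password_memory else []
    account.last_change = today
    return []


def password_status(policy, account, today):
    """'valid', 'warning' (inside the expiration-warning window), 'expired' or 'unset'."""
    if account.last_change is None:
        return "unset"
    remaining = policy.maximum_duration - (today - account.last_change).days
    if remaining <= 0:
        return "expired"
    if remaining <= policy.expiration_warning:
        return "warning"
    return "valid"
```

With the defaults of Table 5.5 the model rejects nothing except a change less than six days after the previous one, which matches the text's remark that the default policy restrictions provide only minimal restriction; enabling Secure Password Enforcement and raising Password Memory is what makes the checks bite for non-Administrator accounts.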

Configuring local user accounts

A local user account stored on the BIG-IP system has several properties. Table 5.6 lists and describes these properties, along with their default values.

Table 5.6 Properties of a local BIG-IP system user account

  User Name (no default value)
    Specifies the name of the user account.
  Partition (no default value)
    When viewing the properties of an existing user account, displays the name of the partition in which the user account resides. All partitionable BIG-IP system objects (including user account objects) have the Partition property. Note that you cannot edit the value of this setting.
  Password (no default value)
    Specifies a password that the user will use to log in to the BIG-IP system.
  Role (default: No Access)
    Specifies the user role that you want to assign to the user account. Allowed values are: Administrator, Manager, Application Editor, Application Security Policy Editor, Operator, Guest, and No Access. For more information on these user roles, see Table 5.2.
  Partition Access (default: None)
    Specifies the partition to which the user has access when logged in to the BIG-IP system. If you have permission to do so, you can assign this value to a new user account, or change this value on an existing user account.
    This setting appears only when the user role for the account is not Administrator. (Accounts with the Administrator role always have universal partition access, that is, access to all partitions.)
  Terminal Access (default: Unchecked)
    Allows or prevents access to the BIG-IP system command line interface. When you enable this setting:
    • Users with the Administrator role assigned to their accounts have permission to use all BIG-IP system command line utilities, as well as any operating system commands that do not require root privilege.
    • Users with a non-Administrator role assigned to their accounts, when accessing the BIG-IP system through the console, can use bigpipe shell commands only. The particular bigpipe commands that a non-Administrator user can use are determined by the role assigned to the account.

Depending on the user role assigned to your account (other than the No Access role), you can either create, view, modify, or delete local user accounts. Users with the Administrator user role assigned to their own accounts can perform all of these tasks with respect to user account objects.

Creating local user accounts

When you create a local user account, you must give the account a name and a password. You must also set the user role, either by retaining the default user role or by assigning a new one. The default user role for local, non-system accounts is No Access.

Only users who have been granted the Administrator role can create user accounts. If the user role assigned to your account is Administrator, you can create a user account in any partition on the system.

To create a local user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all local accounts.
  2. Using the Partition list in the upper-right corner of the screen, select the name of the partition in which you want the new user account to reside.
    Important: The partition you select in this step is not the partition to which you want the new user account to have access. You grant partition access to a user by configuring the Partition Access property on the New User screen.
  3. In the upper right corner of the screen, click Create.
    The New User screen opens.
    Note: If the Create button is unavailable, you do not have permission to create a local user account. You must have the Administrator role assigned to your user account.
  4. In the User Name box, type a name for the user account.
  5. For the Password setting, type and confirm a password for the account.
    For more information on user account passwords, see Managing remote user accounts.
  6. To grant an access level other than No Access, use the Role setting and select a user role.
  7. From the Partition Access list, select a partition name or All.
    Note: For user accounts to which you assign the Administrator role, this setting is hidden because the value is automatically set to All. You cannot change the Partition Access setting for a user with the Administrator role.
  8. If you want to allow user access to the command line interface, then from the Terminal Access list, select Enabled.
    Note: Selecting Enabled for users with a role other than Administrator and No Access grants access to the bigpipe shell only. Conversely, users with the Administrator role can access all commands and utilities on the system.
  9. Click Finished.

Viewing local user accounts

Using the Configuration utility, you can easily display a list of existing local user accounts and view the properties of an individual account. Only users who have been granted the Administrator role can view the settings of other user accounts. If the user role assigned to your account is Administrator, you can view any user account on the BIG-IP system, in any partition.

To display a list of local user accounts

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all standard user accounts.
  2. View the list of user accounts.

To view the properties of a local user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all standard user accounts.
  2. In the user-account list, find the user account you want to view and click the account name.
    This displays the properties of that user account.

Modifying local user accounts

You use the Configuration utility to modify the properties of any existing local user account, other than the root account. Only users who have been granted the Administrator role can modify user accounts other than their own.

When you modify user-account properties, you can:

  • Change the password
  • Change the user role
  • Change the partition in which the user can access objects
  • Enable or disable terminal access

Users with a role of Manager, Application Editor, Application Security Policy Editor, Operator, or Guest can modify their own user accounts to change the password. These users cannot modify any other properties of their own user accounts.

To modify properties of a local user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all standard user accounts.
  2. In the user-account list, click a user account name.
    This displays the properties of that account.
  3. Change one or more of these settings:
    • The Password setting
    • The Role setting
    • The Partition Access setting
    • The Terminal Access setting
  4. Click Update.

If you have an Administrator user role, you can also change some properties of the root account. Specifically, you can change the password of the root account, and you can enable or disable access to the BIG-IP system through SSH.

To modify the properties of the root account

  1. On the Main tab of the navigation pane, expand System, and click Platform.
    The General screen opens.
  2. For the Root Account setting, type a new password in the Password box, and re-type the new password in the Confirm box.
  3. If you want to grant SSH access, then for the SSH Access setting, check the Enabled box, and for the SSH IP Allow setting, either:
    • Select * All Addresses.
    • Select Specify Range and type a range of IP addresses.
  4. Click Update.
Important

If you have a redundant system configuration and you change the password on the admin account, you must also change the password on the peer unit, to ensure that synchronization of configuration data operates correctly.

Deleting local user accounts

If the account you are using has an Administrator user role, you can delete other local user accounts. A user with the Administrator role can delete any user account on the BIG-IP system in any partition.

When you delete a local user account, you remove it permanently from the local user-account database on the BIG-IP system.

Note

You cannot delete the admin user account, nor can you delete the user account with which you are logged in.

To delete a local user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all standard user accounts.
  2. In the user-account list, locate the name of the account you want to delete and click the Select box to the left of the account name.
  3. Click the Delete button.
    A confirmation box appears.
  4. Click Delete again.

Managing remote user accounts

Rather than store user accounts locally on the BIG-IP system, you can store them on a remote authentication server. In this case, you create all of your standard user accounts (including user names and passwords) on that remote server, using the mechanism supplied by that server's vendor.

Authentication for remote user accounts is based on standard HTTP authentication, that is, user name and password. The exception to this is when the remote server is specifically configured to perform SSL authentication. In this case, authentication is based on SSL certificates.

Once you have created each user account on the remote server, you can then use the BIG-IP system to assign a user role to that account, for the purpose of controlling user access to BIG-IP system resources.

Note

The Configuration utility refers to remote user accounts as external users. An external user is any user account that is stored on a remote authentication server.

You assign a user role to a remote account using the Configuration utility. First, you specify the type of remote authentication server (database) that stores the remote user accounts. Then, you configure each user account to assign a user role to that account. For those remote accounts to which you do not assign a user role, the BIG-IP system assigns a default user role that you define when you identify the remote server type.

The Configuration utility stores all local and remote user-role information in the BIG-IP system's local user-account database. When a user whose account information is stored remotely logs into the BIG-IP system and is granted authentication, the BIG-IP system then checks its local database to determine the user role that you assigned to that user.

Important

Only users with the role of Administrator can manage user roles for remote user accounts.

Specifying a remote user-account server

One of the tasks you perform with the Configuration utility is to specify the type of remote user-account server that currently stores your remote user accounts. The available server types that you can specify are:

  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-In User Service (RADIUS)

When you specify the type of remote server, you can also configure some server settings. For example, you can specify the user role you would like the BIG-IP system to assign to a remote account if you do not explicitly assign one.

Once you have configured the remote server, if you want any of the remote accounts to have a non-default user role, you can explicitly assign a user role to those accounts. For more information on user roles, see Understanding user roles .

If the remote authentication server is an Active Directory or LDAP server that accepts SSL connections, there is an additional feature that you can enable. You can configure the BIG-IP system to connect to the remote server over SSL. In this case the BIG-IP system acts as the SSL client: it verifies the server's certificate against a CA (or self-signed) certificate that you import, and, if the server requires it, presents a client certificate and key of its own. There are some preliminary steps you must perform to prepare for remote authentication using SSL.

To prepare for SSL-based remote authentication

  1. Convert the Certificate Authority (CA) or self-signed certificates to PEM format.
  2. On the BIG-IP system, import the certificates, using the Configuration utility.
    You can store the certificates in any location on the BIG-IP system. For information on importing certificates, see the Configuration Guide for BIG-IP® Local Traffic Management.

Once you have performed these preliminary SSL tasks, you can enable SSL as part of the procedure described in To configure remote Active Directory or LDAP authentication for BIG-IP system administrative users , following.

If the remote server is a RADIUS server, see To configure remote RADIUS authentication for BIG-IP system administrative users .

Note

Configuring remote authentication using the following procedures creates a user account on the BIG-IP system named Other External Users. For more information on this account, see Understanding default remote-account authorization .

To configure remote Active Directory or LDAP authentication for BIG-IP system administrative users

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The Users screen opens.
  2. On the menu bar, click Authentication.
    The Authentication screen opens.
  3. Click Change.
  4. From the User Directory list, select Remote - Active Directory or Remote - LDAP.
  5. In the Host box, type the IP address of the remote server.
  6. For the Port setting, retain the default port number (389) or type a new port number in the box.
    This setting represents the port number that the BIG-IP system uses to access the remote server. Port 389 is the conventional port for plain LDAP; if you enable SSL in step 11, set this to the port on which the server accepts LDAP over SSL (conventionally 636).
  7. In the Remote Directory Tree box, type the distinguished name of the subtree (the search base) in which the Active Directory or LDAP server stores the user accounts, for example dc=siterequest,dc=com. At minimum, you must specify a domain component (that is, dc=<value>).
  8. For the Scope setting, retain the default value (Sub) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication. For more information on this setting, see the online help.
  9. For the Bind setting, specify the account that the BIG-IP system uses to bind to the remote server when it looks up users:
    1. In the DN box, type the Distinguished Name of that account.
    2. In the Password box, type the password for that account.
    3. In the Confirm box, re-type the password that you typed in the Password box.
    Because the BIG-IP system stores this password in its configuration, use a dedicated, read-only directory account for the bind rather than an administrator's credentials.
  10. In the User Template box, type the template for the name that the BIG-IP system presents to the remote server on behalf of the user who is logging in.
    You specify the template with the variable %s, which the system replaces with the login name during the login attempt. For example, you can specify a user principal name template such as %s@siterequest.com (typical for Active Directory) or a distinguished name template such as uid=%s,ou=people,dc=siterequest,dc=com (typical for LDAP).
  11. If you want to enable SSL-based authentication, click the SSL box and, if necessary, configure the following settings.
    Important: Be sure to specify the full path name of the storage location on the BIG-IP system. For example, if the certificate is stored in the directory /config/bigconfig/ssl.crt, type the value /config/bigconfig/ssl.crt.
    1. In the SSL CA Certificate box, type the name of the PEM-format chain certificate, that is, the third-party CA or self-signed certificate that issued the remote authentication server's certificate. The BIG-IP system uses it to verify the server's certificate.
    2. In the SSL Client Key box, type the name of the client SSL key.
      Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
    3. In the SSL Client Certificate box, type the name of the client SSL certificate.
      Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
  12. From the Role list, select a user role that you want the BIG-IP system to assign as the default role for remote user accounts.
    The BIG-IP system assigns this user role to any remote user account to which you do not explicitly assign a role. For more information, see Understanding default remote-account authorization .
  13. From the Partition Access list, select the partition or partitions to which you want users with remote accounts to have access.
  14. If you want to enable terminal access for the remote user accounts, use the Terminal Access list to select Enabled.
    If you select Enabled, the BIG-IP system grants terminal access to remote user accounts by default.
  15. Click Finished.
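The following is an added example, not code from F5 or from this manual, that models the settings in the procedure above in Python so they can be checked before you click Finished. It expands the User Template for a given login name (escaping the name for a DN per RFC 4514, since the name comes straight from the login prompt), flags the combinations a reviewer would question (no domain component in the Remote Directory Tree, SSL disabled, SSL enabled on the plain-LDAP port, a certificate path that is not a full path), and builds the OpenLDAP ldapsearch command that exercises the same Bind account, base and scope from an administrator's workstation. The host, DNs and file paths are constructed sample values; the port-636 convention is general LDAP practice rather than a BIG-IP requirement; and matching on the uid attribute is an assumption (Active Directory normally matches on sAMAccountName).

```python
import re
from dataclasses import dataclass
from typing import List, Optional


# Constructed settings object mirroring the fields on the Authentication
# screen; the host, DNs and domain used below are made-up sample values.
@dataclass
class LdapAuthSettings:
    host: str
    port: int = 389
    directory_tree: str = ""            # Remote Directory Tree (search base DN)
    scope: str = "sub"                  # base | one | sub
    bind_dn: str = ""                   # Bind DN (read-only service account)
    user_template: str = ""             # "%s" is replaced with the login name
    ssl: bool = False
    ca_certificate: Optional[str] = None        # full path on the BIG-IP system
    client_key: Optional[str] = None
    client_certificate: Optional[str] = None


# RFC 4514 section 2.4: characters that must be backslash-escaped inside a
# DN attribute value, plus a leading '#' or space and a trailing space.
_DN_SPECIAL = set('"+,;<>\\')
_UPN_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def escape_dn_value(value: str) -> str:
    if "\x00" in value:
        raise ValueError("NUL byte in DN value")
    last = len(value) - 1
    return "".join(
        ("\\" + ch) if (ch in _DN_SPECIAL or (i == 0 and ch in "# ")
                        or (i == last and ch == " ")) else ch
        for i, ch in enumerate(value))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "()*\\\x00" else ch for ch in value)


def expand_user_template(template: str, login_name: str) -> str:
    """The identity presented for login_name: a DN for the uid=%s,... form,
    a user principal name for the %s@domain form."""
    if template.count("%s") != 1:
        raise ValueError("User Template must contain exactly one %s")
    if "=" in template:
        return template.replace("%s", escape_dn_value(login_name))
    if not _UPN_NAME.match(login_name):
        raise ValueError(f"login name {login_name!r} is not safe in a UPN template")
    return template.replace("%s", login_name)


def check_settings(cfg: LdapAuthSettings) -> List[str]:
    """Return the problems a reviewer would flag before clicking Finished."""
    problems = []
    if not re.search(r"(?i)(^|,)\s*dc=", cfg.directory_tree):
        problems.append("Remote Directory Tree needs at least one domain component (dc=...)")
    if cfg.scope.lower() not in ("base", "one", "sub"):
        problems.append(f"Scope {cfg.scope!r} is not one of base, one, sub")
    if not cfg.ssl:
        problems.append("SSL disabled: the Bind password and every user's password "
                        "cross the network in clear text")
    else:
        if cfg.port == 389:
            problems.append("SSL enabled on port 389; LDAP over SSL conventionally uses 636")
        if not (cfg.ca_certificate or "").startswith("/"):
            problems.append("SSL CA Certificate must be the full path of the PEM file")
        if bool(cfg.client_key) != bool(cfg.client_certificate):
            problems.append("SSL Client Key and SSL Client Certificate must be set together")
    return problems


def ldapsearch_command(cfg: LdapAuthSettings, login_name: str,
                       login_attr: str = "uid") -> List[str]:
    """An OpenLDAP ldapsearch invocation (-W prompts for the Bind password) that
    exercises the same base, scope and bind account from a workstation.
    login_attr="uid" is an assumption; Active Directory uses sAMAccountName."""
    scheme = "ldaps" if cfg.ssl else "ldap"
    return ["ldapsearch", "-x", "-H", f"{scheme}://{cfg.host}:{cfg.port}",
            "-D", cfg.bind_dn, "-W", "-b", cfg.directory_tree,
            "-s", cfg.scope.lower(),
            f"({login_attr}={escape_filter_value(login_name)})", "dn"]


if __name__ == "__main__":
    cfg = LdapAuthSettings(host="192.0.2.10", directory_tree="dc=siterequest,dc=com",
                           bind_dn="cn=bigip-ro,ou=service,dc=siterequest,dc=com",
                           user_template="uid=%s,ou=people,dc=siterequest,dc=com",
                           ssl=True, ca_certificate="/config/bigconfig/ssl.crt/ca.crt")
    for problem in check_settings(cfg):
        print("WARNING:", problem)
    print(expand_user_template(cfg.user_template, "alice"))
    print(" ".join(ldapsearch_command(cfg, "alice")))
```

Run the generated ldapsearch command with the same Bind DN before you configure the BIG-IP system; exactly one entry returned for a known user confirms that the base, scope and template line up. The model only reflects the screen as described in this chapter; confirm that your BIG-IP version exposes the settings under these names.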

To configure remote RADIUS authentication for BIG-IP system administrative users

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The Users screen opens.
  2. On the menu bar, click Authentication.
    The Authentication screen opens.
  3. Click Change.
  4. From the User Directory list, select Remote - RADIUS.
  5. From the Server Configuration box:
    • If you are planning to use one RADIUS server only, select Primary Only.
    • If you want to use a secondary RADIUS server in the event that the primary server becomes unavailable, select Primary & Secondary.
      This causes the Secondary setting to appear.
  6. For the Primary setting, configure these settings for the primary RADIUS server:
    1. In the Host box, type the IP address of the remote server.
    2. In the Port box, retain the default port number (1812) or type a new port number in the box.
      This setting represents the port number that the BIG-IP system uses to access the remote server.
    3. In the Secret box, type the RADIUS secret.
    4. In the Confirm box, re-type the secret that you typed in the Secret box.
      Note that the values of the Secret and Confirm settings must match.
  7. If you selected Primary & Secondary from the Server Configuration box, configure the Host, Port, Secret, and Confirm settings for the secondary server, using the instructions in the previous step.
  8. From the Role box, select a user role that you want the BIG-IP system to assign as the default role for remote user accounts.
    The BIG-IP system assigns this user role to any remote user account to which you do not explicitly assign a role. For more information, see Understanding default remote-account authorization .
  9. If you want to enable terminal access for the remote RADIUS user accounts, use the Terminal Access box to select Enabled.
    If you select Enabled, the BIG-IP system grants terminal access to remote user accounts by default.
  10. Click Finished.
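What the RADIUS secret in step 6 actually protects is easiest to see on the wire. The following is an added example, not F5 code, of the RFC 2865 exchange between a RADIUS client such as the BIG-IP system and the RADIUS server, with both sides constructed inline: the client hides the password in the User-Password attribute with an MD5 keystream derived from the shared secret and a fresh Request Authenticator, the server recovers it with its own copy of the secret, and the Response Authenticator lets the client detect a reply that was forged or computed with a mismatched secret. It assumes PAP (the User-Password attribute), which is the usual method for administrative logins; the page does not state the method, and the user names, password, NAS identifier and secret are made-up values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _pack_attrs(pairs: List[Tuple[int, bytes]]) -> bytes:
    """Type-Length-Value attributes; Length counts the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    pairs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        pairs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return pairs


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block),
    seeded with the Request Authenticator. This hides the password; it is
    not strong encryption."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_id: str, authenticator: Optional[bytes] = None) -> bytes:
    """What the RADIUS client (the BIG-IP system) sends to UDP port 1812."""
    ra = authenticator or os.urandom(16)          # fresh, unpredictable per request
    attrs = _pack_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, ra)),
                         (ATTR_NAS_IDENTIFIER, nas_id.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def server_respond(request: bytes, secret: bytes, user_db: Dict[str, bytes]) -> bytes:
    """The server side: recover the password with its copy of the secret and
    answer with a Response Authenticator bound to this request."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length > len(request):
        raise ValueError("not a well-formed Access-Request")
    ra = request[4:20]
    attrs = dict(_parse_attrs(request[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    reply = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)     # no attributes in the reply
    return header + hashlib.md5(header + ra + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> Optional[bool]:
    """Client check of the reply. None means the reply is not authentic for
    this request under our secret: forged, replayed, or a secret mismatch."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        return None
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # the Secret box, on both sides
    request = build_access_request(7, secret, "alice", "s3cret!", "bigip-1")
    reply = server_respond(request, secret, {"alice": b"s3cret!"})
    print("accepted:", verify_response(reply, request, secret))
    print("mismatched secret:", verify_response(server_respond(request, b"other", {"alice": b"s3cret!"}), request, secret))
```

Two caveats follow from the code. A Secret that differs between the BIG-IP system and the server does not produce an explicit error: the server recovers garbage and returns Access-Reject, and the client cannot validate the reply either, so check the secret first when every remote login fails. And the password is only XORed against an MD5 stream, so it is obfuscated rather than encrypted; keep the path between the BIG-IP management interface and the RADIUS server on a trusted network segment.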

Configuring authorization for remote accounts

You create BIG-IP system user accounts on your remote server using the mechanism provided by the vendor of your remote server. Then, as described in Specifying a remote user-account server , you use the Configuration utility to specify the remote authentication server that stores BIG-IP system user accounts.

Part of specifying the remote authentication server is configuring certain authorization properties for remote accounts. Specifically, you specify a default user role and terminal access for all user accounts to which you have not individually assigned authorization properties. For more information, see Understanding default remote-account authorization .

Once you have specified the remote server, including the default authorization properties, you can do the following:

  • Assign authorization properties to an individual remote account (see Assigning authorization to an individual user account ).
  • Change the authorization properties of an individual remote account (see Changing authorization for an individual user account ).
  • Grant a remote account access to a partition (see Granting partition access ).
  • View the remote accounts that have non-default authorization (see Viewing remote user accounts ).
  • Reset the authorization properties of an individual remote account to the defaults (see Deleting authorization for an individual user account ).

For descriptions of the user roles that you can assign to accounts, see Understanding user roles .

Understanding default remote-account authorization

Sometimes, you might have remote user accounts to which you have not explicitly assigned a user role, partition access, and terminal access. Such accounts appear in the list of user accounts on the User List screen as Other External Users.

To ensure that these accounts nonetheless have a valid user role, partition access, and terminal access, the BIG-IP system automatically assigns default values for these properties. By default, the authorization values that the BIG-IP system assigns to remote accounts are the authorization properties that you configured as part of specifying the remote authentication server. Table 5.7 lists these properties and their default values.

Table 5.7 Default authorization properties for remote user accounts

  Remote user account property    Default value
  ----------------------------    -------------
  Role                            No Access
  Partition access                Common
  Terminal access                 Disabled


You can change the values that the BIG-IP system uses as the default Role, Partition Access, and Terminal Access values. (See To change the default remote-account authorization , following.) Then, whenever you create a user account on the remote server and you do not explicitly assign a user role, partition access, and terminal access to that account, the BIG-IP system automatically assigns the specified default values to the account. Because the default applies to every account that the remote server can authenticate, a default role other than No Access grants BIG-IP system access to every user in the directory. Keep the default role at No Access unless the directory contains only BIG-IP system administrators, and assign roles to individual accounts instead.

To change the default remote-account authorization properties, you configure the Role, Partition Access, and Terminal Access settings on the Authentication screen that you use to specify the type of remote authentication server you are using.

To change the default remote-account authorization

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all standard user accounts.
  2. On the menu bar, click Authentication.
    This displays the Authentication screen.
  3. Click Change.
  4. From the User Directory list, select Remote - Active Directory, Remote - LDAP, or Remote - RADIUS.
  5. From the Role list, select a default user role.
    The BIG-IP system assigns this user role to any remote account to which you have not explicitly assigned a user role.
  6. From the Partition Access list, select the partition that remote accounts can access by default.
  7. From the Terminal Access list, select Enabled or Disabled.
  8. Click Update.

Assigning authorization to an individual user account

As stated in the previous section, you do not use the Configuration utility to create remote user accounts for the BIG-IP system. However, if you have the Administrator role assigned to your own user account, you can use the Configuration utility to explicitly assign authorization properties (such as a user role) to existing remote accounts.

Note that the BIG-IP system automatically assigns a default user role to a remote account if you do not explicitly do so. For information on configuring the default user role, see To change the default remote-account authorization .

Use the following procedure to configure the authorization properties of an existing remote user account, if you have not already done so. (If you have already configured authorization properties of an individual account and want to change them again, see Changing authorization for an individual user account .)

In this procedure, instead of selecting the account name from a list of user accounts and then modifying its properties, you simulate the creation of a new account, configuring the User Name property with the precise name of the existing account. You then configure the other properties on the Create screen as well. In this way, you actually modify the properties of the existing remote account.

To assign authorization for an individual user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens.
    Note: You do not see the remote user account in the list of user accounts.
  2. In the upper-right corner of the screen, click Create.
    This displays the New User screen.
  3. In the User Name box, type the name of the remote user to which you want to assign a user role.
    Important: This user name must precisely match the user name assigned to the remote user account.
  4. For the Role setting, select a user role.
  5. For the Partition Access setting, select a partition name.
    Note: If you selected Administrator in step 4, this setting is not shown. Users with the Administrator role automatically have access to all partitions on the BIG-IP system. For more information on partition access, see Granting partition access .
  6. From the Terminal Access box, select Enabled or Disabled, to allow or prevent access to the BIG-IP system through the command line interface.
  7. Click Finished.

Changing authorization for an individual user account

Sometimes you might want to change the user role, partition access, and terminal access that you previously assigned to a remote account. To do so, you must change the properties of that account by clicking the account name on the User List screen. Only those remote user accounts to which you have explicitly assigned a user role appear in the list of user accounts. For the procedure on changing the authorization properties for this type of account, see To change authorization for an individual user account , following.

Remote user accounts that simply inherit the default user role (configured when you specified the remote authentication server) appear in the list of remote user accounts under the name Other External Users. Consequently, you cannot change the authorization properties for any individual account of this type, that is, any account that has inherited the default authorization properties. For more information on assigning default authorization properties, see Understanding default remote-account authorization .

To change authorization for an individual user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of user accounts to which you explicitly assigned user roles.
  2. In the User Name column, click a user name.
    This displays the properties for that user account.
  3. From the Role list, select a user role.
  4. From the Partition Access list, select a partition name.
  5. From the Terminal Access list, select Enabled or Disabled.
  6. Click Update.

Granting partition access

The section titled Creating local user accounts describes how to configure the settings of a local user account to grant access to a particular partition. For remote accounts, you can also grant access to a partition.

When you initially configure a remote server for authentication of BIG-IP system users, all remote user accounts have access to the Common partition. If you want a specific remote account to have access to a partition other than Common, you can specify a different partition when you configure the authorization properties for that account. Remote accounts that have the Administrator user role assigned to them automatically have full access to all partitions on the BIG-IP system.

For more information, see Assigning authorization to an individual user account or Changing authorization for an individual user account .

Viewing remote user accounts

Using the Configuration utility, you can display a list of those remote user accounts to which you explicitly assigned a non-default user role. If a remote user account has the default role assigned to it, you cannot see that account in the list of remote user accounts.

Any users who have access to a partition in which remote accounts reside can view a list of remote user accounts.

To display a list of remote user accounts with non-default user roles

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all standard user accounts.
  2. On the menu bar, click Authentication.
    The Authentication screen opens.
  3. Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
  4. On the menu bar, click User List.
  5. View the list of user accounts.
    Remote user accounts that are assigned the default user role appear in the list as Other External Users.

To view the properties of a remote user account

  1. Using the previous procedure, display a list of remote user accounts.
  2. In the user-account list, find the user account you want to view and click the account name.
    This displays the properties of that user account.
    Note: The only properties displayed for a remote user account are the account name, the user role assigned to the account, the account's partition access, and the account's terminal access.

Deleting authorization for an individual user account

When you use the Configuration utility to delete a remote user account, you are not actually deleting the account from the remote server. Instead, you are changing the values of the user's authorization properties back to the default values. For more information on default authorization values, see Understanding default remote-account authorization .

To delete authorization for an individual user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all standard user accounts.
  2. Locate an account name in the list and click the corresponding Select box.
  3. Click Delete.
    A confirmation page appears.
  4. Click Delete.

Note

To delete a remote user account altogether, follow the instructions provided by the server vendor.
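The following is an added Python model, not code from F5 or from this manual, of the authorization lookup described in Understanding default remote-account authorization , Assigning authorization to an individual user account and Deleting authorization for an individual user account : after the remote server has authenticated a user, the explicit entry for that exact name is used if one exists, otherwise the Other External Users defaults apply; Administrator accounts get every partition; deleting an entry only drops the explicit authorization, because the account itself lives on the remote server. The partition names, the Operator and Guest roles used as samples, and the findings() check are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample of the partitions that exist on the system.
ALL_PARTITIONS: FrozenSet[str] = frozenset({"Common", "partition_a", "partition_b"})


@dataclass(frozen=True)
class Authorization:
    role: str
    partitions: FrozenSet[str]
    terminal_access: bool


# The factory defaults from Table 5.7.
FACTORY_DEFAULT = Authorization("No Access", frozenset({"Common"}), False)


class RemoteAccountAuthorizer:
    """Models the lookup the BIG-IP system makes in its local user-account
    database after the remote server has authenticated a user (illustration,
    not F5 code)."""

    def __init__(self, default: Authorization = FACTORY_DEFAULT,
                 all_partitions: FrozenSet[str] = ALL_PARTITIONS):
        self.default = default              # Role/Partition Access/Terminal Access on the Authentication screen
        self.all_partitions = frozenset(all_partitions)
        self.explicit: Dict[str, Authorization] = {}   # entries created on the User List screen

    def assign(self, user: str, role: str, partition: str = "Common",
               terminal_access: bool = False) -> None:
        """The Create screen: the name must match the remote account exactly."""
        if role == "Administrator":
            partitions = self.all_partitions     # Administrators see every partition
        else:
            if partition not in self.all_partitions:
                raise ValueError(f"unknown partition {partition!r}")
            partitions = frozenset({partition})
        self.explicit[user] = Authorization(role, partitions, terminal_access)

    def delete(self, user: str) -> None:
        """Delete on the User List screen: the account still exists on the
        remote server; only the explicit authorization is dropped."""
        self.explicit.pop(user, None)

    def authorize(self, user: str, remote_auth_ok: bool) -> Optional[Authorization]:
        """None if the remote server rejected the login; otherwise the explicit
        entry, falling back to the Other External Users defaults."""
        if not remote_auth_ok:
            return None
        return self.explicit.get(user, self.default)

    def user_list(self) -> List[str]:
        """Names shown on the User List screen."""
        return sorted(self.explicit) + ["Other External Users"]

    def findings(self) -> List[str]:
        """Defaults that hand access to every account the directory can
        authenticate, which is rarely what is intended."""
        out = []
        if self.default.role != "No Access":
            out.append(f"default role is {self.default.role!r}: every directory user can log in")
        if self.default.terminal_access:
            out.append("default terminal access is Enabled for every directory user")
        return out


if __name__ == "__main__":
    auth = RemoteAccountAuthorizer()
    auth.assign("alice", "Operator", "partition_a", terminal_access=True)
    auth.assign("carol", "Administrator")
    print("alice:", auth.authorize("alice", True))
    print("bob (no explicit entry):", auth.authorize("bob", True))
    auth.delete("alice")
    print("alice after delete:", auth.authorize("alice", True))
    print("User List:", auth.user_list())
    loose = RemoteAccountAuthorizer(default=Authorization("Guest", frozenset({"Common"}), True))
    print("findings:", loose.findings())
```

The findings() check is the one worth running against a real configuration: with a default role of Guest and terminal access Enabled, every account the directory can authenticate gets a shell on the BIG-IP system, not just the administrators you had in mind.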


