One of the features of the BIG-IP® system is its ability to authenticate local administrative traffic when user accounts are stored on a remote LDAP, RADIUS, or TACACS+ server. In fact, the BIG-IP system allows you to configure the use of not just one, but two remote servers for authenticating local administrative traffic. For most customers, this ability to configure one or two remote authentication servers is more than sufficient. However, there are two potential issues:
To solve these problems, you can create virtual authentication servers. A virtual authentication server is a virtual server that you configure to act as an additional remote LDAP, RADIUS, or TACACS+ server. You can configure as many virtual authentication servers as you need.
The remainder of this chapter describes how to successfully create a multiple authentication server configuration. For example purposes only, the information is written for RADIUS servers, but it applies to LDAP or TACACS+ servers also, except for some minor differences: If your servers are LDAP or TACACS+ servers, any information about RADIUS secrets does not apply. Also, you should replace any mention of a RADIUS configuration object with an LDAP or TACACS+ configuration object. Finally, you can ignore any information that pertains to a RADIUS server object.
To create a multiple RADIUS server configuration, you need to configure a few local-traffic objects. Table 27.1 shows these objects, as well as the Configuration utility screens you use to create these objects. Note that the screens are all available in the Configuration utility from the Main tab, under Local Traffic.
For additional information on using these screens, see the online help.
Figure 27.1 shows relevant sample entries in the bigip.conf file. As seen in Figure 27.1, you configure these BIG-IP system objects:
Once you have added entries to the bigip.conf file that are similar to those in the above example, you can use the virtual server as a virtual remote authentication server.