An important part of managing the BIG-IP system is creating and managing user accounts for BIG-IP system administrators. By creating user accounts for system administrators, you provide additional layers of security. User accounts ensure that the system:
To enable user authentication and authorization, you assign passwords and user roles to your user accounts. Passwords allow you to authenticate your users when they attempt to log in to the BIG-IP system. User roles allow you to control user access to BIG-IP system resources.
You can create and store BIG-IP administrative accounts either locally on the BIG-IP system, or remotely on a separate authentication server. If you want your user accounts to reside locally on the BIG-IP system, you create those user accounts on the BIG-IP system and assign user roles to them.
If you want your user accounts to reside remotely on a separate authentication server, you do not use the BIG-IP system to create the accounts. Instead, you use the mechanism provided by the server vendor, and you use the BIG-IP system strictly to assign user roles to those remote accounts and to maintain those user role assignments over time. The types of servers that you can use to remotely store BIG-IP system user accounts are:
There are two types of user accounts on the BIG-IP system: The system maintenance account and a set of standard user accounts.
You are not required to have any user accounts other than the root and admin accounts, but F5 Networks recommends that you create other user accounts, as a way to intelligently control administrator access to system resources.
When you create configurable objects for the BIG-IP system, you have the option of putting those objects into administrative partitions. An administrative partition is a logical container of BIG-IP system objects such as virtual servers, pools, and monitors. When you first install the BIG-IP system, a default partition already exists named Common.
By putting objects into partitions, you establish a finer granularity of access control. Rather than having control over all resources on the BIG-IP system or no resources whatsoever, users with certain permissions can control resources within a designated partition only. For example, users with the role of Operator can mark nodes up or down, but can only mark those nodes that reside within their designated partition.
User accounts are another type of object that you can put into a partition. You put user accounts into administrative partitions strictly for the purpose of giving other users administrative access to those accounts. For example, you can put user accounts into partition B, and then assign a set of permissions (known as a user role) to user Jane so that she is allowed to modify user accounts in partition B.
Each user account on the BIG-IP system has a property known as Partition Access. The Partition Access property defines the partitions that the user can access. A user account can have access to either one partition or all partitions. Access to all partitions is known as universal access.
This figure shows how partition access can differ for different user accounts on the BIG-IP system.
In this example, the BIG-IP system objects reside in multiple partitions. Note that user accounts are also a type of BIG-IP system object, and as such, reside in a partition named Users. (Although you are not required to group user accounts together in a separate partition, for security purposes F5 Networks highly recommends that you do so.)
To continue with the example, each user account in partition Users has access to specific, but different, partitions. Note that user accounts sjones, cjohnson, and gnelson can access one partition only, while the tbrown account has universal access.
To summarize, an administrative partition defines a set of objects, including user accounts, that other administrative users can potentially manage. This gives computing organizations greater control over user access to specific objects on the BIG-IP system.
User roles are a means of controlling user access to BIG-IP system resources. You assign a user role to each administrative user, and in so doing, you grant the user a set of permissions for accessing BIG-IP system resources.
The BIG-IP system offers several different user roles that you can choose from when assigning a role to an administrative user. A user role is a property of a user account. Each user role grants a different set of permissions. More specifically, a user role defines:
This table lists and describes the various user roles that you can assign to a user account.
| Role | Description |
|---|---|
| Administrator | This role grants users complete access to all partitioned and non-partitioned objects on the system. In addition, accounts with the Administrator role can change their own passwords. |
| Resource Administrator | This role grants users complete access to all partitioned and non-partitioned objects on the system, except user account objects. In addition, accounts with the Resource Administrator role can change their own passwords. |
| User Manager | Users with the User Manager role that have access to all partitions can create, modify, delete, and view all user accounts except those that are assigned the Administrator role, or the User Manager role with different partition access. Accounts with the User Manager role that have access to all partitions can also change their Users with the User Manager role that have access only to a single partition can create, modify, delete, and view only those user accounts that are in that partition and that have access to that partition only. For example, if your user account has a User Manager role and has access to Partition A only, then you can manage only those user accounts that both reside in and have access to Partition A only. User accounts with the User Manager role can change their own passwords. |
| Manager | This role grants users permission to create, modify, and delete virtual servers, pools, pool members, nodes, custom profiles, custom monitors, and iRules®. These users can view all objects on the system and change their own passwords. |
| Certificate Manager | This role grants users permission to manage device certificates and keys, as well as perform Federal Information Processing Standard (FIPS) operations. |
| iRule Manager | This role grants users permission to create, modify, and delete iRules. Users with this role cannot affect the way that an iRule is deployed. For example, a user with this role can create an iRule but cannot assign it to a virtual server or move the iRule from one virtual server to another. A user with this role can be assigned universal access to administrative partitions. |
| Application Editor | This role grants users permission to modify nodes, pools, pool members, and monitors. These users can view all objects on the system and change their own passwords. |
| Acceleration Policy Editor | This role allows users to view, create, modify, and delete all WebAccelerator™ policy objects in all administrative partitions. Users can also view, create, update, and delete Web Acceleration profiles. |
| Application Security Administrator | This role grants a user access to all Application Security Manager security policy objects on the BIG-IP system. These users have read-only permission for these profile types: HTTP, FTP, and SMTP. These users have no access to other LTM objects, nor to any TMOS objects. They can, however, change their own passwords. With respect to security policy objects, this role is similar to the Administrator role. You can assign this role only when the BIG-IP system includes the BIG-IP Application Security Manager component. |
| Web Application Security Editor | This role allows a user to configure or view most parts of the Application Security Manager component, in a specified administrative partition only. Specifically, these users have limited access to LTM objects, namely read-only permission for these profile types: HTTP, FTP, and SMTP. These users have no access to other LTM objects, nor to any TMOS objects. They can, however, change their own passwords. You can assign this role only when the BIG-IP system includes the Application Security Manager component. |
| Operator | This role grants users permission to enable or disable nodes and pool members. These users can view all objects and change their own passwords. |
| Auditor | This role grants users permission to view all configuration data on the system, including logs and archives. Users with this role cannot create, modify, or delete any data, nor can they view SSL keys or user passwords. |
| Guest | This role grants users permission to view all objects on the system except for sensitive data such as logs and archives. Users with this role can change their own passwords. |
| No Access | This role prevents users from accessing the system. |
The BIG-IP system automatically assigns a user role to an account when you create that account. The user role that the system assigns to a user account by default depends on the type of account:
A user role defines the access level that a user has for each object in the user’s assigned partition. An access level refers to the type of task that a user can perform on an object. Possible access levels are:
Managing local user accounts refers to the tasks of creating, viewing, modifying, and deleting user accounts that reside on the BIG-IP system, using the browser-based Configuration utility.
The Configuration utility stores local user accounts (including user names, passwords, and user roles) in a local user-account database. When a user logs in to the BIG-IP system using one of these locally-stored accounts, the BIG-IP system checks the account to determine the user role assigned to that user account.
A user account called admin resides on every BIG-IP system. Although the BIG-IP system creates this account automatically, you must still assign a password to the account before you can use it. To initially set the password for the admin account, you must run the Setup utility. To change its password later, you use the Configuration utility’s Users screens.
The admin account resides in the local user account database on the BIG-IP system. By default, the BIG-IP system assigns the Administrator user role, which gives the user of this account full access to all BIG-IP system resources. You cannot change the user role on this account.
The BIG-IP system includes an optional administrative feature: a security policy for creating passwords for local BIG-IP system user accounts. A secure password policy ensures that BIG-IP system users who have local user accounts create and maintain passwords that are as secure as possible.
The secure password policy feature includes two distinct types of password restrictions:
The password policy feature affects passwords for local user accounts only. Passwords for remotely-stored user accounts are not subject to this local password policy, but might be subject to a separate password policy defined on the remote system.
This table lists and describes the settings for a password policy.
| Setting | Description | Default |
|---|---|---|
| Secure Password Enforcement | Enables or disables character restrictions, that is, a policy for minimum password length and required characters. When you enable this setting, the Configuration utility displays the Minimum Length and Required Characters settings. | Disabled |
| Minimum Length | Specifies the minimum number of characters required for a password; the allowed range of values is 6 to 255. This setting appears only when you enable the Secure Password Important: Any user account with the Administrator role assigned to it (including the root and admin accounts) is not subject to the restrictions imposed by this setting. | |
| Required Characters | Specifies the number of numeric, uppercase, lowercase, and other characters required for a password. The allowed range of values is 0 to 127. This setting appears only when you enable the Secure Password Enforcement setting. Important: Any user account with the Administrator role assigned to it (including the root and admin accounts) is not subject to the restrictions imposed by this setting. | |
| Password Memory | Specifies, for each user account, the number of former passwords that the BIG-IP system retains to prevent the user from re-using a recent password. The range of allowed values is 0 to 127. | 0 |
| Minimum Duration | Specifies the minimum number of days before a user can change a password. The range of allowed values is 0 to 255. | 0 |
| Maximum Duration | Specifies the maximum number of days that a user's password can be valid. The range of allowed values is 1 to 99999. This setting applies to all user accounts. | 99999 |
| Expiration Warning | Specifies the number of days prior to password expiration that the system sends a warning message to a user. The range of allowed values is 1 to 255. This setting applies to all user accounts. | 7 |
| Maximum Login Failures | Denies access to a user after the specified number of failed authentication attempts. The administrator can then reset the lock to re-enable access for the user. | 0 |
You can deny access to a user after a specified number of failed authentication attempts. You can then reset the lock to re-enable access for the user.
To set the maximum number of failures before user lockout, use the BIG-IP Configuration utility to locate the Users screen, and then navigate to the Authentication screen. You can then specify a value for the Maximum Login Failures setting.
If a user becomes locked out, you can use the Unlock button on the User List screen to unlock the user.
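The interaction between the password-policy settings in the table above is easier to see in code. The following Python is an added example, not part of the F5 documentation and not BIG-IP code: it models the documented rules (Minimum Length and Required Characters apply only while Secure Password Enforcement is enabled and never to Administrator accounts, while Password Memory, Minimum Duration, Maximum Duration and Expiration Warning apply as described) and walks constructed accounts through them. The page gives no default for Minimum Length, so the example assumes the lower bound of the documented range (6).

```python
# Password-policy checks modelled on the settings table above. Added example, not
# BIG-IP code. The page gives no default for Minimum Length, so the lower bound of
# its documented range (6) is assumed here.
from dataclasses import dataclass, field
from datetime import date, timedelta
from hashlib import sha256


@dataclass
class PasswordPolicy:
    enforcement_enabled: bool = False  # Secure Password Enforcement (default Disabled)
    minimum_length: int = 6            # 6..255; default assumed, see header comment
    required_numeric: int = 0          # Required Characters, each count 0..127
    required_uppercase: int = 0
    required_lowercase: int = 0
    required_other: int = 0
    password_memory: int = 0           # 0..127 former passwords retained
    minimum_duration: int = 0          # 0..255 days before the next change
    maximum_duration: int = 99999      # 1..99999 days a password stays valid
    expiration_warning: int = 7        # 1..255 days of warning before expiry


@dataclass
class Account:
    name: str
    role: str
    password_changed: date
    history: list = field(default_factory=list)  # SHA-256 digests, newest first


def character_violations(policy, account, password):
    """Minimum Length and Required Characters: skipped when enforcement is off
    and, per the table's notes, for Administrator accounts (root and admin too)."""
    if not policy.enforcement_enabled or account.role == "Administrator":
        return []
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than Minimum Length {policy.minimum_length}")
    checks = [("numeric", str.isdigit, policy.required_numeric),
              ("uppercase", str.isupper, policy.required_uppercase),
              ("lowercase", str.islower, policy.required_lowercase),
              ("other", lambda c: not c.isalnum(), policy.required_other)]
    for kind, test, need in checks:
        if sum(map(test, password)) < need:
            problems.append(f"needs at least {need} {kind} character(s)")
    return problems


def change_violations(policy, account, new_password, today):
    """Every reason a change to new_password would be refused on `today`."""
    problems = character_violations(policy, account, new_password)
    # Password Memory: only the retained digests block re-use (0 retains none).
    if sha256(new_password.encode()).hexdigest() in account.history[:policy.password_memory]:
        problems.append("re-uses one of the retained former passwords")
    age = (today - account.password_changed).days
    if age < policy.minimum_duration:
        problems.append(f"changed {age} day(s) ago, Minimum Duration is {policy.minimum_duration}")
    return problems


def expiry_status(policy, account, today):
    """'expired', 'warning' or 'ok'; these two settings apply to every account."""
    days_left = policy.maximum_duration - (today - account.password_changed).days
    if days_left <= 0:
        return "expired"
    return "warning" if days_left <= policy.expiration_warning else "ok"


def apply_change(policy, account, new_password, today):
    """Apply the change when allowed; returns the violations (empty on success)."""
    problems = change_violations(policy, account, new_password, today)
    if not problems:
        account.history.insert(0, sha256(new_password.encode()).hexdigest())
        del account.history[policy.password_memory:]  # forget beyond Password Memory
        account.password_changed = today
    return problems


def demo():
    """Constructed Operator and Administrator accounts under one strict policy."""
    policy = PasswordPolicy(enforcement_enabled=True, minimum_length=8, required_numeric=1,
                            required_uppercase=1, password_memory=1, minimum_duration=1,
                            maximum_duration=90, expiration_warning=7)
    day0 = date(2024, 6, 1)
    op = Account("sjones", "Operator", date(2024, 3, 1))        # 92 days old: expired
    adm = Account("admin", "Administrator", date(2024, 5, 30))  # exempt from character rules
    return {
        "op_expiry": expiry_status(policy, op, day0),
        "op_weak": character_violations(policy, op, "short"),
        "admin_weak": character_violations(policy, adm, "short"),
        "first": apply_change(policy, op, "Str0ngPass!", day0),
        "too_soon": apply_change(policy, op, "An0therOne", day0),
        "reuse": apply_change(policy, op, "Str0ngPass!", day0 + timedelta(days=2)),
        "second": apply_change(policy, op, "An0therOne", day0 + timedelta(days=2)),
        "forgotten": apply_change(policy, op, "Str0ngPass!", day0 + timedelta(days=6)),
    }
```

Running `demo()` shows the asymmetry the table's notes describe: the same five-character password is rejected for the Operator on three counts but accepted for the Administrator account, while the expiry check treats both accounts alike. With Password Memory set to 1, the first password is remembered only until the next successful change, after which it can be set again.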
When you create a local user account, you must give the account a name and a password. You must also set the user role, either by retaining the default user role or by assigning a new one. The default user role for local, non-system maintenance accounts is No Access.
Only users who have been granted the Administrator or User Manager role can create user accounts. If the user role assigned to your account is Administrator, you can create a user account in any partition on the system. If the user role assigned to your account is User Manager, you can create a user account in any partition to which you have access.
This table lists and describes the properties that define a local BIG-IP user account.
| Property | Description | Default |
|---|---|---|
| User Name | Specifies the name of the user account. The BIG-IP system is case-sensitive, which means that names such as JONES and Jones are treated as separate user accounts. | No default value |
| Partition | When viewing the properties of an existing user account, displays the name of the partition in which the user account resides. All partitionable BIG-IP system objects (including user account objects) have the Partition property. Note that you cannot edit the value of this setting. | No default value |
| Password | Specifies a password that the user will use to log in to the BIG-IP system. | No default value |
| Role | Specifies the user role that you want to assign to the user account. | No Access |
| Partition Access | Specifies the partition to which the user has access when logged on to the BIG-IP system. If you have permission to do so, you can assign this value to a new user account, or change this value on an existing user account. This setting appears only when the user role for the account is not Administrator. (Accounts with the Administrator role always have universal partition access, that is, access to all partitions.) | All |
| Terminal Access | Specifies the level of access to the BIG-IP system command line interface. Possible values are: Disabled and Advanced shell. Users with the Administrator or Resource Administrator role assigned to their accounts can have advanced shell access, that is, permission to use all BIG-IP system command line utilities, as well as any Linux commands. | Disabled |
Using the Configuration utility, you can easily display a list of existing local user accounts and view the properties of an individual account. Only users who have been granted the Administrator or User Manager roles can view the settings of other user accounts.
If the user role assigned to your account is Administrator, you can view any user account on the BIG-IP system, in any partition. If the user role assigned to your account is User Manager, you can view any user account in any partition to which you have access on the BIG-IP system.
To summarize, depending on their own partition access, users with a User Manager role can do some or all of the following:
You use the Configuration utility to modify the properties of any existing local user account, other than the root account. When modifying user accounts, consider the following:
If you have an Administrator user role, you can also change some properties of the root account. Specifically, you can change the password of the root account, and you can enable or disable access to the BIG-IP system through SSH.
If the account you are using has the Administrator or User Manager user role, you can delete other local user accounts. A user with the Administrator role can delete any user account on the BIG-IP system in any partition. A user with the User Manager role can delete user accounts on the BIG-IP system in only those partitions to which she has access.
When you delete a local user account, you remove it permanently from the local user-account database on the BIG-IP system.
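The rules for who may create, view, modify or delete another user account (the User Manager row of the roles table, together with the creation and deletion paragraphs above) combine partition of residence, partition access and role. The following Python is an added example, not part of the F5 documentation and not BIG-IP code; it encodes those rules and checks them against a constructed directory in which tbrown, sjones and Jane are borrowed from the page's own examples and the remaining names are invented.

```python
# Partition-scoped management of user accounts, as described in the User Manager
# row of the roles table and the create/delete paragraphs above. Added example,
# not BIG-IP code; the directory below is constructed for illustration.
from dataclasses import dataclass

ALL = "All"  # access to all partitions, which the page calls universal access


@dataclass(frozen=True)
class User:
    name: str
    role: str
    partition: str         # partition the account object resides in
    partition_access: str  # one partition name, or ALL

    def __post_init__(self):
        # Accounts with the Administrator role always have universal access.
        if self.role == "Administrator" and self.partition_access != ALL:
            raise ValueError(f"{self.name}: Administrator accounts always have access to all partitions")


def can_manage_user(actor: User, target: User) -> bool:
    """True when actor may create, modify, delete or view target's account."""
    if actor.role == "Administrator":
        return True                     # any account, in any partition
    if actor.role != "User Manager":
        return False                    # no other role manages user accounts
    if actor.partition_access == ALL:
        # Everything except Administrator accounts and User Managers whose
        # partition access differs from this actor's (which is all partitions).
        if target.role == "Administrator":
            return False
        return not (target.role == "User Manager" and target.partition_access != ALL)
    # Single-partition User Manager: the target must both reside in that
    # partition and have access to that partition only.
    return (target.partition == actor.partition_access
            and target.partition_access == actor.partition_access)


def manageable(actor: User, users) -> list:
    """Names of the accounts in `users` that actor may manage, sorted."""
    return sorted(u.name for u in users if can_manage_user(actor, u))


# Constructed directory. tbrown and sjones come from the page's partition
# example and jane from its User Manager example; the rest are invented.
DIRECTORY = [
    User("tbrown", "Administrator", "Users", ALL),
    User("ursula", "User Manager", "Users", ALL),
    User("jane", "User Manager", "Users", "B"),   # manages accounts in B only
    User("sjones", "Operator", "Users", "A"),     # resides in Users, not in A
    User("bob", "Operator", "B", "B"),
    User("carol", "Manager", "B", ALL),           # resides in B but has universal access
    User("dave", "Operator", "A", "A"),
]


def user(name: str) -> User:
    """Look a constructed account up by name."""
    return next(u for u in DIRECTORY if u.name == name)
```

Two results are worth noting. Jane, a User Manager limited to partition B, can manage bob but not carol, even though both accounts reside in B, because carol's account has universal access rather than access to B only. And ursula, a User Manager with access to all partitions, cannot manage jane, because jane holds the User Manager role with different partition access; this is the clause in the table that keeps one User Manager from quietly widening another's reach.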
Rather than store user accounts locally on the BIG-IP system, you can store them on a remote authentication server. In this case, you create all of your standard user accounts (including user names and passwords) on that remote server, using the mechanism supplied by that server’s vendor.
Once you have created each user account on the remote server, you can then use the BIG-IP system to assign authorization properties (user role, partition access, and terminal access) for each account, for the purpose of controlling user access to BIG-IP system resources.
The Configuration utility stores all local and remote access control information in the BIG-IP system’s local user-account database. When a user whose account information is stored remotely logs into the BIG-IP system and is granted authentication, the BIG-IP system then checks its local database to determine the access control properties that you assigned to that user.
One of the tasks you perform with the Configuration utility is to specify the type of remote user-account server that currently stores your remote user accounts. The available server types that you can specify are:
When you specify the type of remote server, you can also configure some server settings. For example, you can specify the user role you would like the BIG-IP system to assign to a remote account if you do not explicitly assign one.
Once you have configured the remote server, if you want any of the remote accounts to have a non-default user role, you can explicitly assign a user role to those accounts.
If the remote authentication server is an Active Directory or LDAP server and is set up to authenticate SSL traffic, there is an additional feature that you can enable. You can configure the BIG-IP system to perform the server-side SSL handshake that the remote server would normally perform when authenticating client traffic. In this case, there are some preliminary steps you must perform to prepare for remote authentication using SSL.
You create BIG-IP system user accounts on your remote server using the mechanism provided by the vendor of your remote server. Then you use the Configuration utility to specify the remote authentication server that you are using to store those BIG-IP system user accounts. (Valid remote authentication servers for storing BIG-IP system user accounts are Active Directory, LDAP, RADIUS, and TACACS+.)
Once you have used the Configuration utility to specify the remote authentication server, you can configure authorization properties for the remote BIG-IP system user accounts. Specifically, you can do the following:
The Authentication screen that you used to specify the type of remote authentication server also includes some default authorization values (for the Role, Partition Access, and Terminal Access settings). Therefore, if you do not explicitly configure these authorization settings for an individual BIG-IP system user account, the BIG-IP system assigns the default values to that account. This ensures that all remote user accounts have valid authorization settings assigned to them.
The default values for the Role, Partition Access, and Terminal Access settings are as follows:
When you use these default values for a user account, the user account appears in the list of BIG-IP user accounts as Other External Users.
You can change the values that the BIG-IP system automatically uses as the default values for the Role, Partition Access, and Terminal Access settings.
To change the default authorization properties for remote user accounts, you configure the Role, Partition Access, and Terminal Access settings on the same Authentication screen that you used to specify the type of remote authentication server you are using.
Note that you can sometimes inadvertently affect your own user account, if the BIG-IP system is configured to perform remote user authentication, and you or another system administrator changes the default role or partition assigned to all external user accounts:
You do not use the Configuration utility to create remote user accounts (user name and password) for the BIG-IP system. Instead, you create those user accounts on the remote server, using the mechanism provided by the remote server vendor. For authorization (access control) data, however, if you have the Administrator role assigned to your own user account, you can use the Configuration utility to explicitly assign access control properties to existing remote accounts.
Remote user account names do not appear in the Configuration utility on the User List screen. Therefore, to assign non-default authorization properties to an existing remote account, you must simulate the creation of a new account on the BIG-IP system, configuring the User Name setting with the precise name of the existing remote account. You then configure the other properties on the Create screen as well. In this way, you assign authorization properties to an existing remote user account.
Use these procedures to assign non-default authorization properties to, or delete them from, an existing remote user account.
Sometimes you might want to change the user role, partition access, and terminal access that you previously assigned to a remote account. To do so, you must change the properties of that account by clicking the account name on the User List screen. Only those remote user accounts to which you have explicitly assigned a user role appear in the list of user accounts.
Remote user accounts that simply inherit the default user role (configured when you specified the remote authentication server) appear in the list of remote user accounts under the name Other External Users.
When you use the Configuration utility to delete a remote user account, you are not actually deleting the account from the remote server. Instead, you are changing the values of the user’s authorization properties back to the default values.
If you want to assign the same non-default access control properties to a group of remotely-stored user accounts, you can use the remote role groups feature. This feature stores all access control information on a group-wide basis for remotely-stored user accounts.
After using the remote role groups feature, you can propagate that access-control information to all BIG-IP devices on the network, using the single configuration file (SCF) feature. The remote role groups feature, combined with the SCF feature, removes the need to manually assign access control properties to each individual BIG-IP user within a group, on each BIG-IP device on your network.
You can access the remote role groups feature by logging into the BIG-IP Configuration utility and navigating to.
This table lists the allowed values for a variable that you use for defining a role for a remotely-stored user account.
| Role | Value |
|---|---|
| Application Security Policy Editor | 800 |
When you initially configure a remote server for authentication of BIG-IP system users, all remote user accounts have access to the Common partition. If you want a specific remote account to have access to a partition other than Common, you can specify a different partition when you configure the authorization properties for that account. Remote accounts that have the Administrator user role assigned to them automatically have full access to all partitions on the BIG-IP system.
Using the Configuration utility, you can display a list of those remote user accounts to which you explicitly assigned a non-default user role. If a remote user account has the default role assigned to it, you cannot see that account in the list of remote user accounts.
Any users who have access to a partition in which remote accounts reside can view a list of remote user accounts.
The BIG-IP system generates a log message whenever a user or an application attempts to log in to or log out of the system. The system logs both successful and unsuccessful login attempts. The system stores these log messages in the /var/log/secure file.
When the system logs an authentication message in the /var/log/secure file, the message can contain the following types of information:
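Because /var/log/secure records both successful and failed login attempts, it is the natural input for checking how the Maximum Login Failures setting described earlier plays out in practice. The following Python is an added example, not part of the F5 documentation and not BIG-IP code. It parses constructed log lines written in the ordinary sshd/syslog form of a Linux secure log (real BIG-IP messages may carry additional fields), counts failures per user, marks accounts whose consecutive failures reached a configured threshold, and flags a later successful login by such an account, which is exactly the event an administrator who pressed the Unlock button would expect to see, and anyone else should investigate. Treating a threshold of 0 as "no lockout" is an assumption of the example; the page gives 0 only as the default.

```python
# Login/logout events from /var/log/secure, as described above. Added example,
# not BIG-IP code. The sample lines are constructed in the ordinary sshd/syslog
# form found in a Linux secure log; real BIG-IP messages may carry more fields.
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
LOGOUT_RE = re.compile(r"session closed for user (?P<user>\S+)")

# Constructed sample: three failures for sjones followed by a success, one
# probe against a non-existent account, and a normal tbrown session.
SAMPLE_LOG = """\
Jun  3 09:12:01 bigip1 sshd[4021]: Accepted password for tbrown from 10.0.0.5 port 52310 ssh2
Jun  3 09:13:44 bigip1 sshd[4033]: Failed password for sjones from 10.0.0.9 port 52402 ssh2
Jun  3 09:13:50 bigip1 sshd[4033]: Failed password for sjones from 10.0.0.9 port 52402 ssh2
Jun  3 09:13:57 bigip1 sshd[4033]: Failed password for sjones from 10.0.0.9 port 52402 ssh2
Jun  3 09:14:20 bigip1 sshd[4040]: Failed password for invalid user backup from 10.0.0.77 port 41000 ssh2
Jun  3 09:15:02 bigip1 sshd[4051]: Accepted password for sjones from 10.0.0.9 port 52500 ssh2
Jun  3 09:20:11 bigip1 sshd[4021]: pam_unix(sshd:session): session closed for user tbrown
"""


def parse_line(line):
    """Return a dict for a recognised login/logout line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    for event, rx in (("login_ok", ACCEPTED_RE), ("login_failed", FAILED_RE), ("logout", LOGOUT_RE)):
        hit = rx.search(msg)
        if hit:
            return {"time": m["ts"], "host": m["host"], "process": m["proc"], "event": event,
                    "user": hit["user"], "source": hit.groupdict().get("ip"),
                    "invalid_user": "invalid user" in msg}
    return None


def summarize(log_text, max_login_failures=0):
    """Failure counts per user plus accounts that reached the lockout threshold.

    `max_login_failures` mirrors the Maximum Login Failures setting; its default
    of 0 is taken here to mean no lockout (an assumption, the page does not say).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures, streak, locked, alerts = Counter(), Counter(), set(), []
    for e in events:
        if e["event"] == "login_failed":
            failures[e["user"]] += 1
            streak[e["user"]] += 1  # consecutive failures since the last success
            if max_login_failures and streak[e["user"]] >= max_login_failures:
                locked.add(e["user"])
        elif e["event"] == "login_ok":
            if e["user"] in locked:
                # A success after the threshold means the lock was reset (Unlock
                # button) or never applied; either way it deserves a look.
                alerts.append(f"{e['time']} {e['user']} logged in from {e['source']} "
                              "after reaching the lockout threshold")
            streak[e["user"]] = 0
    return {"events": events, "failures": dict(failures),
            "locked": sorted(locked), "alerts": alerts}
```

With `summarize(SAMPLE_LOG, max_login_failures=3)` the sjones account reaches the threshold on its third failure and its later success is reported; the probe against the non-existent `backup` account is counted but never locks anything, since there is no account to lock. With the default threshold of 0 nothing is marked locked and no alert is raised, which is why the summary still returns the raw failure counts for review.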