Manual Chapter: Users

Purpose of BIG-IP user accounts

An important part of managing the BIG-IP system is creating and managing user accounts for BIG-IP system administrators. By creating user accounts for system administrators, you provide additional layers of security. User accounts ensure that the system:

  • Verifies the identity of users logging into the system (authentication)
  • Controls user access to system resources (authorization)

To enable user authentication and authorization, you assign passwords and user roles to your user accounts. Passwords allow you to authenticate your users when they attempt to log in to the BIG-IP system. User roles allow you to control user access to BIG-IP system resources.

You can create and store BIG-IP administrative accounts either locally on the BIG-IP system, or remotely on a separate authentication server.

User account types

There are two types of user accounts on the BIG-IP system: the system maintenance account and a set of standard user accounts.

The system maintenance account
The system maintenance account is a user account that you maintain using the Setup utility. The name of the system maintenance account is root. This account resides locally on the BIG-IP system and grants full access to BIG-IP system resources. You configure and maintain this account using the Setup utility and the BIG-IP Configuration utility, respectively.
Standard user accounts
Standard user accounts are user accounts that you create for other BIG-IP system administrators to use. Standard user accounts can reside either locally on the BIG-IP system, or remotely on a separate authentication server. You create and maintain these accounts using the browser-based BIG-IP Configuration utility or the command line interface. Creating standard user accounts allows you to assign various user roles to those accounts as a way to control system administrator access to BIG-IP system resources. A special standard user account is the admin account, which automatically exists on any BIG-IP system.
Note: Excluding the admin account, the entire set of standard user accounts that you create for BIG-IP system administrators must reside either locally on the BIG-IP system, or remotely on another type of authentication server.

You are not required to have any user accounts other than the root and admin accounts, but F5 Networks recommends that you create other user accounts, as a way to intelligently control administrator access to system resources.

What are user roles?

User roles are a means of controlling user access to BIG-IP system resources. You assign a user role to each administrative user, and in so doing, you grant the user a set of permissions for accessing BIG-IP system resources.

The BIG-IP system offers several different user roles that you can choose from when assigning a role to an administrative user. A user role is a property of a user account. Each user role grants a different set of permissions. More specifically, a user role defines:

The resources that a user can manage
User roles define the types of resources, or objects, that a user can manage. For example, a user with the role of Operator can enable or disable nodes and pool members only. By contrast, a user with the Guest role cannot manage any BIG-IP system resources.
The tasks that a user can perform
For example, a user with the role of Operator can enable or disable nodes and pool members, but cannot create, modify, or delete them. Conversely, a user with the Manager role can perform all tasks related to partitioned objects (except for user accounts), including nodes and pool members.
Important: A role defines the type of objects that a user can manage and the tasks that a user can perform on those object types. A role does not define the set of specific, existing objects that the user can access.

User roles on the BIG-IP system

This table lists and describes the various user roles that you can assign to a user account.

Administrator
This role grants users complete access to all partitioned and non-partitioned objects on the system. In addition, accounts with the Administrator role can change their own passwords.

Resource Administrator
This role grants users complete access to all partitioned and non-partitioned objects on the system, except user account objects. In addition, accounts with the Resource Administrator role can change their own passwords.

User Manager
Users with the User Manager role that have access to all partitions can create, modify, delete, and view all user accounts except those that are assigned the Administrator role, or the User Manager role with different partition access. Accounts with the User Manager role that have access to all partitions can also change their own passwords. Users with the User Manager role that have access only to a single partition can create, modify, delete, and view only those user accounts that are in that partition and that have access to that partition only. For example, if your user account has a User Manager role and has access to Partition A only, then you can manage only those user accounts that both reside in and have access to Partition A only. User accounts with the User Manager role can change their own passwords.

Manager
This role grants users permission to create, modify, and delete virtual servers, pools, pool members, nodes, custom profiles, custom monitors, and iRules®. These users can view all objects on the system and change their own passwords.

Certificate Manager
This role grants users permission to manage device certificates and keys, as well as perform Federal Information Processing Standard (FIPS) operations.

iRule Manager
This role grants users permission to create, modify, and delete iRules. Users with this role cannot affect the way that an iRule is deployed. For example, a user with this role can create an iRule but cannot assign it to a virtual server or move the iRule from one virtual server to another. A user with this role can be assigned universal access to administrative partitions.

Application Editor
This role grants users permission to modify nodes, pools, pool members, and monitors. These users can view all objects on the system and change their own passwords.

Acceleration Policy Editor
This role allows users to view, create, modify, and delete all WebAccelerator™ policy objects in all administrative partitions. Users can also view, create, update, and delete Web Acceleration profiles.

Firewall Manager
This role allows users complete access to all firewall rules and supporting objects, including rules in all contexts, address lists, port lists, and schedules; security logging profiles and supporting objects, including log publishers and destinations; IP intelligence and DoS profiles; association rights for all of the above security profiles to virtual servers; and DoS Device Configuration (the L2-L4 DoS protection configuration). Firewall Managers may be granted access on all partitions or a single partition. Since global and management port rules are defined in Common, only Firewall Managers with rights on Common are allowed to modify global and management port rules. Firewall Managers have no create, update, or delete rights to any other objects, but otherwise have the same read access as the Manager role. Notably, the Firewall Manager role has no permission to create, update, or delete non-network firewall configuration, including Application Security or Protocol Security policies.

Web Application Security Administrator
This role grants users access to Application Security Manager™ security policy objects, in one or all administrative partitions. These users have read-only permission for these profile types: HTTP, FTP, and SMTP. These users have no access to other LTM objects, nor to any TMOS objects. They can, however, change their own passwords. With respect to security policy objects, this role is similar to the Administrator role. You can assign this role only when the BIG-IP system includes the Application Security Manager component.

Web Application Security Editor
These users have no access to other LTM objects, nor to any TMOS objects. They can, however, change their own passwords. You can assign this role only when the BIG-IP system includes the Application Security Manager component.

Operator
This role grants users permission to enable or disable nodes and pool members. These users can view all objects and change their own passwords.

Auditor
This role grants users permission to view all configuration data on the system, including logs and archives. Users with this role cannot create, modify, or delete any data, nor can they view SSL keys or user passwords.

Guest
This role grants users permission to view all objects on the system except for sensitive data such as logs and archives. Users with this role can change their own passwords.

No Access
This role prevents users from accessing the system.

Default user roles

The BIG-IP system automatically assigns a user role to an account when you create that account. The user role that the system assigns to a user account by default depends on the type of account:

root and admin accounts
The BIG-IP system automatically assigns the Administrator user role to the system maintenance root account and the admin account. You cannot change this user-role assignment. Thus, any user who successfully logs into the BIG-IP system using the root or admin account has full access to system resources and can perform all administrative tasks.
Other user accounts
The BIG-IP system automatically assigns the No Access user role to all standard user accounts other than the root and admin accounts. If the user account you are using has the Administrator role assigned to it, you are allowed to change another account’s user role from the default No Access role to any other user role, including Administrator. For remote user accounts, if you know that most of your administrative users need some amount of access to BIG-IP system resources, you can configure the BIG-IP system to use a role other than No Access as the default user role.

Administrative partitions

When you create configurable objects for the BIG-IP system, you have the option of putting those objects into administrative partitions. An administrative partition is a logical container of BIG-IP system objects such as virtual servers, pools, and monitors. When you first install the BIG-IP system, a default partition already exists named Common.

By putting objects into partitions, you establish a finer granularity of access control. Rather than having control over all resources on the BIG-IP system or no resources whatsoever, users with certain permissions can control resources within a designated partition only. For example, users with the role of Operator can mark nodes up or down, but can only mark those nodes that reside within their designated partition.

User accounts are another type of object that you can put into a partition. You put user accounts into administrative partitions strictly for the purpose of giving other users administrative access to those accounts. For example, you can put user accounts into partition B, and then assign a set of permissions (known as a user role) to user Jane so that she is allowed to modify user accounts in partition B.

Each user account on the BIG-IP system has a property known as Partition Access. The Partition Access property defines the partitions that the user can access. A user account can have access to either one partition or all partitions. Access to all partitions is known as universal access.

This figure shows how partition access can differ for different user accounts on the BIG-IP system.

[Figure: The Partition Access property for user accounts]

In this example, the BIG-IP system objects reside in multiple partitions. Note that user accounts are also a type of BIG-IP system object, and as such, reside in a partition named Users. (Although you are not required to group user accounts together in a separate partition, for security purposes F5 Networks highly recommends that you do so.)

To continue with the example, each user account in partition Users has access to specific, but different, partitions. Note that user accounts sjones, cjohnson, and gnelson can access one partition only, while the tbrown account has universal access.

To summarize, an administrative partition defines a set of objects, including user accounts, that other administrative users can potentially manage. This gives computing organizations greater control over user access to specific objects on the BIG-IP system.

Effect of user roles on objects within partitions

A user role defines the access level that a user has for each object in the user’s assigned partition. An access level refers to the type of task that a user can perform on an object. Possible access levels are:

Write
Grants full access: that is, the ability to create, modify, enable and disable, and delete an object.
Update
Grants the ability to modify, enable, and disable an object.
Enable/disable
Grants the ability to enable or disable an object.
Read
Grants the ability to view an object.
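The interaction between a role's access level and the account's Partition Access property is the part of this model that is easiest to get wrong, so here is an added example (not F5 code) that encodes the rules stated in this chapter in Python so a role/partition question can be checked offline. Role, object and access-level names come from the text; the role-to-access-level matrix is an illustrative subset of the role table, and leaving the Read level unscoped by partition (the chapter says Manager, Operator and Application Editor "can view all objects on the system") is this example's assumption. The sjones and tbrown accounts in the demo are constructed, echoing the figure.

```python
"""Model of partition scope and access levels for BIG-IP user roles.

Added example, not F5 code. It encodes the rules stated in the chapter
(role table, Partition Access property, access levels) so they can be
checked offline. ROLE_MATRIX is an illustrative subset of the role table,
and treating Read as unscoped by partition is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Optional

ALL = "All"  # universal partition access

# Access levels from the list above, weakest first: a higher index implies the lower ones.
LEVELS = ["Read", "Enable/disable", "Update", "Write"]

# Object type -> highest access level for the role; "*" covers any object type not listed.
ROLE_MATRIX = {
    "Administrator": {"*": "Write"},
    "Manager": {"*": "Read", "virtual server": "Write", "pool": "Write",
                "pool member": "Write", "node": "Write", "iRule": "Write"},
    "Application Editor": {"*": "Read", "node": "Update", "pool": "Update",
                           "pool member": "Update", "monitor": "Update"},
    "Operator": {"*": "Read", "node": "Enable/disable", "pool member": "Enable/disable"},
    "Guest": {"*": "Read"},
    "No Access": {},
}


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    partition: str         # partition in which the account object itself resides
    partition_access: str  # a single partition name, or ALL (universal access)


def access_level(actor: Account, object_type: str, object_partition: str) -> Optional[str]:
    """Highest access level `actor` holds on an object of `object_type` that resides in
    `object_partition`, or None when the role grants nothing on that object type."""
    matrix = ROLE_MATRIX.get(actor.role, {})
    level = matrix.get(object_type, matrix.get("*"))
    if level is None:
        return None
    # Accounts with the Administrator role always have universal partition access.
    in_scope = actor.role == "Administrator" or actor.partition_access in (ALL, object_partition)
    if in_scope:
        return level
    # Outside the designated partition only viewing remains (model assumption, see docstring).
    return "Read"


def allows(level: Optional[str], needed: str) -> bool:
    """True when `level` grants at least the `needed` access level."""
    return level is not None and LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    # Constructed accounts: sjones has access to partition A only, tbrown has universal access.
    sjones = Account("sjones", "Operator", "Users", "A")
    tbrown = Account("tbrown", "Manager", "Users", ALL)
    print(access_level(sjones, "node", "A"))                    # Enable/disable
    print(access_level(sjones, "node", "B"))                    # Read
    print(allows(access_level(sjones, "node", "A"), "Update"))  # False
    print(access_level(tbrown, "user account", "C"))            # Read
```

The matrix deliberately gives Manager only Read on user accounts, which is how the role table distinguishes Manager from Administrator and User Manager: the role decides what object types and tasks are reachable, and Partition Access narrows which instances those tasks apply to.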

Local user account management

Managing local user accounts refers to the tasks of creating, viewing, modifying, and deleting user accounts that reside on the BIG-IP system, using the browser-based BIG-IP Configuration utility.

The BIG-IP Configuration utility stores local user accounts (including user names, passwords, and user roles) in a local user-account database. When a user logs in to the BIG-IP system using one of these locally-stored accounts, the BIG-IP system checks the account to determine the user role assigned to that user account.

Important: Only users with the role of Administrator or User Manager can create and manage local user accounts. However, users with any role can change their own passwords. Also, if a user with a local user account is logged in to the BIG-IP system, and you subsequently switch the system from local authentication to remote authentication, the local user remains authenticated until the user’s login session terminates.

Admin account configuration

A user account called admin resides on every BIG-IP system. Although the BIG-IP system creates this account automatically, you must still assign a password to the account before you can use it. To initially set the password for the admin account, you must run the Setup utility. To change its password later, you use the BIG-IP Configuration utility’s Users screens.

The admin account resides in the local user account database on the BIG-IP system. By default, the BIG-IP system assigns the Administrator user role, which gives the user of this account full access to all BIG-IP system resources. You cannot change the user role on this account.

About secure password policy configuration

The BIG-IP system includes an optional administrative feature: a security policy for creating passwords for local BIG-IP system user accounts. A secure password policy ensures that BIG-IP system users who have local user accounts create and maintain passwords that are as secure as possible.

The secure password policy feature includes two distinct types of password restrictions:

Enforcement restrictions
These are, specifically, character restrictions that you can enable or disable. They consist of the minimum password length and the required character types (numeric, uppercase, lowercase, and other kinds of characters). When enabled, the BIG-IP system never enforces restrictions on user accounts that have the Administrator role assigned to them. Consequently, a user with Administrator permissions does not need to adhere to these restrictions when either changing his or her own password, or changing the passwords of other user accounts.
Policy restrictions
These restrictions represent the minimum and maximum lengths of time that passwords can be in effect. Also included in this type of policy restriction are the number of days prior to password expiration that users are warned, and the number of previous passwords that the BIG-IP system should store, to prevent users from re-using former passwords. These restrictions are always enabled, although using the default values provides a minimal amount of restriction.
Note: The value of the Maximum Duration setting determines when users receive warning messages to change their passwords. If you change the value of this setting, any subsequent warning messages that users receive indicate the previous maximum duration value, rather than the new value. Once a user changes the password, however, subsequent reminder messages show the new value.

The password policy feature affects passwords for local user accounts only. Passwords for remotely-stored user accounts are not subject to this local password policy, but might be subject to a separate password policy defined on the remote system.

Important: You must have the user role of Administrator assigned to your account to configure this feature.

Configuration settings for a secure password policy

This table lists and describes the settings for a password policy.

Secure Password Enforcement
Enables or disables character restrictions, that is, a policy for minimum password length and required characters. When you enable this setting, the BIG-IP Configuration utility displays the Minimum Length and Required Characters settings.
Default value: Disabled

Minimum Length
Specifies the minimum number of characters required for a password. The allowed range of values is 6 to 255. This setting appears only when you enable the Secure Password Enforcement setting.
Default value: 6

Required Characters
Specifies the number of numeric, uppercase, lowercase, and other characters required for a password. The allowed range of values is 0 to 127. This setting appears only when you enable the Secure Password Enforcement setting.
Default value: 0

Password Memory
Specifies, for each user account, the number of former passwords that the BIG-IP system retains to prevent the user from re-using a recent password. The range of allowed values is 0 to 127.
Default value: 0

Minimum Duration
Specifies the minimum number of days before a user can change a password. The range of allowed values is 0 to 255.
Default value: 0

Maximum Duration
Specifies the maximum number of days that a user's password can be valid. The range of allowed values is 1 to 99999. This setting applies to all user accounts.
Default value: 99999

Expiration Warning
Specifies the number of days prior to password expiration that the system sends a warning message to a user. The range of allowed values is 1 to 255. This setting applies to all user accounts.
Default value: 7

Maximum Login Failures
Denies access to a user after the specified number of failed authentication attempts. The administrator can then reset the lock to re-enable access for the user.
Default value: 0

Configuring a password policy for administrative users

Use this procedure to require BIG-IP system users to create strong passwords and to specify the maximum number of BIG-IP login failures that the system allows before the user is denied access.
  1. On the Main tab, click System > Users.
  2. On the menu bar, click Authentication.
  3. From the Secure Password Enforcement list, select Enabled. Additional settings appear on the screen.
  4. For the Minimum Length and Required Characters settings, configure the default values, according to your organization's internal security requirements.
  5. In the Maximum Login Failures field, specify a number. If the user fails to log in the specified number of times, the user is locked out of the system. Therefore, F5 Networks recommends that you specify a value that allows for a reasonable number of login failures before user lockout.
  6. Click Update.

User authentication lockout

You can deny access to a user after a specified number of failed authentication attempts. You can then reset the lock to re-enable access for the user.

To set the maximum number of failures before user lockout, use the BIG-IP Configuration utility to locate the Users screen, and then navigate to the Authentication screen. You can then specify a value for the Maximum Login Failures setting.

If a user becomes locked out, you can use the Unlock button on the User List screen to unlock the user.
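The password policy settings table, the policy procedure, and the lockout description above describe checks that the BIG-IP system applies to local accounts; the following Python is an added example, not F5 code, that models those checks offline so the interaction of the settings can be exercised with constructed accounts: the Administrator exemption from enforcement restrictions, Password Memory, Minimum and Maximum Duration, Expiration Warning, Maximum Login Failures, and the Unlock action. Two points are this example's assumptions rather than statements from the chapter: "other" characters are taken to mean any non-alphanumeric character, and a Maximum Login Failures value of 0 (the default) is taken to mean that lockout never triggers.

```python
"""Offline model of the secure password policy and login lockout described in this chapter.

Added example, not F5 code. Setting names, ranges and defaults follow the
settings table; the functions apply them to candidate passwords and login
attempts. Assumptions: "other" characters are non-alphanumeric characters,
and Maximum Login Failures of 0 (the default) never locks an account.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    secure_password_enforcement: bool = False  # character restrictions on/off (default Disabled)
    minimum_length: int = 6                    # 6..255, used only when enforcement is enabled
    required_characters: int = 0               # 0..127 of each character class, only when enabled
    password_memory: int = 0                   # 0..127 former passwords kept per account
    minimum_duration: int = 0                  # days before a password may be changed again
    maximum_duration: int = 99999              # days a password stays valid
    expiration_warning: int = 7                # days before expiry that warnings begin
    maximum_login_failures: int = 0            # failed attempts before lockout; 0 = never (assumption)


@dataclass
class LocalUser:
    name: str
    role: str
    password: str
    password_set_on: date
    former_passwords: list = field(default_factory=list)
    failed_logins: int = 0
    locked: bool = False


def enforcement_errors(policy: PasswordPolicy, actor: LocalUser, candidate: str) -> list:
    """Enforcement restrictions (minimum length, required character types).
    Never applied when the account making the change has the Administrator role."""
    if not policy.secure_password_enforcement or actor.role == "Administrator":
        return []
    errors = []
    if len(candidate) < policy.minimum_length:
        errors.append(f"shorter than minimum length {policy.minimum_length}")
    counts = {
        "numeric": sum(c.isdigit() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "other": sum(not c.isalnum() for c in candidate),
    }
    for kind, count in counts.items():
        if count < policy.required_characters:
            errors.append(f"needs {policy.required_characters} {kind} character(s), has {count}")
    return errors


def policy_errors(policy: PasswordPolicy, user: LocalUser, candidate: str, today: date) -> list:
    """Policy restrictions (always enabled): Minimum Duration and Password Memory."""
    errors = []
    age = (today - user.password_set_on).days
    if age < policy.minimum_duration:
        errors.append(f"changed {age} day(s) ago; minimum duration is {policy.minimum_duration}")
    if candidate in user.former_passwords:
        errors.append("password matches one of the remembered former passwords")
    return errors


def change_password(policy: PasswordPolicy, actor: LocalUser, user: LocalUser,
                    candidate: str, today: date) -> list:
    """Validate and apply a password change; returns the violations (empty on success)."""
    errors = enforcement_errors(policy, actor, candidate) + policy_errors(policy, user, candidate, today)
    if errors:
        return errors
    # The outgoing password joins the memory; keep only the newest `password_memory` entries.
    user.former_passwords.append(user.password)
    del user.former_passwords[:max(0, len(user.former_passwords) - policy.password_memory)]
    user.password, user.password_set_on = candidate, today
    return []


def expiration_status(policy: PasswordPolicy, user: LocalUser, today: date) -> str:
    """'ok', 'warning' or 'expired', from Maximum Duration and Expiration Warning."""
    days_left = (user.password_set_on + timedelta(days=policy.maximum_duration) - today).days
    if days_left <= 0:
        return "expired"
    return "warning" if days_left <= policy.expiration_warning else "ok"


def record_login(policy: PasswordPolicy, user: LocalUser, success: bool) -> bool:
    """Apply Maximum Login Failures to one attempt; True when the login is accepted."""
    if user.locked:
        return False
    if success:
        user.failed_logins = 0
        return True
    user.failed_logins += 1
    if policy.maximum_login_failures and user.failed_logins >= policy.maximum_login_failures:
        user.locked = True
    return False


def unlock(user: LocalUser) -> None:
    """What the Unlock button on the User List screen does for a locked-out account."""
    user.locked, user.failed_logins = False, 0
```

Note that the Administrator exemption lives in `enforcement_errors` only: the chapter says the policy restrictions (duration and memory) are always enabled, so `policy_errors` takes no role into account, and the defaults in `PasswordPolicy` reproduce the chapter's observation that default values provide only minimal restriction.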

Local user account creation

Properties of a local BIG-IP system user account

This table lists and describes the properties that define a local BIG-IP user account.

User Name
Specifies the name of the user account. The BIG-IP system is case-sensitive, which means that names such as JONES and Jones are treated as separate user accounts.
Default value: No default value

Partition
When viewing the properties of an existing user account, displays the name of the partition in which the user account resides. All partitionable BIG-IP system objects (including user account objects) have the Partition property. Note that you cannot edit the value of this setting.
Default value: No default value

Password
Specifies a password that the user will use to log in to the BIG-IP system.
Default value: No default value

Role
Specifies the user role that you want to assign to the user account.
Default value: No Access

Partition Access
Specifies the partition to which the user has access when logged on to the BIG-IP system. If you have permission to do so, you can assign this value to a new user account, or change this value on an existing user account. This setting appears only when the user role for the account is not Administrator. (Accounts with the Administrator role always have universal partition access, that is, access to all partitions.)
Default value: All

Terminal Access
Specifies the level of access to the BIG-IP system command line interface. Possible values are: Disabled and Advanced shell. Users with the Administrator or Resource Administrator role assigned to their accounts can have advanced shell access, that is, permission to use all BIG-IP system command line utilities, as well as any Linux commands.
Default value: Disabled

Creating a local user account

You perform this task to create a local user account for BIG-IP administrative users. Only users who have been granted the Administrator or User Manager role can create user accounts. If the user role assigned to your account is Administrator, you can create a user account in any partition on the system. If the user role assigned to your account is User Manager, you can create a user account in any partition to which you have access.

Note: User accounts on the BIG-IP system are case-sensitive. Thus, the system treats user accounts such as JONES and Jones as two separate user accounts. Note, however, that certain user names, such as admin, are reserved, and are therefore exempt from case-sensitivity. For example, you cannot create a user account named Admin, aDmin, or ADMIN.
  1. On the Main tab, click System > Users.
  2. Using the Partition list in the upper-left corner of the screen, select the name of the partition in which you want the new user account to reside.
    Important: The partition you select in this step is not the partition to which you want the new user account to have access. Instead, this selection specifies the partition in which you want the new user account to reside. To grant partition access to a user, you configure the Partition Access property on the New User screen.
  3. In the upper right corner of the screen, click Create. The New User screen opens. If the Create button is unavailable, you do not have permission to create a local user account. You must have the Administrator or User Manager role assigned to your user account in order to create a local user account.
  4. In the User Name box, type a name for the user account.
  5. For the Password setting, type and confirm a password for the account.
  6. To grant an access level other than No Access (the default value), use the Role setting and select a user role.
  7. From the Partition Access list, select a partition name or All.
    Note: For user accounts to which you assign the Administrator or Resource Administrator role, this setting is hidden because the value is automatically set to All. You cannot change the Partition Access setting for a user with the Administrator or Resource Administrator role.
  8. If you want to allow user access to the command line interface, then from the Terminal Access list, select a level of access.
    Note: The advanced shell is only available for accounts with the Administrator or Resource Administrator user role.
  9. Click Finished.

Local user account view

Using the BIG-IP Configuration utility, you can easily display a list of existing local user accounts and view the properties of an individual account. Only users who have been granted the Administrator or User Manager roles can view the settings of other user accounts.

If the user role assigned to your account is Administrator, you can view any user account on the BIG-IP system, in any partition. If the user role assigned to your account is User Manager, you can view any user account in any partition to which you have access on the BIG-IP system.

To summarize, depending on their own partition access, users with a User Manager role can do some or all of the following:

  • Change another user’s password
  • Change another user’s user role
  • Change the partition in which the user can access objects (applies only to users who have both a User Manager role and access to all partitions)
  • Enable or disable terminal access

Displaying a list of local user accounts

  1. On the Main tab, click System > Users.
  2. View the list of user accounts.

Viewing the properties of a local user account

  1. On the Main tab, click System > Users.
  2. In the user-account list, find the user account you want to view and click the account name. This displays the properties of that user account.

Local user account modification

You use the BIG-IP Configuration utility to modify the properties of any existing local user account, other than the root account. When modifying user accounts, consider the following:

  • Only users who have been granted either the Administrator or User Manager role can modify user accounts other than their own account.
  • A user with the User Manager role can modify only those accounts that reside in the partition to which that user has access. For example, if user nelson has a User Manager role and has access to partition B only, he can modify only those user accounts that reside in partition B. Even in this case, however, for user accounts in partition B, user nelson cannot modify a user’s Partition Access property. If, however, user nelson has a User Manager role and has access to all partitions, he can modify all user accounts on the system. This includes changing another user’s Partition Access property.
  • Users with any role but No Access can modify their own user accounts to change the password. These users cannot modify any other properties of their own user accounts.
    Note: When a user changes his own password, the system automatically logs the user out of the BIG-IP Configuration utility. The system then requires the user to use the new password for subsequent logins. This behavior applies even when the new password matches the old password.
  • Users with the role of User Manager can modify all of the properties of their own user accounts, except their user role and partition access.
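The modification rules listed above, together with the User Manager entry in the role table and the restriction that you cannot delete the admin account or the account you are logged in with, form a small authorization policy for user-account objects. The following Python is an added example, not F5 code, that encodes those rules so they can be checked offline; the action names are this example's own, and the accounts in the demo (jane, bob, carol, tbrown, kim) and their partitions are constructed.

```python
"""Who may manage which local user account, per the rules in this chapter.

Added example, not F5 code. It encodes the User Manager and Administrator
scoping rules from the role table, "Local user account modification" and
"Delete local user accounts". Action names are this example's own.
"""
from dataclasses import dataclass

ALL = "All"  # universal partition access
ACTIONS = ("view", "modify", "delete", "set_partition_access", "change_password")


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    partition: str         # partition in which the account object resides
    partition_access: str  # a single partition name, or ALL


def can_manage_account(actor: Account, target: Account, action: str) -> bool:
    """Return True when `actor` may perform `action` on the `target` user account."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if actor.role == "No Access":
        return False
    if actor.name == target.name:
        # Own account: any other role may view it and change its password; only Administrator
        # and User Manager may edit other properties, and a User Manager cannot change its own
        # role or partition access. Nobody deletes the account they are logged in with.
        if action in ("view", "change_password"):
            return True
        if action in ("delete", "set_partition_access"):
            return False
        return actor.role in ("Administrator", "User Manager")
    if actor.role == "Administrator":
        # Any account in any partition, except that the admin account cannot be deleted.
        return not (action == "delete" and target.name == "admin")
    if actor.role != "User Manager":
        return False
    if actor.partition_access == ALL:
        # User Manager with universal access: every account except Administrators and
        # User Managers whose partition access differs; may change Partition Access.
        if target.role == "Administrator":
            return False
        return not (target.role == "User Manager" and target.partition_access != ALL)
    # User Manager with access to a single partition: only accounts that both reside in that
    # partition and have access to that partition only, and never the Partition Access property.
    if action == "set_partition_access":
        return False
    return target.partition == actor.partition_access == target.partition_access


if __name__ == "__main__":
    # Constructed accounts: jane manages partition B only, tbrown has universal access.
    jane = Account("jane", "User Manager", "Users", "B")
    tbrown = Account("tbrown", "User Manager", "Users", ALL)
    bob = Account("bob", "Manager", "B", "B")
    carol = Account("carol", "Operator", "B", ALL)
    print(can_manage_account(jane, bob, "modify"))                  # True
    print(can_manage_account(jane, carol, "modify"))                # False: carol has access to all partitions
    print(can_manage_account(jane, bob, "set_partition_access"))    # False
    print(can_manage_account(tbrown, bob, "set_partition_access"))  # True
```

The single-partition branch checks both where the target account resides and what it can access, which is the distinction the Important note in the creation procedure draws between the partition an account lives in and the partition it is granted.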

If you have an Administrator user role, you can also change some properties of the root account. Specifically, you can change the password of the root account, and you can enable or disable access to the BIG-IP system through SSH.

Warning: The Administrator user role provides access to the BIG-IP system prompt. If a user with the Administrator user role is currently logged on to the system, and you change the user role to a role other than Administrator or Resource Administrator, the user can still run commands at the BIG-IP system prompt until he or she logs off of the system.

Modifying the properties of a local user account

  1. On the Main tab, click System > Users.
  2. In the user-account list, click a user account name. This displays the properties of that account.
  3. Change one or more of these settings: Password, role, partition access, or terminal access.
  4. Click Update.
    Warning: The Administrator user role provides access to the BIG-IP system command prompt. If a user with the Administrator user role is currently logged on to the system, and you change the user role to a role other than Administrator or Resource Administrator, the user can still run commands at the BIG-IP system prompt until he or she logs off of the system.

Modifying the properties of the root account

If you have an Administrator user role, you can also change some properties of the root account. Specifically, you can change the password of the root account, and you can enable or disable access to the BIG-IP system through SSH.

  1. On the Main tab of the navigation pane, expand System, and click Platform.
  2. For the Root Account setting, type a new password in the Password box, and re-type the new password in the Confirm box.
  3. If you want to grant SSH access, then for the SSH Access setting, select the Enabled checkbox, and for the SSH IP Allow setting, either:
    • Select * All Addresses
    • Select Specify Range and type a range of IP addresses.
  4. Click Update.
    Important: If you have a redundant system configuration and you change the password on the admin account, you must also change the password on the other device group members, to ensure that synchronization of configuration data operates correctly.

Delete local user accounts

If the account you are using has the Administrator or User Manager user role, you can delete other local user accounts. A user with the Administrator role can delete any user account on the BIG-IP system in any partition. A user with the User Manager role can delete user accounts on the BIG-IP system in only those partitions to which she has access.

When you delete a local user account, you remove it permanently from the local user-account database on the BIG-IP system.

Note: You cannot delete the admin user account, nor can you delete the user account with which you are logged in.
Warning: The Administrator user role provides access to the BIG-IP system prompt. If a user with the Administrator user role is currently logged in to the system and you delete the user account, the user can still run commands at the BIG-IP system command prompt until he or she logs off the system.

Deleting a local user account

When you delete a local user account, you remove it permanently from the local user-account database on the BIG-IP system. If the account you are using has the Administrator or User Manager user role, you can delete other local user accounts. A user with the Administrator role can delete any user account on the BIG-IP system in any partition. A user with the User Manager role can delete user accounts on the BIG-IP system in only those partitions to which she has access.

Note: You cannot delete the admin user account, nor can you delete the user account with which you are logged in.
Warning: The Administrator user role provides access to the BIG-IP system prompt. If a user with the Administrator user role is currently logged in to the system and you delete the user account, the user can still run commands at the BIG-IP system command prompt until he or she logs off the system.
  1. On the Main tab, click System > Users.
  2. In the user-account list, locate the name of the account you want to delete and select the checkbox to the left of the account name.
  3. Click the Delete button.
  4. Click Delete again.

Remote user account management

Rather than store user accounts locally on the BIG-IP system, you can store them on a remote authentication server. In this case, you create all of your standard user accounts (including user names and passwords) on that remote server, using the mechanism supplied by that server’s vendor.

Once you have created each user account on the remote server, you can then use the BIG-IP system to assign authorization properties (user role, partition access, and terminal access) for each account, for the purpose of controlling user access to BIG-IP system resources.

Important: You can assign authorization properties to remotely-stored user accounts on a group basis. You can then use the single configuration file (SCF) feature to propagate those properties to other BIG-IP devices on the network.

The BIG-IP Configuration utility stores all local and remote access control information in the BIG-IP system’s local user-account database. When a user whose account information is stored remotely logs into the BIG-IP system and is granted authentication, the BIG-IP system then checks its local database to determine the access control properties that you assigned to that user.

Note: The BIG-IP Configuration utility refers to remote user accounts as external users. An external user is any user account that is stored on a remote authentication server.
Important: Only users with the role of Administrator can manage user roles for remote user accounts. Also, if a user with a local user account is logged on to the BIG-IP system, and you subsequently switch the system from local authentication to remote authentication, the local user remains authenticated until the user’s login session terminates.

Introduction to remote BIG-IP user accounts

Each BIG-IP system requires one or more administrative user accounts. Rather than store these BIG-IP user accounts locally on the BIG-IP system, you can store BIG-IP user accounts on a remote authentication server. In this case, you create all of your standard BIG-IP user accounts (including user names and passwords) on that remote server, using the mechanism supplied by that server’s vendor. The remote server then performs all authentication of those user accounts.

One of the tasks you perform with the BIG-IP Configuration utility is to specify the type of remote user-account server that currently stores your remote user accounts. The available server types that you can specify are:

  • Active Directory or Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-In User Service (RADIUS)
  • Terminal Access Controller Access-Control System Plus (TACACS+)

To ensure easy management of remotely-stored user accounts, the BIG-IP system automatically creates a single user account named Other External Users. This user account represents all of the remotely-stored BIG-IP user accounts that conform to the default access-control properties defined on the BIG-IP system.

Specifying LDAP or Active Directory server information

Before you begin:
  • Verify that the BIG-IP system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
  • If you want to verify the certificate of the authentication server, import one or more SSL certificates.
You can configure the BIG-IP system to use an LDAP or Microsoft Windows Active Directory server to authenticate BIG-IP system user accounts, that is, administrative traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remote role group. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - LDAP or Remote - Active Directory.
  5. In the Host field, type the IP address of the remote server. The route domain to which this address pertains must be route domain 0.
  6. For the Port setting, retain the default port number (389) or type a new port number. This number represents the port number that the BIG-IP system uses to access the remote server.
  7. In the Remote Directory Tree field, type the location in the directory tree (the search base) of the user authentication database on the LDAP or Active Directory server. At minimum, you must specify a domain component (for example, dc=[value]).
  8. For the Scope setting, retain the default value (Sub) or select a new value. This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  9. For the Bind setting, specify a user ID login for the remote server:
    1. In the DN field, type the distinguished name for the remote user ID.
    2. In the Password field, type the password for the remote user ID.
    3. In the Confirm field, re-type the password that you typed in the Password field.
  10. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
    1. From the SSL CA Certificate list, select the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. From the SSL Client Key list, select the name of the client SSL key. Use this setting only when the remote server requires that the client present a certificate.
    3. From the SSL Client Certificate list, select the name of the client SSL certificate. Use this setting only if the remote server requires that the client present a certificate.
  11. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  12. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  13. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option    Description
    Disabled  Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh      Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  14. Click Finished.
You can now authenticate administrative traffic for user accounts that are stored on a remote LDAP or Active Directory server. If you have no need to configure group-based user authorization, your configuration tasks are complete.

Specifying RADIUS server information

Before you begin:
  • Verify that the BIG-IP system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a RADIUS server to authenticate BIG-IP system user accounts, that is, administrative traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a role group that is defined on the remote authentication server. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - RADIUS.
  5. For the Primary setting:
    1. In the Host field, type the name of the primary RADIUS server. The route domain with which this host is associated must be route domain 0.
    2. In the Secret field, type the password for access to the primary RADIUS server.
    3. In the Confirm field, re-type the RADIUS secret.
  6. If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting:
    1. In the Host field, type the name of the secondary RADIUS server. The route domain with which this host is associated must be route domain 0.
    2. In the Secret field, type the password for access to the secondary RADIUS server.
    3. In the Confirm field, re-type the RADIUS secret.
  7. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  8. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  9. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option    Description
    Disabled  Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh      Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  10. Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote RADIUS server. If you have no need to configure group-based user authorization, your configuration tasks are complete.

Specifying TACACS+ server information

Before you begin:
  • Verify that the BIG-IP system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a TACACS+ server to authenticate BIG-IP system user accounts, that is, administrative traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remote role group. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - TACACS+.
  5. For the Servers setting, type an IP address for the remote TACACS+ server. The route domain to which this address pertains must be route domain 0.
  6. Click Add. The IP address for the remote TACACS+ server appears in the Servers list.
  7. In the Secret field, type the password for access to the TACACS+ server.
    Warning: Do not include the symbol # in the secret. Doing so causes authentication of local user accounts (such as root and admin) to fail.
  8. In the Confirm Secret field, re-type the TACACS+ secret.
  9. From the Encryption list, select an encryption option:
    Option    Description
    Enabled   Specifies that the system encrypts the TACACS+ packets.
    Disabled  Specifies that the system sends unencrypted TACACS+ packets.
  10. In the Service Name field, type the name of the service that the user is requesting to be authenticated to use (usually ppp). Specifying the service causes the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall.
  11. In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field. This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
  12. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  13. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  14. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option    Description
    Disabled  Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh      Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  15. Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote TACACS+ server. If you have no need to configure group-based user authorization, your configuration tasks are complete.
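What the Encryption setting in step 9 actually toggles, as an added example that is not F5 code: TACACS+ (RFC 8907, section 4.5) protects a packet body by XORing it with an MD5-derived pseudo-pad keyed on the shared secret (the RFC itself calls this obfuscation rather than encryption), and with the option Disabled the header carries TAC_PLUS_UNENCRYPTED_FLAG and the body, password included, crosses the management network as plaintext. The session id, secret and body bytes below are constructed sample values.

```python
"""What the TACACS+ Encryption option toggles: RFC 8907 body obfuscation.

Added example, not F5 code. Session id, shared secret and body are constructed.
"""
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag bit that corresponds to "Encryption: Disabled"
TAC_PLUS_MAJOR_VER = 0xC0         # major version 0xc in the high nibble, minor version 0


def pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream from RFC 8907 section 4.5, truncated to the body length.

    MD5_1 = MD5(session_id | secret | version | seq_no)
    MD5_n = MD5(session_id | secret | version | seq_no | MD5_{n-1})
    """
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(body: bytes, session_id: int, secret: bytes, seq_no: int,
                   flags: int, version: int = TAC_PLUS_MAJOR_VER) -> bytes:
    """Obfuscate or de-obfuscate a TACACS+ body (XOR is its own inverse).

    When the unencrypted flag is set the body is returned untouched, which is
    exactly what "Encryption: Disabled" puts on the wire.
    """
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


if __name__ == "__main__":
    # Constructed values: a fake authentication START body that carries a password.
    secret, session_id, seq_no = b"example-shared-secret", 0x1A2B3C4D, 1
    body = b"\x01\x01\x02\x01\x05\x04\x00\x08" + b"alice" + b"tty0" + b"hunter22"
    enabled = transform_body(body, session_id, secret, seq_no, flags=0)
    disabled = transform_body(body, session_id, secret, seq_no, flags=TAC_PLUS_UNENCRYPTED_FLAG)
    print("Encryption Enabled : password readable on the wire =", b"hunter22" in enabled)
    print("Encryption Disabled: password readable on the wire =", b"hunter22" in disabled)
```

Because the pad is derived only from the secret and header fields, a secret that is weak or shared widely gives the same exposure as disabling the option; the block is a reason to keep it Enabled and the secret strong, not a substitute for transport protection of the management network.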

Effects of remote user authorization on user accounts

You can sometimes inadvertently affect your own user account if the BIG-IP system is configured to perform remote user authentication and you or another system administrator changes the default role or partition assigned to all external user accounts:

  • If you log in to the BIG-IP system using one of these remotely-authenticated Administrator accounts, and you or another Administrator user modifies the default role of all external accounts from Administrator to a lesser role, the system modifies the user role of your own account to the lesser role. However, the change to your own account does not actually occur until you log out and log in again to the BIG-IP system.
  • Similarly, your user account can be affected if the BIG-IP system is configured to perform remote user authentication, and the default partition assigned to all external user accounts is a specific partition. In this case, if you are logged on to the BIG-IP system through the command line using one of the remotely-authenticated accounts, and another user who is logged on through the BIG-IP Configuration utility modifies the default partition for external users, the BIG-IP system immediately logs you out when you attempt to issue another command.
  • When you specify the type of remote server, you can also configure some server settings. For example, you can specify the user role you would like the BIG-IP system to assign to a remote account if you do not explicitly assign one.
  • Once you have configured the remote server, if you want any of the remote accounts to have a non-default user role, you can explicitly assign a user role to those accounts.
  • If the remote authentication server is an Active Directory or LDAP server and is set up to authenticate SSL traffic, there is an additional feature that you can enable. You can configure the BIG-IP system to perform the server-side SSL handshake that the remote server would normally perform when authenticating client traffic. In this case, there are some preliminary steps you must perform to prepare for remote authentication using SSL.
Important: If a BIG-IP system administrator changes the user role or partition assignment (or both) for any remote user account, the BIG-IP system logs out all users immediately. (A remote user account in this case refers to Other External Users.)

Changing the default remote-account authorization

  1. On the Main tab, click System > Users > Authentication.
  2. Click Change.
  3. From the User Directory list, select Remote - Active Directory, Remote - LDAP, Remote - RADIUS, or Remote - TACACS+.
  4. From the Role list, select a user role. The BIG-IP system assigns this user role to any remote account to which you have not explicitly assigned a user role.
  5. From the Partition Access list, select a partition name.
  6. From the Terminal Access list, select Enabled or Disabled.
  7. Click Update.

Authorization for group-based remote user accounts

If you want to assign the same non-default access control properties to a group of remotely-stored user accounts, you can use the remote role groups feature. This feature stores all access control information on a group-wide basis for remotely-stored user accounts.

After using the remote role groups feature, you can propagate that access-control information to all BIG-IP devices on the network, using the single configuration file (SCF) feature. The remote role groups feature, combined with the SCF feature, removes the need to manually assign access control properties to each individual BIG-IP user within a group, on each BIG-IP device on your network.

You can access the remote role groups feature by logging into the BIG-IP Configuration utility and navigating to System > Users > Remote Role Groups.

Values for the remote role variable

This table lists the allowed values for a variable that you use for defining a role for a remotely-stored user account.

  User Role                            Value
  Administrator                        0
  Resource Administrator
  User Manager                         40
  Manager                              100
  Application Editor                   300
  Operator                             400
  Guest                                700
  Application Security Policy Editor   800
  No Access                            900

About viewing remote user accounts

Using the BIG-IP Configuration utility, you can display a list of those remote user accounts to which you explicitly assigned a non-default user role. If a remote user account has the default role assigned to it, you cannot see that account in the user account list.

Any users who have access to a partition in which remote accounts reside can view a list of remote user accounts.

Displaying a list of remote user accounts with non-default user roles

  1. On the Main tab, click System > Users.
  2. On the menu bar, click Authentication.
  3. Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
  4. On the menu bar, click User List.
  5. View the list of user accounts. Remote user accounts that are assigned the default user role appear as Other External Users.

Viewing the properties of a remote user account

  1. On the Main tab, click System > Users.
  2. On the menu bar, click Authentication.
  3. Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
  4. On the menu bar, click User List.
  5. View the list of user accounts. Remote user accounts that are assigned the default user role appear as Other External Users.
  6. In the user-account list, find the user account you want to view and click the account name. This displays the properties of that user account.
    Note: The only properties displayed for a remote user account are the account name, the user role assigned to the account, the account’s partition access, and the account’s terminal access.

About auditing user access to the system

The BIG-IP system generates a log message whenever a user or an application attempts to log in to or log out of the system. The system logs both successful and unsuccessful login attempts. The system stores these log messages in the /var/log/secure file.

When the system logs an authentication message in the /var/log/secure file, the message can contain the following types of information:

  • The connecting user's ID
  • The IP address or host name of the user's interface
  • The time of each login attempt
  • Successful login attempts for command line interface sessions only
  • Failed login attempts for command line interface, BIG-IP Configuration utility, and iControl sessions
  • The time of the logout for command line interface sessions only
This is an example of log messages for both successful and failed login attempts made by user jsmith:

  May 10 16:25:25 jsmith-dev sshd[13272]: pam_audit: user: jsmith(jsmith) from: /dev/pts/10 at jsmith-dev attempts: 1 in: [Thu May 10 16:25:23 2007 ] out: [Thu May 10 16:25:25 2007 ]
  May 10 16:14:56 jsmith-dev sshd[716]: pam_audit: User jsmith from ssh at jsmith-dev failed to login after 1 attempts (start: [Thu May 10 16:14:53 2007 ] end: [Thu May 10 16:14:56 2007 ]).
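The two pam_audit message shapes above are what a defender actually has to parse when reviewing /var/log/secure. The following is an added example (not from the F5 manual) that extracts user, source, attempt count and timestamps from both shapes and flags any user whose failed attempts, summed over a sliding window, reach a threshold. The two jsmith lines are the manual's; the mallory lines and the cron line are constructed sample input.

```python
"""Parse BIG-IP /var/log/secure pam_audit messages and flag repeated failures.

Added example, not from the F5 manual. The two jsmith lines are copied from
the manual; the mallory lines and the cron line are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Syslog prefix shared by both shapes: "May 10 16:25:25 jsmith-dev sshd[13272]: pam_audit: "
_PREFIX = (r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
           r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: pam_audit: ")
# Successful CLI session (written at logout, so it carries in/out times).
_SUCCESS = re.compile(_PREFIX + r"user: (?P<user>[^(\s]+)\((?P<ruser>[^)]*)\) from: (?P<src>\S+) "
                      r"at (?P<at>\S+) attempts: (?P<attempts>\d+) in: \[(?P<start>[^\]]*)\] "
                      r"out: \[(?P<end>[^\]]*)\]\s*$")
# Failed login (CLI, Configuration utility or iControl).
_FAILURE = re.compile(_PREFIX + r"User (?P<user>\S+) from (?P<src>\S+) at (?P<at>\S+) failed to "
                      r"login after (?P<attempts>\d+) attempts \(start: \[(?P<start>[^\]]*)\] "
                      r"end: \[(?P<end>[^\]]*)\]\)\.?\s*$")
_AUDIT_TIME = "%a %b %d %H:%M:%S %Y"  # bracketed timestamps, e.g. "Thu May 10 16:14:53 2007"


@dataclass(frozen=True)
class AuditEvent:
    user: str
    source: str      # tty or service the attempt came through, e.g. /dev/pts/10 or ssh
    host: str
    attempts: int
    success: bool
    start: datetime
    end: datetime


def parse_pam_audit(line: str):
    """Return an AuditEvent for a pam_audit line, or None for any other line."""
    for pattern, success in ((_SUCCESS, True), (_FAILURE, False)):
        m = pattern.match(line)
        if m:
            return AuditEvent(m["user"], m["src"], m["host"], int(m["attempts"]), success,
                              datetime.strptime(m["start"].strip(), _AUDIT_TIME),
                              datetime.strptime(m["end"].strip(), _AUDIT_TIME))
    return None


def parse_log(lines):
    return [e for e in map(parse_pam_audit, lines) if e is not None]


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Users whose summed failed attempts inside any sliding window reach threshold.

    Each failure message carries its own attempt count, so counts are summed
    rather than messages counted. Returns {user: peak failures seen in a window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if not e.success:
            by_user[e.user].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.end)
        lo, running = 0, 0
        for e in evs:
            running += e.attempts
            while e.end - evs[lo].end > window:   # slide the window's left edge forward
                running -= evs[lo].attempts
                lo += 1
            if running >= threshold:
                alerts[user] = max(alerts.get(user, 0), running)
    return alerts


SAMPLE_LOG = [  # first two lines are the manual's; the rest are constructed
    "May 10 16:25:25 jsmith-dev sshd[13272]: pam_audit: user: jsmith(jsmith) from: /dev/pts/10 at jsmith-dev attempts: 1 in: [Thu May 10 16:25:23 2007 ] out: [Thu May 10 16:25:25 2007 ]",
    "May 10 16:14:56 jsmith-dev sshd[716]: pam_audit: User jsmith from ssh at jsmith-dev failed to login after 1 attempts (start: [Thu May 10 16:14:53 2007 ] end: [Thu May 10 16:14:56 2007 ]).",
    "May 10 16:30:10 jsmith-dev sshd[801]: pam_audit: User mallory from ssh at jsmith-dev failed to login after 3 attempts (start: [Thu May 10 16:29:50 2007 ] end: [Thu May 10 16:30:10 2007 ]).",
    "May 10 16:31:02 jsmith-dev sshd[812]: pam_audit: User mallory from ssh at jsmith-dev failed to login after 3 attempts (start: [Thu May 10 16:30:40 2007 ] end: [Thu May 10 16:31:02 2007 ]).",
    "May 10 16:31:05 jsmith-dev CROND[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print("OK  " if e.success else "FAIL", e.user, e.source, e.attempts, e.end)
    print("alerts:", failed_login_alerts(events))
```

Note that the syslog prefix carries no year, so the parser takes session times from the bracketed pam_audit timestamps, which do.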