Manual Chapter: Configuring Remote User Authentication and Authorization

Overview: Remote authentication and authorization of BIG-IP user accounts

The BIG-IP® system includes a comprehensive solution for managing BIG-IP administrative accounts on your network. With this solution, you can:

Use a remote server to store BIG-IP system user accounts.
The BIG-IP system includes support for using a remote authentication server to store BIG-IP system user accounts. After creating BIG-IP system accounts on the remote server (using the server vendor's instructions), you can configure the BIG-IP system to use remote user authentication and authorization (access control) for that server type.
Assign group-based access.
The BIG-IP system includes an optional feature known as remote role groups. With the remote role groups feature, you can use existing group definitions on the remote server to define the access control properties for users in a group. This feature not only provides more granularity in assigning user privileges, but also removes any need to duplicate remote user accounts on the BIG-IP system for the purpose of assigning those privileges.
Propagate a set of authorization data to multiple BIG-IP systems.
The BIG-IP system includes a tool for propagating BIG-IP system configuration data to multiple BIG-IP devices on the network. This tool is known as the Single Configuration File (SCF) feature.

Task summary

You can configure the BIG-IP® system to authorize user accounts that are stored on a remote authentication server.

Important: If you configure access control settings for group-based accounts (using the remote role groups feature), the BIG-IP system always applies those settings, rather than the default access control settings, to group-based accounts.

The BIG-IP® system supports several types of authentication servers for storing BIG-IP system administrative user accounts. The actual procedure you use to specify the type of remote server differs, depending on the server type.

Task list

Specifying LDAP or Active Directory server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
  • If you want to verify the certificate of the authentication server, import one or more SSL certificates.
You can configure the BIG-IP system to use an LDAP or Microsoft® Windows® Active Directory® server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based access control. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remotely-stored user group. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication .
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - LDAP or Remote - Active Directory.
  5. In the Host field, type the IP address of the remote server.
    The route domain to which this address pertains must be route domain 0.
  6. For the Port setting, retain the default port number (389) or type a new port number.
    This number represents the port number that the BIG-IP system uses to access the remote server.
  7. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server.
    At minimum, you must specify a domain component (that is, dc=[value]).
  8. For the Scope setting, retain the default value (Sub) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  9. For the Bind setting, specify a user ID login for the remote server:
    1. In the DN field, type the distinguished name for the remote user ID.
    2. In the Password field, type the password for the remote user ID.
    3. In the Confirm field, re-type the password that you typed in the Password field.
  10. In the User Template field, type a string that contains a variable representing the distinguished name of the user, in the format %s.
    This field can contain only one %s and cannot contain any other format specifiers.
    For example, you can specify a user template such as %s@siterequest.com or uid=%s,ou=people,dc=siterequest,dc=com.
    The result is that when a user attempts to log on, the system replaces %s with the user name specified in the Basic Authentication dialog box, and passes that name as the distinguished name for the bind operation. The system also passes the associated password as the password for the bind operation.
  11. For the Check Member Attribute in Group setting, select the check box if you want the system to check the user's member attribute in the remote LDAP or AD group.
  12. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
    1. From the SSL CA Certificate list, select the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. From the SSL Client Key list, select the name of the client SSL key.
      Use this setting only when the remote server requires that the client present a certificate.
    3. From the SSL Client Certificate list, select the name of the client SSL certificate.
      Use this setting only if the remote server requires that the client present a certificate.
  13. In the Login LDAP Attribute field, type the account name for the LDAP server.
    The value for this option is normally the user ID. However, if the server is a Microsoft® Windows® Active Directory® server, the value must be the account name sAMAccountName (case-sensitive). The default value is none.
  14. From the Client Certificate Name Field list:
    1. Select either a subject alternate name or the subject name (Common Name).
    2. If you select the subject alternate name Other Name, then in the OID field, type an object identifier (OID).
      The OID indicates the format and semantics of the subject alternate name.
  15. For the Fallback to Local setting, select the check box if you want the system to fall back to local authentication when the remote server is unavailable.
    With fallback enabled, the locally stored accounts (including admin and root) can still log in whenever the remote server cannot be reached, so keep their passwords strong and review them as part of the remote authentication design.
  16. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  17. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  18. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option Description
    Disabled Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  19. Click Finished.
You can now authenticate administrative user accounts that are stored on a remote LDAP or Active Directory server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.
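The following shell functions are an added example, not part of the F5 page or of the BIG-IP software. They check a User Template the way the field in step 10 constrains it (exactly one %s, no other format specifier), show how a login name is substituted into it to form the bind DN, and print (without running) the tmsh commands that correspond to steps 4 through 19. The host, DNs, bind account and CA certificate name are placeholders, and the tmsh property names are assumptions to confirm with tmsh help auth ldap on your version. The login-name allowlist is this example's own guard: the page does not say how the system treats a login name containing DN metacharacters such as "," or "=", so the example refuses them before they reach the template.

```shell
#!/bin/sh
# Added example (not from the F5 page): local checks on the User Template and
# login name, then the tmsh equivalent of the GUI steps, printed rather than run.
# Host, DNs, bind account and CA certificate are placeholders. The tmsh property
# names are assumptions; confirm them with "tmsh help auth ldap" on your version.

# Exactly one %s and no other % specifier, the constraint the User Template
# field states. Returns 0 when the template is acceptable.
user_template_check() {
    count=$(printf '%s\n' "$1" | awk '{ print gsub(/%s/, "") }')
    [ "$count" -eq 1 ] || return 1
    rest=$(printf '%s\n' "$1" | sed 's/%s//')
    case $rest in
        *%*) return 1 ;;
    esac
    return 0
}

# Only characters that cannot restructure a DN or a UPN are allowed in the
# login name. This allowlist is the example's own policy, not a BIG-IP rule.
login_name_check() {
    case $1 in
        '' | *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Substitutes the login name into the template using plain string splitting,
# so the name is never interpreted as a pattern or a format string.
user_template_expand() {
    user_template_check "$1" || return 1
    login_name_check "$2" || return 1
    ph='%s'
    printf '%s%s%s\n' "${1%%$ph*}" "$2" "${1#*$ph}"
}

# Prints the tmsh commands equivalent to steps 4 through 19 above.
# Arguments: host port search-base bind-dn user-template login-attribute ca-cert
# bind-pw is left out on purpose: set it separately so the password does not
# end up in a script or in shell history.
ldap_auth_tmsh() {
    user_template_check "$5" || { echo "rejecting user template: $5" >&2; return 1; }
    cat <<EOF
tmsh modify auth ldap system-auth { servers replace-all-with { $1 } port $2 scope sub search-base-dn "$3" bind-dn "$4" user-template "$5" login-attribute $6 check-roles-group enabled ssl enabled ssl-ca-cert-file $7 }
tmsh modify auth source type ldap fallback true
tmsh modify auth remote-user default-role guest default-partition Common remote-console-access disabled
tmsh save sys config
EOF
}

# Demonstration with placeholder values (not a real deployment).
ldap_auth_tmsh 192.0.2.10 636 'dc=siterequest,dc=com' \
    'cn=bigip-bind,ou=service,dc=siterequest,dc=com' \
    'uid=%s,ou=people,dc=siterequest,dc=com' uid /Common/corp-ca.crt
```

The default role printed is guest with console access disabled; the remote role groups task later in this chapter is where administrators and operators get their real privileges, so the default stays as small as possible.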

Specifying client certificate LDAP server information

Verify that the required user accounts for the BIG-IP® system exist on the remote authentication server.

For authenticating BIG-IP system user accounts (that is, traffic that passes through the management interface [MGMT]), you can configure the BIG-IP system to authenticate users by a client certificate issued by a certificate authority (CA) whose certificate you import in step 1, and then to look up the certificate holder in a remote LDAP directory.
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. They are the default values that the BIG-IP system applies to any user account that is not part of a remote role group; a locally configured user account of the same name overrides the default role for that user.
  1. On the Main tab, click System > File Management > Apache Certificate List > Import , browse for the certificate file to import, type a name, and click Import.
    The certificate will be added to the Apache Certificate list.
  2. On the Main tab, click System > Users > Authentication .
  3. On the menu bar, click Authentication.
  4. Click Change.
  5. From the User Directory list, select Remote - ClientCert LDAP.
  6. In the Host field, type the IP address of the remote server.
    The route domain to which this address pertains must be route domain 0.
  7. For the Port setting, retain the default port number (389) or type a new port number.
    This number represents the port number that the BIG-IP system uses to access the remote server.
  8. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the client certificate server.
    At minimum, you must specify a domain component (that is, dc=[value]).
  9. For the Scope setting, retain the default value (Sub) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  10. For the Bind setting, specify a user ID login for the remote server:
    1. In the DN field, type the distinguished name for the remote user ID.
    2. In the Password field, type the password for the remote user ID.
    3. In the Confirm field, re-type the password that you typed in the Password field.
  11. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
    1. From the SSL CA Certificate list, select the name of a chain certificate; that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. From the SSL Client Key list, select the name of the client SSL key.
      Use this setting only when the remote server requires that the client present a certificate.
    3. From the SSL Client Certificate list, select the name of the client SSL certificate.
      Use this setting only if the remote server requires that the client present a certificate.
  12. In the CA Certificate field, type the absolute folder path of apache-ssl-cert fileobject for the CA signing authority.
    The absolute folder path is /Common/<folder path>/<certificate name>. To determine the absolute folder path of the apache-ssl-cert fileobject, click System > File Management > Apache Certificate List and note the target certificate's partition and path.
    Important: Apache certificates can only be stored within /Common.
  13. In the Login Name field, type an LDAP search prefix that will contain the distinguished name (DN) from the user certificate, such as CN.
    This specifies the LDAP attribute to be used as a login name. The default is disabled.
  14. In the Login LDAP Attribute field, type the account name for the LDAP server.
    The value for this option is normally the user ID. However, if the server is a Microsoft® Windows® Active Directory® server, the value must be the account name sAMAccountName (case-sensitive). The default value is none.
  15. In the Login Filter field, type the LDAP attribute that contains the short name of the user.
    This specifies the filter to be applied on the common name (CN) of the client certificate and usually this is the user ID or sAMAccountName. The filter is a regular expression used to extract required information from the CN of the client certificate that is matched against the LDAP search results. The default is disabled.
  16. For the Depth setting, retain the default value (10) or type a new value for verification depth.
  17. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  18. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  19. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option Description
    Disabled Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  20. Click Finished.
You can now authenticate administrative traffic for user accounts that are stored on a remote client certificate server. If you have no need to configure group-based user authorization, your configuration tasks are complete.

Specifying RADIUS server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a RADIUS server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a role group that is defined on the remote authentication server. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication .
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - RADIUS.
  5. For the Primary setting:
    1. In the Host field, type the name of the primary RADIUS server.
      The route domain with which this host is associated must be route domain 0.
    2. In the Secret field, type the password for access to the primary RADIUS server.
    3. In the Confirm field, re-type the RADIUS secret.
  6. If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting:
    1. In the Host field, type the name of the secondary RADIUS server.
      The route domain with which this host is associated must be route domain 0.
    2. In the Secret field, type the password for access to the secondary RADIUS server.
    3. In the Confirm field, re-type the RADIUS secret.
  7. For the Fallback to Local setting, select the check box if you want the system to fall back to local authentication when the remote server is unavailable.
  8. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  9. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  10. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option Description
    Disabled Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  11. Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote RADIUS server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.

Specifying TACACS+ server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a TACACS+ server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remote role group. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication .
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - TACACS+.
  5. For the Fallback to Local setting, select the check box if you want the system to fall back to local authentication when the remote server is unavailable.
  6. For the Servers setting, type an IP address for the remote TACACS+ server.
    The route domain to which this address pertains must be route domain 0.
  7. Click Add.
    The IP address for the remote TACACS+ server appears in the Servers list.
  8. In the Secret field, type the password for access to the TACACS+ server.
    Warning: Do not include the symbol # in the secret. Doing so causes authentication of local user accounts (such as root and admin) to fail.
  9. In the Confirm Secret field, re-type the TACACS+ secret.
  10. From the Encryption list, select an encryption option:
    Option Description
    Enabled Specifies that the system encrypts the TACACS+ packets.
    Disabled Specifies that the system sends unencrypted TACACS+ packets, which carry the packet body, including user passwords, in clear text.
  11. In the Service Name field, type the name of the service that the user is requesting to be authenticated to use (usually ppp).
    Specifying the service causes the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall.
  12. In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field.
    This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
  13. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  14. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  15. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option Description
    Disabled Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  16. Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote TACACS+ server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.
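The shell functions below are an added example, not part of the F5 page or of the BIG-IP software, covering both the RADIUS and the TACACS+ procedures above. They reject a shared secret that contains the # character (the warning in the TACACS+ steps) before it is configured, and print (without running) the tmsh commands corresponding to each procedure. Server addresses and the sample secret are placeholders, the minimum secret length is the example's own policy, and the tmsh object and property names are assumptions to confirm with tmsh help auth radius and tmsh help auth tacacs on your version.

```shell
#!/bin/sh
# Added example (not from the F5 page): a shared-secret check for the RADIUS
# and TACACS+ procedures above, and the tmsh equivalents printed rather than run.
# Server addresses are placeholders. The tmsh object and property names are
# assumptions; confirm with "tmsh help auth radius" and "tmsh help auth tacacs".

# Rejects a secret that is empty, contains "#" (the TACACS+ warning above, which
# breaks local logins such as root and admin), or is shorter than this
# example's own minimum.
shared_secret_check() {
    [ -n "$1" ] || return 1
    case $1 in *'#'*) return 1 ;; esac
    [ "${#1}" -ge 16 ] || return 1    # example policy, not a BIG-IP rule
    return 0
}

# Prints tmsh for a primary and an optional secondary RADIUS server.
# Arguments: secret primary-host [secondary-host]
# Use "modify" instead of "create" when the objects already exist.
radius_auth_tmsh() {
    shared_secret_check "$1" || { echo "rejecting RADIUS secret" >&2; return 1; }
    echo "tmsh create auth radius-server system_auth_name1 { server $2 secret \"$1\" }"
    servers=system_auth_name1
    if [ -n "${3:-}" ]; then
        echo "tmsh create auth radius-server system_auth_name2 { server $3 secret \"$1\" }"
        servers="system_auth_name1 system_auth_name2"
    fi
    echo "tmsh create auth radius system-auth { servers replace-all-with { $servers } }"
    echo "tmsh modify auth source type radius fallback true"
}

# Prints tmsh for one or more TACACS+ servers with packet encryption enabled,
# service ppp and protocol ip as in steps 10 through 12 above.
# Arguments: secret host [host ...]
tacacs_auth_tmsh() {
    shared_secret_check "$1" || { echo "rejecting TACACS+ secret" >&2; return 1; }
    secret=$1; shift
    echo "tmsh create auth tacacs system-auth { servers replace-all-with { $* } secret \"$secret\" service ppp protocol ip encryption enabled }"
    echo "tmsh modify auth source type tacacs fallback true"
}

# Demonstration with placeholder values (not a real secret or deployment).
radius_auth_tmsh 'correct-horse-battery-staple' 192.0.2.20 192.0.2.21
tacacs_auth_tmsh 'correct-horse-battery-staple' 192.0.2.30
```

Because the printed commands contain the secret, paste them into an interactive tmsh session or a file with restrictive permissions rather than running them from a shell where they would be kept in history.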

Configuring access control for remote user groups

You perform this task to assign a user role, a corresponding administrative partition, and a type of terminal access to a remotely-stored group of user accounts. For a given user group, you can assign as many role-partition combinations as you need, as long as each role is associated with a different partition. If the partition you associate with a role is All, this entry might or might not take effect, depending on whether the All designation conflicts with other role-partition combinations for that user group. For any conflicts, line order in the configuration is a consideration. To assign multiple role-partition combinations for a user group, you repeat this task for each combination, specifying the same attribute string for each task.

  1. On the Main tab, click System > Users .
  2. On the menu bar, click Remote Role Groups.
  3. Click Create.
  4. In the Group Name field, type the group name that is defined on the remote authentication server.
    An example of a group name is BigIPOperatorsGroup.
  5. In the Line Order field, type a number.
    This value specifies the order of this access control configuration in the file /config/bigip/auth/remoterole for the named group. The BIG-IP system reads this file line by line when it evaluates a remotely authenticated user's group attributes, so the order of the entries is important. F5 Networks recommends that you specify a value of 1000 for the first line number, which leaves room to insert lines before the first line in the future.
  6. In the Attribute String field, type an attribute.
    An example of an attribute string is memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net.
    The BIG-IP system attempts to match this attribute with an attribute on the remote authentication server. On finding a match, the BIG-IP system applies the access control settings defined here to the users in that group. If a match is not found, the system applies the default access control settings to all remotely-stored user accounts (excluding any user account for which access control settings are individually configured).
  7. From the Remote Access list, select a value.
    Option Description
    Enabled Choose this value if you want to enable remote access for the defined user group.
    Disabled Choose this value if you want to disable remote access for the defined user group. Note that if you configure multiple instances of this remote role group (one instance for each role-partition pair for the attribute string), then choosing a value of Disabled disables remote access for all user group members, regardless of the remote role group instance.
  8. From the Assigned Role list, select a user role for the remote user group.
  9. From the Partition Access list, select an administrative partition value.
    Option Description
    All Choose this value to give users in the defined group access to their authorized objects in all partitions on the BIG-IP system.
    partition_name Choose a specific partition name to give users in the defined group access to that partition only.
    Common Choose this value to give users in the defined group access to partition Common only.
  10. From the Terminal Access list, select the type of command-line access you want to grant users in the group, if any.
  11. Click Finished or Repeat.
After you perform this task, the user group that you specified has the assigned role, partition access, and terminal access properties assigned to it.
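The script below is an added example, not part of the F5 page or of the BIG-IP software. It takes a planned set of remote role group entries (one per role-partition combination, as the task above describes), rejects duplicate line orders and a second entry for the same group in the same partition, warns when a group mixes the All partition with a named partition (the conflict case where line order decides), and prints (without running) one tmsh command per entry in line order. The group DNs and the plan are constructed; the tmsh property names, the lower-case spelling of the All partition, and the mapping of Remote Access to the deny property are assumptions to confirm with tmsh help auth remote-role on your version.

```shell
#!/bin/sh
# Added example (not from the F5 page): sanity checks on a planned set of
# remote role group entries, then the tmsh equivalent printed rather than run.
# Group DNs are placeholders. The tmsh property names, "user-partition all" and
# the "deny" mapping for Remote Access are assumptions; confirm them with
# "tmsh help auth remote-role".

# One planned entry per line: line-order|attribute string|role|partition|terminal access
# (constructed sample; the third line is a second role-partition pair for the
# same attribute string, as the task above describes)
REMOTE_ROLE_PLAN='1000|memberOF=cn=BigIPAdminsGroup,cn=users,dc=dev,dc=net|administrator|All|tmsh
2000|memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net|operator|All|tmsh
3000|memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net|guest|Common|disabled'

# Fails on a duplicate line order or a repeated entry for the same group and
# partition; warns when a group mixes All with a named partition.
remote_role_plan_check() {
    printf '%s\n' "$1" | awk -F'|' '
        NF != 5                   { printf "malformed entry: %s\n", $0; bad = 1; next }
        ($1 in orders)            { printf "duplicate line order %s\n", $1; bad = 1 }
        (($2 SUBSEP $4) in pairs) { printf "second entry for %s in partition %s\n", $2, $4; bad = 1 }
        { orders[$1] = 1; pairs[$2 SUBSEP $4] = 1; parts[$2] = parts[$2] " " $4 }
        END {
            for (attr in parts)
                if (index(parts[attr] " ", " All ") && split(parts[attr], t, " ") > 1)
                    printf "warning: %s mixes All with a named partition; line order decides\n", attr
            exit bad
        }'
}

# Prints one tmsh command per entry, sorted by line order. The object name is
# the group CN plus the partition so each role-partition pair is its own entry.
remote_role_plan_tmsh() {
    printf '%s\n' "$1" | sort -t '|' -k 1,1n | awk -F'|' '{
        name = $2; sub(/^memberOF=cn=/, "", name); sub(/,.*/, "", name)
        part = ($4 == "All") ? "all" : $4   # assumption: tmsh spells All in lower case
        printf "tmsh create auth remote-role role-info %s_%s { attribute \"%s\" line-order %s role %s user-partition %s console %s deny disabled }\n", name, part, $2, $1, $3, part, $5
    }'
}

# Demonstration: check the constructed plan, then print its tmsh form.
remote_role_plan_check "$REMOTE_ROLE_PLAN" && remote_role_plan_tmsh "$REMOTE_ROLE_PLAN"
```

Keeping the plan in one file and regenerating the commands from it is also the simplest way to keep the 1000-spaced line orders consistent when a new group has to be inserted ahead of an existing one.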

Saving access control settings to a file

You can save the running configuration of the system, including all settings for remote user authentication and authorization, in a flat, text file with a specified name and the extension .scf.
  1. On the BIG-IP® system, access a command-line prompt.
  2. At the prompt, open the Traffic Management Shell by typing the command tmsh.
  3. Type sys save filename .
    sys save myConfiguration053107 creates the file myConfiguration053107.scf in the /var/local/scf directory.
    sys save /config/myConfiguration creates the file myConfiguration.scf in the /config directory.
You can now import this file onto other BIG-IP devices on the network.

Importing BIG-IP configuration data onto other BIG-IP systems

You can use the tmsh sys load command to import a single configuration file (SCF), including access control data, onto other BIG-IP® devices on the network.
Note: This task is optional.
  1. On the BIG-IP system on which you created the SCF, access a command-line prompt.
  2. Copy the SCF that you previously created to a location on your network that you can access from the system that you want to configure.
  3. Edit the SCF to reflect the management routing and special passwords of the BIG-IP system that you want to configure:
    1. Open the SCF in an editor.
    2. Where necessary, change the values of the management IP address, network mask, management default route, self IP addresses, virtual server IP addresses, routes, default routes, and host name fields to the values for the new system.
    3. If necessary, change the passwords for the root and admin accounts using the command user name password none newpassword password .
      Important: When configuring a unit that is part of a redundant system configuration and that is using the SCF from the peer unit, do not modify the root and admin accounts. These accounts must be identical on both units of the redundant system.
    4. Save the edited SCF.
  4. On the BIG-IP system that you want to configure, open the Traffic Management Shell by typing the command tmsh.
  5. Type sys load scf_filename .
    sys load myConfiguration053107.scf saves a backup of the running configuration in the /var/local/scf directory, and then resets the running configuration with the configuration contained in the SCF you are loading.
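The script below is an added example, not part of the F5 page or of the BIG-IP software. It implements the pre-load check that step 3 above implies: read the hostname and management address out of an SCF, list the local accounts whose encrypted passwords the file carries, and refuse to proceed unless the file names the unit it is about to be loaded on rather than the unit it came from. The SCF text is a constructed fragment with placeholder values; only the stanza names follow the SCF format.

```shell
#!/bin/sh
# Added example (not from the F5 page): before "sys load", confirm the SCF
# carries the target unit's identity, and list the local accounts whose
# passwords it would replace. SAMPLE_SCF is a constructed fragment, not a real
# device's file; hostnames, addresses and hashes are placeholders.

SAMPLE_SCF='sys global-settings {
    hostname bigip1.siterequest.com
}
sys management-ip 192.0.2.10/24 {
    description configured-statically
}
auth user admin {
    description "Admin User"
    encrypted-password <hash from the source unit>
    shell bash
}
auth user root {
    description root
    encrypted-password <hash from the source unit>
}'

# Hostname from the sys global-settings stanza of the SCF given as $1.
scf_hostname() {
    awk '/^sys global-settings \{/ { in_gs = 1; next }
         in_gs && /^\}/            { in_gs = 0 }
         in_gs && $1 == "hostname" { print $2 }' "$1"
}

# Management address (with prefix length) from the sys management-ip stanza.
scf_mgmt_ip() {
    awk '/^sys management-ip / { print $3 }' "$1"
}

# Local accounts whose encrypted-password lines the SCF would overwrite;
# on a redundant pair these must stay identical, elsewhere they must be changed.
scf_local_users() {
    awk '/^auth user / { print $3 }' "$1"
}

# Returns 0 only when the SCF names the unit it is about to be loaded on.
# Arguments: scf-file expected-hostname expected-management-ip/prefix
scf_identity_check() {
    [ "$(scf_hostname "$1")" = "$2" ] && [ "$(scf_mgmt_ip "$1")" = "$3" ]
}

# Write the constructed sample to a temporary file and run the check against
# a target unit with a different identity, which is the case that must fail.
SCF_FILE=$(mktemp) && printf '%s\n' "$SAMPLE_SCF" > "$SCF_FILE"
echo "SCF hostname: $(scf_hostname "$SCF_FILE")  management IP: $(scf_mgmt_ip "$SCF_FILE")"
echo "local accounts in SCF: $(scf_local_users "$SCF_FILE" | tr '\n' ' ')"
scf_identity_check "$SCF_FILE" bigip2.siterequest.com 192.0.2.11/24 \
    || echo "edit the SCF before running sys load on bigip2" >&2
```

Run the check on the target unit with its own hostname and management address as arguments; a non-zero exit means the file still describes the source unit and step 3 has not been completed.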