Manual Chapter : Remote User Account Management

Applies To:

  • BIG-IP AAM, APM, GTM, Analytics, Link Controller, LTM, PEM, AFM, ASM: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Remote User Account Management

About remote users

Each BIG-IP® system requires one or more administrative user accounts. Rather than store these BIG-IP user accounts locally on the BIG-IP system, you can store them on a remote authentication server (LDAP, Active Directory, RADIUS, or TACACS+). In this case, you create all of your standard BIG-IP user accounts (including user names and passwords) on the remote server, using the mechanism supplied by that server’s vendor. The remote server then performs all authentication of those user accounts.

To implement access control for remotely-stored BIG-IP user accounts, you can use the BIG-IP Configuration utility or tmsh. You first specify information for the type of remote authentication server, and then you configure these access control properties:

  • User role
  • Partition access
  • Terminal access

To ensure easy management of access control for remote accounts, the BIG-IP system automatically creates a single user account named Other External Users. This user account represents all of the remotely-stored BIG-IP user accounts that conform to the access-control properties defined on the BIG-IP system.

Specifying LDAP or Active Directory server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
  • If you want to verify the certificate of the authentication server, import one or more SSL certificates.
You can configure the BIG-IP system to use an LDAP or Microsoft® Windows® Active Directory® server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based access control. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remotely-stored user group. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - LDAP or Remote - Active Directory.
  5. In the Host field, type the IP address of the remote server.
    The route domain to which this address pertains must be route domain 0.
  6. For the Port setting, retain the default port number (389) or type a new port number.
    This number represents the port number that the BIG-IP system uses to access the remote server.
  7. In the Remote Directory Tree field, type the file location (tree) of the user authentication database on the LDAP or Active Directory server.
    At minimum, you must specify a domain component (that is, dc=[value]).
  8. For the Scope setting, retain the default value (Sub) or select a new value.
    This setting specifies the level of the remote server database that the BIG-IP system should search for user authentication.
  9. For the Bind setting, specify a user ID login for the remote server:
    1. In the DN field, type the distinguished name for the remote user ID.
    2. In the Password field, type the password for the remote user ID.
    3. In the Confirm field, re-type the password that you typed in the Password field.
  10. To enable SSL-based authentication, from the SSL list select Enabled and, if necessary, configure these settings:
    1. From the SSL CA Certificate list, select the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
    2. From the SSL Client Key list, select the name of the client SSL key.
      Use this setting only when the remote server requires that the client present a certificate.
    3. From the SSL Client Certificate list, select the name of the client SSL certificate.
      Use this setting only if the remote server requires that the client present a certificate.
  11. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  12. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  13. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option    Description
    Disabled  Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh      Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  14. Click Finished.
You can now authenticate administrative user accounts that are stored on a remote LDAP or Active Directory server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.

Specifying RADIUS server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a RADIUS server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a role group that is defined on the remote authentication server. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - RADIUS.
  5. For the Primary setting:
    1. In the Host field, type the name of the primary RADIUS server.
      The route domain with which this host is associated must be route domain 0.
    2. In the Secret field, type the password for access to the primary RADIUS server.
    3. In the Confirm field, re-type the RADIUS secret.
  6. If you set the Server Configuration setting to Primary and Secondary, then for the Secondary setting:
    1. In the Host field, type the name of the secondary RADIUS server.
      The route domain with which this host is associated must be route domain 0.
    2. In the Secret field, type the password for access to the secondary RADIUS server.
    3. In the Confirm field, re-type the RADIUS secret.
  7. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  8. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  9. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option    Description
    Disabled  Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh      Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  10. Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote RADIUS server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.

Specifying TACACS+ server information

Before you begin:
  • Verify that the BIG-IP® system user accounts have been created on the remote authentication server.
  • Verify that the appropriate user groups, if any, are defined on the remote authentication server.
You can configure the BIG-IP system to use a TACACS+ server for authenticating BIG-IP system user accounts, that is, traffic that passes through the management interface (MGMT).
Important: The values you specify in this procedure for the Role, Partition Access, and Terminal Access settings do not apply to group-based authorization. These values represent the default values that the BIG-IP system applies to any user account that is not part of a remote role group. Also, for the Other External Users user account, you can modify the Role, Partition Access, and Terminal Access settings only when your current partition on the BIG-IP system is set to Common. If you attempt to modify these settings when your current partition is other than Common, the system displays an error message.
  1. On the Main tab, click System > Users > Authentication.
  2. On the menu bar, click Authentication.
  3. Click Change.
  4. From the User Directory list, select Remote - TACACS+.
  5. For the Servers setting, type an IP address for the remote TACACS+ server.
    The route domain to which this address pertains must be route domain 0.
  6. Click Add.
    The IP address for the remote TACACS+ server appears in the Servers list.
  7. In the Secret field, type the password for access to the TACACS+ server.
    Warning: Do not include the symbol # in the secret. Doing so causes authentication of local user accounts (such as root and admin) to fail.
  8. In the Confirm Secret field, re-type the TACACS+ secret.
  9. From the Encryption list, select an encryption option:
    Option    Description
    Enabled   Specifies that the system encrypts the TACACS+ packets.
    Disabled  Specifies that the system sends unencrypted TACACS+ packets.
  10. In the Service Name field, type the name of the service that the user is requesting to be authenticated to use (usually ppp).
    Specifying the service causes the TACACS+ server to behave differently for different types of authentication requests. Examples of service names that you can specify are: ppp, slip, arap, shell, tty-daemon, connection, system, and firewall.
  11. In the Protocol Name field, type the name of the protocol associated with the value specified in the Service Name field.
    This value is usually ip. Examples of protocol names that you can specify are: ip, lcp, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, ftp, http, deccp, osicp, and unknown.
  12. From the Role list, select the user role that you want the BIG-IP system to assign by default to all BIG-IP system user accounts authenticated on the remote server.
  13. From the Partition Access list, select the default administrative partition that all remotely-authenticated BIG-IP system user accounts can access.
  14. From the Terminal Access list, select either of these as the default terminal access option for remotely-authenticated user accounts:
    Option    Description
    Disabled  Choose this option when you do not want the remotely-stored user accounts to have terminal access to the BIG-IP system.
    tmsh      Choose this option when you want the remotely-stored user accounts to have only tmsh access to the BIG-IP system.
  15. Click Finished.
You can now authenticate administrative traffic for BIG-IP system user accounts that are stored on a remote TACACS+ server. If you have no need to configure access control for remotely-stored user groups, your configuration tasks are complete.

Changing the default access control for remote accounts

You perform this task to change the user role, partition access, and terminal access that you want the BIG-IP system to assign by default to all remote users that are members of the user account Other External Users.

  1. On the Main tab, click System > Users > Authentication.
  2. Click Change.
  3. From the User Directory list, select Remote - Active Directory, Remote - LDAP, Remote - RADIUS, or Remote - TACACS+.
  4. From the Role list, select a user role.
    The BIG-IP system assigns this user role to any remote account that is not part of a remote user group to which you have explicitly assigned a user role.
  5. From the Partition Access list, select a partition name.
    All remote user accounts that are members of the BIG-IP account Other External Users can have access to either all partitions or the same individual partition. Individual members of this account cannot have access to different partitions.
  6. From the Terminal Access list, select Enabled or Disabled.
  7. Click Update.
After you perform this task, most BIG-IP user accounts stored on a remote authentication server have the specified user role, as well as partition and console access. Remote accounts that are part of a role group are not subject to these authentication settings.

About remote user groups

On the BIG-IP® system, you can assign access control properties (user role, partition, and terminal access) to any group of BIG-IP user accounts defined on a remote authentication server. You can assign these properties by using either the BIG-IP Configuration utility or the Traffic Management Shell (tmsh) to specify the appropriate remote attribute string and line order for each group of BIG-IP users, along with the access control values you want to assign to the group.

You can configure access control for remote groups of BIG-IP user accounts in these ways:

  • By specifying on the BIG-IP system the relevant attribute string and the role, partition access, and terminal access that you want to assign to the group.
  • By specifying on the BIG-IP system the relevant attribute string and then using variable substitution (tmsh only).
Note: Access control for these group-based user accounts is separate from the access control assigned to accounts represented by the BIG-IP user account named Other External Users.

Configuration examples

Because some types of remote servers allow a user to be a member of multiple user groups, configuration of user roles and partitions for BIG-IP® user groups on those servers can result in conflicts. For example, two separate remote user groups might specify different roles on the same administrative partition. For a user that is a member of both groups, this configuration breaks the BIG-IP rule that a user cannot have two roles for any one partition.

In the case of such conflicts, the BIG-IP system must choose one of the conflicting roles for the user at login time. The primary way that the BIG-IP system makes this choice is by using line order. The line order that you specify within each remote role configuration affects how the system ultimately resolves any conflicts.

By contrast, within a single remote user group, no conflicts occur because the BIG-IP system prevents administrators from assigning more than one role to the same partition.

Example 1: Conflicting role-partition entries within a group

The following example shows that two user roles, Guest and Certificate Manager, are associated with the same partition, A, for the same remote user group, BigIPAdminGroup.

This configuration is invalid because no one user can have more than one role for a specific partition. If an administrative user attempts to implement this configuration, the BIG-IP system disallows the configuration and displays an error message.

    BigIPAdminGroup
        attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 30
        role guest
        user-partition A

        attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 30
        role manager
        user-partition B

        attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 30
        role certificate manager
        user-partition A

Example 2: Conflicting role-partition entries in multiple groups

In the following example, the remote server contains two BIG-IP® user groups, BigIPNetworkGroup and BigIPAdminGroup, and the BIG-IP system has three partitions, A, B, and C.

Suppose that user jsmith is a member of both groups. The configuration below shows that on login to the BIG-IP system, user jsmith will clearly be assigned the role of Operator for partition B, and Manager for partition C. But for partition A, there is a conflict, because a user can have only one role per partition on the system, and this configuration attempts to assign the roles of both Manager and Guest for that partition.

To resolve the conflict, the BIG-IP system uses line order to determine which of the conflicting roles to assign to jsmith for partition A. In this case, the system will choose Manager, the role with the lowest line-order number (20).

    BigIPNetworkGroup
        attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 20
        role manager
        user-partition A

        attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 10
        role operator
        user-partition B

        attribute memberOF=CN=BigIPNetworkGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 40
        role manager
        user-partition C

    BigIPAdminGroup
        attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 30
        role guest
        user-partition A

Example 3: Conflicting role-partition entries due to universal access

In the following example, suppose that user jsmith is a member of three remote user groups, BigIPGuestGroup, BigIPOperatorGroup, and BigIPAdminGroup, and the BIG-IP system has three partitions, A, B, and C.

In this configuration, the role specified for BigIPAdminGroup creates a conflict, because some entries specify a particular role for each partition, while BigIPAdminGroup specifies a role of Administrator for all three partitions. To resolve the conflict, the BIG-IP system uses the configured line order.

Because the line order for BigIPAdminGroup is 9 and therefore not the lowest line-order number, the BIG-IP system will ignore the role of Administrator for jsmith, leaving her with a role of Guest on partitions A and C, and Operator on partition B.

    BigIPGuestGroup
        attribute memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 2
        role guest
        user-partition A

    BigIPOperatorGroup
        attribute memberOF=CN=BigIPOperatorGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 10
        role operator
        user-partition B

    BigIPAdminGroup
        attribute memberOF=CN=BigIPAdminGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 9
        role administrator
        user-partition All

    BigIPGuestGroup
        attribute memberOF=CN=BigIPGuestGroup,OU=BIP,DC=dean,DC=local
        console tmsh
        line-order 3
        role guest
        user-partition C

Configuring access control for remote user groups

You perform this task to assign a user role, a corresponding administrative partition, and a type of terminal access to a remotely-stored group of user accounts. For a given user group, you can assign as many role-partition combinations as you need, as long as each role is associated with a different partition. If the partition you associate with a role is All, this entry might or might not take effect, depending on whether the All designation conflicts with other role-partition combinations for that user group. For any conflicts, line order in the configuration is a consideration. To assign multiple role-partition combinations for a user group, you repeat this task for each combination, specifying the same attribute string for each task.

  1. On the Main tab, click System > Users.
  2. On the menu bar, click Remote Role Groups.
  3. Click Create.
  4. In the Group Name field, type the group name that is defined on the remote authentication server.
    An example of a group name is BigIPOperatorsGroup.
  5. In the Line Order field, type a number.
    This value specifies the order of this access control configuration in the file /config/bigip/auth/remoterole for the named group. The LDAP and Active Directory servers read this file line by line. The order of the information is important; therefore, F5 Networks recommends that you specify a value of 1000 for the first line number. This allows you, in the future, to insert lines before the first line.
  6. In the Attribute String field, type an attribute.
    An example of an attribute string is memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net.
    The BIG-IP system attempts to match this attribute with an attribute on the remote authentication server. On finding a match, the BIG-IP system applies the access control settings defined here to the users in that group. If a match is not found, the system applies the default access control settings to all remotely-stored user accounts (excluding any user account for which access control settings are individually configured).
  7. From the Remote Access list, select a value.
    Option    Description
    Enabled   Choose this value if you want to enable remote access for the defined user group.
    Disabled  Choose this value if you want to disable remote access for the defined user group. Note that if you configure multiple instances of this remote role group (one instance for each role-partition pair for the attribute string), then choosing a value of Disabled disables remote access for all user group members, regardless of the remote role group instance.
  8. From the Assigned Role list, select a user role for the remote user group.
  9. From the Partition Access list, select an administrative partition value.
    Option          Description
    All             Choose this value to give users in the defined group access to their authorized objects in all partitions on the BIG-IP system.
    partition_name  Choose a specific partition name to give users in the defined group access to that partition only.
    Common          Choose this value to give users in the defined group access to partition Common only.
  10. From the Terminal Access list, select the type of command-line access you want to grant users in the group, if any.
  11. Click Finished or Repeat.
After you perform this task, the user group that you specified has the assigned role, partition access, and terminal access properties assigned to it.

About variable substitution

As an alternative to using the BIG-IP™ Configuration utility to specify explicit values for access control properties for remote user groups, you can configure the remote server to return a vendor-specific attribute with variables for role, partition access, and console access. You can then assign values to those variables (numeric or alphabetic), and you can use the tmsh remoterole command to perform variable substitution for those access control properties.

For example, suppose that you configure a remote RADIUS authentication server to return the vendor-specific attribute F5-LTM-User-Info-1 = DC1, along with three variables and their values:

  • F5-LTM-User-Role = 400 (variable)
  • F5-LTM-User-Partition = App_C (variable)
  • F5-LTM-User-Console = 1 (variable)
Note: A user role value of 400 signifies the Operator user role.

The remoterole command can match on the attribute F5-LTM-User-Info-1 and then read the role, user partition, and console values from the three variables, rather than you specifying them explicitly. To do this, you specify each of the three variables on the command line as arguments, each preceded by the string %.

The following shows a sample use of the remoterole command. This sample command matches on the vendor-specific attribute F5-LTM-User-Info-1 and then, using the above variables, assigns a user role of Operator (400), access to partition App_C, and tmsh access (1) to any user accounts that are part of Datacenter 1 (DC1):

  tmsh modify auth remote-role role-info add { DC1 { attribute "F5-LTM-User-Info-1=DC1" console "%F5-LTM-User-Console" role "%F5-LTM-User-Role" user-partition "%F5-LTM-User-Partition" line-order 1 } }

Values for remote role variables

This table lists the values for the BIG-IP variable F5-LTM-User-Role that you use for defining a role for a remotely-stored user group. For example, a value of 100 for the variable F5-LTM-User-Role indicates the Manager user role.

User Role                    Value
Administrator                0
Resource-Admin               20
User-Manager                 40
Auditor                      80
Manager                      100
App-Editor                   300
Operator                     400
Firewall Manager             450
Fraud Protection Manager     480
Certificate-Manager          500
Certificate-Manager          510
Guest                        700
Application-Security-Admin   800
Application-Security-Editor  810
Application-Policy-Editor    850
No-Access                    900

About terminal access for remote user groups

If you use the Traffic Management Shell (tmsh) remoterole command to configure console access for a user account within a remote user group, the BIG-IP™ system behavior differs depending on the value of the console option:

  • If an attribute string for a remote user group has one or more role-partition pairs assigned to that attribute, and you set the value of the console option to tmsh, then on successful authentication the BIG-IP system grants all users in that user group tmsh access to the BIG-IP system.
  • If you set the value of the console option to disable (or you do not configure the console option) for all role-partition combinations assigned to the same attribute string, then the BIG-IP system denies all users in that user group tmsh access to the BIG-IP system, even on successful authentication. Note that this does not affect user access to the BIG-IP Configuration utility.

Saving access control settings to a file

You can save the running configuration of the system, including all settings for remote user authentication and authorization, in a flat text file with a specified name and the extension .scf.
  1. On the BIG-IP® system, access a command-line prompt.
  2. At the prompt, open the Traffic Management Shell by typing the command tmsh.
  3. Type sys save filename.
    sys save myConfiguration053107 creates the file myConfiguration053107.scf in the /var/local/scf directory.
    sys save /config/myConfiguration creates the file myConfiguration.scf in the /config directory.
You can now import this file onto other BIG-IP devices on the network.

Importing BIG-IP configuration data onto other BIG-IP systems

You can use the tmsh sys load command to import a single configuration file (SCF), including access control data, onto other BIG-IP® devices on the network.
Note: This task is optional.
  1. On the BIG-IP system on which you created the SCF, access a command-line prompt.
  2. Copy the SCF that you previously created to a location on your network that you can access from the system that you want to configure.
  3. Edit the SCF to reflect the management routing and special passwords of the BIG-IP system that you want to configure:
    1. Open the SCF in an editor.
    2. Where necessary, change the values of the management IP address, network mask, management default route, self IP addresses, virtual server IP addresses, routes, default routes, and host name fields to the values for the new system.
    3. If necessary, change the passwords for the root and admin accounts using the command user name password none newpassword password.
      Important: When configuring a unit that is part of a redundant system configuration and that is using the SCF from the peer unit, do not modify the root and admin accounts. These accounts must be identical on both units of the redundant system.
    4. Save the edited SCF.
  4. On the BIG-IP system that you want to configure, open the Traffic Management Shell by typing the command tmsh.
  5. Type sys load scf_filename.
    sys load myConfiguration053107.scf saves a backup of the running configuration in the /var/local/scf directory, and then resets the running configuration with the configuration contained in the SCF you are loading.

About viewing remote user accounts

Using the BIG-IP Configuration utility, you can display a list of those remote user accounts to which you explicitly assigned a non-default user role. If a remote user account has the default role assigned to it, you cannot see that account in the user account list.

Any users who have access to a partition in which remote accounts reside can view a list of remote user accounts.

Displaying a list of remote user accounts

You perform this task to display a list of remotely-stored user accounts.

  1. On the Main tab, click System > Users.
  2. On the menu bar, click Authentication.
  3. Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
  4. On the menu bar, click User List.
  5. View the list of user accounts. Remote user accounts that are assigned the default user role appear as Other External Users.

Viewing access control properties

  1. On the Main tab, click System > Users.
  2. On the menu bar, click Authentication.
  3. Verify that the User Directory setting specifies a remote authentication server type (Active Directory, LDAP, or RADIUS).
  4. On the menu bar, click User List.
  5. View the list of user accounts. Remote user accounts that are assigned the default user role appear as Other External Users.
  6. In the user account list, find the user account you want to view and click the account name. This displays the properties of that user account.