Manual Chapter : Users User Groups Roles and Authentication

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.0.0
Manual Chapter

How do I manage and authorize BIG-IQ users?

As a network or system manager, you need a way to differentiate between users and to limit user access based on how they interact with BIG-IQ and its managed devices. To help you, the BIG-IQ has a default set of roles you can assign to a user.

You can give a user access to specific BIG-IQ system functionality by relating a user with a specific role. Or, you can connect a user with a user group and then associate the group with a role. A role is defined by its specific access rights. A user group is a collection of individuals with access to the same resources with authentication locally on BIG-IQ, or remotely through LDAP or RADIUS. Additional security is provided through bidirectional trust and verification through key and certificate exchange (AuthN and AuthZ).

About authenticating BIG-IQ users with RADIUS and LDAP

By using BIG-IQ® with your LDAP or RADIUS authentication server, you can remotely manage user access based on specific BIG-IQ roles and associated permissions.

Configuring authentication with RADIUS

Before you can set up authentication, you must have specified your DNS settings. You usually do this when you license BIG-IQ®.

The areas that users can access on BIG-IQ are based on the role you assign to each user. You can configure BIG-IQ to verify user credentials against your company's RADIUS server.

Note: You can add two additional backup RADIUS servers in case the primary server is not available for authentication.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select System Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. On the left, click USER MANAGEMENT > Auth Providers .
  5. Click the Add button.
  6. From the Provider Type list, select RADIUS.
  7. In the Name field, type a name for this new provider.
    This must be a unique name and can be a maximum of 152 characters.
  8. In the Host and Port fields, type the RADIUS server's IP address (or fully qualified domain name) and port number for each of the servers you want to configure.

    The primary server is mandatory. A secondary server and tertiary server, which will be used if the primary or secondary servers fail, are optional.

  9. In the Secret field, type the case-sensitive text string used to validate communication.
  10. In the Test User and Test Password fields, type a user and password, then click the Test button to verify BIG-IQ can reach the RADIUS server
  11. Click the Save button.
You can now associate RADIUS server users and groups to BIG-IQ system roles.

Using pre-defined RADIUS groups for authentication

You must have root access to the BIG-IQ system's command line through SSH for this procedure.

Some RADIUS deployments include non-standard, vendor-specific attributes in the dictionary files. For these deployments, you must update the BIG-IQ system's default dictionary. Follow these steps if you want to use pre-defined RADIUS user groups on BIG-IQ.

  1. Copy the TinyRadius .jar file from the BIG-IQ system.
  2. Extract the contents of the TinyRadius .jar file.
  3. Update the file org/tinyradius/dictionary/default_dictionary file, by adding the vendor-specific attributes.
  4. Repack the contents into a new .jar file.
  5. Replace the old TinyRadius .jar on each BIG-IQ system with the new TinyRadius .jar file you created in step 4.

For example:

  1. From a Linux machine, copy the TinyRadius .jar file to your BIG-IQ system by typing: scp <big-iq-user>@<BIG-IQ-Address>:/usr/share/java/TinyRadius-1.0.jar ~/tmp/tinyrad-upgrade/
  2. Extract the file on your Linux Machine by typing: jar -xvf TinyRadius-1.0.jar
  3. Edit the org/tinyradius/dictionary/default_dictionary, adding the vendor-specific attribute.
    rm TinyRadius-1.0.jar
    jar cvf TinyRadius-1.0.jar *
    
  4. Update the jar on the BIG-IQ system by typing: scp TinyRadius-1.0.jar <your_user>@<BIG-IQ address>:/var/tmp/
  5. SSH to the BIG-IQ system and type the following commands:
    mount -o remount,rw /usr
    cp /var/tmp/TinyRadius-1.0.jar /usr/share/java
    mount -o remount,ro /usr
    bigstart restart restjavad
    
  6. Repeat steps 4 and 5 for each BIG-IQ in a HA configuration.
Now you can use the vendor-specific attributes RADIUS to create your user groups on BIG-IQ.

Before integrating BIG-IQ with your LDAP server

Before integrating LDAP authentication with the BIG-IQ® system, you must first perform the following tasks:

  • Use an LDAP browser to review the groups and users in your directory's structure and where they're located in the hierarchy of organizational units (OUs).
  • Decide how you want to map user names.
    • The first option is to map users directly to their Distinguished Name (DN) in the directory with a user bind template in the form of uid=<username>, ou=people,o=sevenSeas. For example, when you map John Smith's user name with his DN as uid=<jsmith>, ou=people,o=sevenSeas and he logs in as jsmith, he is correctly authenticated with his user name in the directory through his DN.
    • The second option is to allow users to log in with names that do not map directly to their DN by specifying a userSearchFilter in the form of (&(uid=%s)) when creating the provider. For example, if John Smith's DN is cn=John Smith,ou=people,o=sevenSeas, but you would like him to be able to log in with jsmith, specify a userSearchFilter in the form of (&(jsmith=%s)). If your directory does not allow anonymous binds, you must also specify a bindUser and bindPassword so that the BIG-I system can validate the user's credentials.
  • Decide which groups in your directory to map into BIG-IQ groups.
    • If you configured a bindUser and bindPassword for users, the BIG-IQ system displays a list of groups from which to choose.
    • If you haven't configured this for your users, you must know the DN for each group.
  • Find out the DN where you can for all users and groups. This is the root bind DN for your directory, defined as as rootDN, when you create a provider. The BIG-IQ system uses the root bind DN as a starting point when it searches for users and groups.
  • Find the host IP address for the LDAP server. The default port is 389, if not specified otherwise.

Configuring authentication with LDAP

BIG-IQ® can verify user credentials against your company's LDAP server (LDAP server versions 2 and 3, and OpenLDAP directory, Apache Directory Server, and Active Directory). (The features on BIG-IQ accessible to each user are based on the role assigned to the user.)
Note: You can add multiple LDAP servers to BIG-IQ for authentication.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select System Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. On the left, click USER MANAGEMENT > Auth Providers .
    The Auth Providers screen opens.
  5. Click the Add button.
  6. From the Provider Type list, select LDAP.
  7. In the Name field, type a name for this new provider.
    This must be a unique name and can be a maximum of 152 characters.
  8. In the Host field, type the IP address of your LDAP server.
  9. If your Active Directory server uses a port other than the default, 389, in the Port field, type the number of the alternative port.
  10. If you want BIG-IQ System to use an SSL port to communicate with the LDAP server, for the SSL Enabled setting select the Enabled check box.
    Note that the Port setting automatically changes to 636.
  11. If your LDAP server does not allow anonymous binds, in the Bind User and Bind User Password fields, type the full distinguished names and passwords for users with query access.
  12. In the Root DN field, type the root context that contains users and groups.
    The root context must be a full distinguished name.
  13. From the Authentication Method list, select an option.
    • Simple - Select this option to require a user name and password for authentication.
    • None - Select this option to prompt the LDAP server to ignore the user name and password.
  14. In the Search Scope field, type a number to specify the depth at which searches are made.
    Alternatively, you can specify 0 for search only on the named object or 1 for a one-level search scope.
  15. In the Search Filter field, type the LDAP filter expression that determines how users are found.
    The search filter is determined by your LDAP implementation.
  16. In the Connect Timeout field, type the number of milliseconds after which the BIG-IP system stops trying to connect to the LDAP server.
  17. In the Read Timeout field, type the number of seconds the BIG-IP system will wait for a response to a query.
  18. In the User Display Name Attribute field, type LDAP field to use for the name BIG-IQ System displays.
    When using Active Directory, this is typically displayName.
  19. To direct bind to a distinguished name, in the User Bind Template field, type the name.
    For example, cn={username},ou=people,o=sevenSeas.
    Now, when a user logs in, BIG-IQ System inserts their user name into the template in place of the token, and the resulting distinguished name is used to bind to the directory.
  20. To prompt the LDAP provider to search for groups based on a specific display name attribute, in the Group Display Name Attribute, field type an attribute.
    This attribute is typically cn.
  21. Leave the Group Search Filter at its default query to return all groups under the provided rootDN.
    Alternatively, if you have a large number of groups (more than 100), you can base the search on a specific term by typing a query with a {searchterm} token in this field.

    For example: (&(objectCategory=group)(cn={searchterm}*))

  22. To specify a query for finding a users group, in the Group Membership Filter field, type a query string.
    Use the token {userDN} anywhere that the user's distinguished name should be supplied in the LDAP query.

    You can use a {username} token as a substitute for the user’s login name in a query.

    Leave this setting at the default (|(member={username})(uniqueMember={username})) unless the provider is Active Directory.
  23. To specify a query attribute for finding users in a particular group, in the Group Membership User Attribute field, type the attribute.
    When using Active Directory, use memberof. For example: (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)
    For other LDAP directories, use groupMembershipFilter. For example: (groupMembership=cn=group_name,ou=organizational_unit,o=organization)
  24. Select the Perform Test check box to test this provider.
  25. Click the Save button.
The BIG-IQ system now authenticates users against the configured LDAP server.

Changing the default password for the administrator user

When you license and do the initial setup, the BIG-IQ® system to prompt the system to automatically create the administrator user.
For security reasons, it is important to change the administrator role password from the default, admin.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select System Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. On the left, click USER MANAGEMENT > Users .
  5. In the User Name column, click admin.
    The Admin User properties screen opens.
  6. In the Old Password field, type the password.
  7. In the Password and Confirm Password fields, type a new password.
  8. Click the Save button at the bottom of the screen.

Adding a BIG-IQ user

Create a user to provide access to the BIG-IQ system.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select System Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. On the left, click USER MANAGEMENT > Users .
    The inventory of users defined on this BIG-IQ opens.
  5. Click the Add button.
  6. In the User Name field, type the user name for this new user.
  7. In the Full Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  8. In the Password and Confirm Password fields, type the password for the new user.
  9. To associate this user with an existing user group, select the group from the User Groups list.
  10. From the User Roles list, select a user role to associate with this user.
    Each role has a set of unique privileges.
  11. Click the Save button at the bottom of the screen.
After you add a user, you can associate that user with a role. Associating a user with a role gives the user access to specific BIG-IQ® system resources and features.

Associating a user or user group with a role

Before you can associate a user or user group with a role, you must create a user or user group.
When you associate a user or user group with a role, you define the resources users can view and modify. You can associate multiple roles with a given user.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select System Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. From the User Roles list, select a user role to associate with this user.
    Each role has a set of unique privileges.
  5. From the Active Users and Groups list, select the users or user groups to add to this role.
  6. Click the Save button at the bottom of the screen.
This user or user group now has the privileges associated with the role you selected.

Standard user roles shipped with BIG-IQ

BIG-IQ® system ships with several standard roles, which you can assign to individual users.

Role Role Description / Access
Administrator This role has access to all licensing aspects of System Management and Device Management. This includes access for adding individual users, assigning roles, discovering BIG-IP® systems, installing updates, activating licenses, and setting up BIG-IQ® in a high availability (HA) configuration.
ADC Deployer This role has access to deploy and view ADC configuration objects for managed ADC devices.
ADC Editor This role has access to edit all ADC configuration objects.
ADC Manager This role has access to all aspects of ADC, including areas involved in creating, viewing, modifying, and deleting Local Traffic and Network objects.
ADC Viewer This role has view-only access for all ADC objects and features.
Access Auditor This role has access to all Access reports and dashboard.
Access Deployer This role has deploy access to Access configuration objects. This role cannot discover and edit devices or policies.
Access Editor This role has edit access to Access configuration objects. This role cannot discover and deploy devices or policies. This role includes the ability to add, update, and delete pools and pool members from the Access configuration object editor.
Access Manager This role has deploy and edit access to Access configuration objects, and has access to Access Reports and Dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services.
Access Viewer This role has view-only access to Access configuration objects and tasks for Access devices that have been discovered. This role cannot edit, discover, or deploy devices or policies.
Device Manager This role has access to all aspects of Device Management, including areas involved in device discovery, group creation, licensing, software image management, UCS backups, templates, connectors, certificates, self IP addresses, VLANs, and interfaces.
Fraud Protection Manager This role has access to all aspects of the Fraud Protection Service functionality for Web Client Security.
Fraud Protection View This role has view-only access to all Fraud Protection Service objects for Web Client Security .
Network Security Deploy This role has access to view and deploy Network Security objects.
Network Security Manager This role has access to all aspects of Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects.
Network Security Edit This role has access to create, view, and modify objects for Network Security.
Network Security View This role has view-only access to firewall objects for Network Security. This role cannot edit, discover, or deploy devices or policies.
Security Manager This role has access to all aspects of Network Security, Web Application Security, and Web Client Security, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects.
Trust Discovery Import This role manages device trust establishment, service discovery, service import, removal of services and removal of trust.
Web App Security Deployer This role can deploy and view ASM configuration objects for managed ASM devices.
Web App Security Editor This role manages config objects within the ASM module.
Web App Security Manager This role has access to all aspects of Web Application Security, including areas involved in creating, viewing, modifying, and deleting shared and web application-specific security objects.
Web App Security Viewer This role permits read-only access to the ASM module.

Disassociating a user from a role

Use this procedure to disassociate a user from an assigned role.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select System Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. On the left, click USER MANAGEMENT > Users .
    The inventory of users defined on this BIG-IQ opens.
  5. On the Users inventory list, click the name of the user.
    The screen refreshes to display the properties for this user.
  6. From the User Roles list, select the user role to disassociate from this user amd click the X.
    The selected user role is removed from the list of privileges assigned to this user.
  7. Click the Save button to save your changes.
This user no longer has the privileges associated with the role you deleted.

Adding a new user role

In addition to the standard roles that ship with BIG-IQ®, there are some roles specific only to ADC and device management that you can add to your available options. These roles are:

  • Device Viewer - This role has access to view the devices in the group you specify.
  • Pool Member Operator - This role has access to enable, disable, or force offline pool members on pools to which the administrator has granted them access.
  • Virtual Server Operator - This role has access to enable or disable virtual servers to which the administrator has assigned them access.
  1. Log in to the BIG-IQ® system with your user name and password.
  2. At the top left of the screen, select System Management from the BIG-IQ menu.
  3. At the top of the screen, click Inventory.
  4. On the left, click USER MANAGEMENT > Roles .
  5. Click Add.
  6. In the Name field, type a name to identify this new role.
  7. From the Role Type list, select the kind of role you want to add.
    This role has no permissions when you first create it. You have to add permissions after you save the role.
  8. From the Active Users and Groups list, select the user or group you want to associate with this new role.
  9. Click the + sign if you want this role to have access to another user or group, and select the device group from the list.
  10. Click the Save button at the bottom of the screen.