Forum Discussion
ArieYank_342073
Nimbostratus
NimbostratusAAA for Big-IQ CLI/TMSH Login
Hi,
I have tried to use AAA server for authentication and authorization Big-IQ web GUI login. I configured on Big-IQ web GUI and find out that it doesn't work to authenticate user who log in into TMS...
Clint_Neill_140Nimbostratus
NimbostratusThere doesn't seem to be a documented way to configure AAA for TMSH/CLI from the Big-IQ GUI.
It looks like Big-IQ is a Java app installed on top of the Red Hat Linux / TMOS platform.
There's not much you can do to configure the Java Big-IQ function from TMSH or bash so there is little reason to use TMSH/CLI.
But I wanted to be able to automate password management for the built-in accounts to meet company security requirements for built-in account control and thus wanted CLI access to use the passwd command.
FYI, this answer pertains to Big-IQ 6.0. Incidentally, Cyberark is the tool in use to periodically and automatically change the password for device built in accounts and it works well with ssh.
- The company, xxx.com, uses MS AD for LDAP/RBAC. There is a ddd domain defined.
- There is an AD bind account defined, ldap-F5, used to authenticate users.
- There is an AD group defined, F5-Admin. Membership in this group allows users admin access to Big-IQ and Big-IPs through the remote-role function.
I logged into Big-IQ CLI with the built-in admin account. (The default credentials are admin/admin but can be changed via the Big-IQ GUI). I ran the following TMSH commands. Note they will have to be revised to match your local LDAP/AD configuration:
create auth ldap system-auth bind-dn "CN=ldap-F5,OU=ldap,OU=Service Accounts,DC=ddd,DC=xxx,DC=com" bind-pw login-attribute samaccountname port msft-gc-ssl search-base-dn DC=xxx,DC=com servers add { gcat.ddd.xxx.com } ssl enabledmodify auth password-policy max-login-failures 3modify auth remote-role role-info add { rmt-role-1 { attribute "memberOf=CN=F5-Admin,OU=Application Groups,OU=Domain Groups,DC=ddd,DC=xxx,DC=com" console tmsh line-order 1101 role admin user-partition All } }modify auth source { type active-directory }save /sys configThese commands have no effect on the Big-IQ login. Big-IQ can be made to work with AD/RBAC as well, but that requires a different set up that is done within the Big-IQ GUI. Incidentally, even though MS AD is in use, choosing Active Directory in the GUI did not work with Big-IQ 6.0. F5 Support advised using LDAP and that worked fine.
One other note, remote users get the TMSH shell. In order to get to a bash shell, you can use command run util bash
YMMV, but hope this helps someone. It took some effort to work this all out.