AAA for Big-IQ CLI/TMSH Login
Hi, I have tried to use an AAA server for authentication and authorization of Big-IQ web GUI logins. I configured it in the Big-IQ web GUI and found out that it does not authenticate users who log in via TMSH/CLI. Is there a separate configuration to authenticate users through the AAA server for CLI/tmsh?
Thank you
- Clint_Neill_140
Nimbostratus
There doesn't seem to be a documented way to configure AAA for TMSH/CLI from the Big-IQ GUI.
It looks like Big-IQ is a Java app installed on top of the Red Hat Linux / TMOS platform.
There's not much you can do to configure the Java Big-IQ function from TMSH or bash so there is little reason to use TMSH/CLI.
But I wanted to be able to automate password management for the built-in accounts to meet company security requirements for built-in account control and thus wanted CLI access to use the passwd command.
FYI, this answer pertains to Big-IQ 6.0. Incidentally, CyberArk is the tool in use to periodically and automatically change the passwords for the devices' built-in accounts, and it works well over SSH.
- The company, xxx.com, uses MS AD for LDAP/RBAC. There is a ddd domain defined.
- There is an AD bind account defined, ldap-F5, used to authenticate users.
- There is an AD group defined, F5-Admin. Membership in this group allows users admin access to Big-IQ and Big-IPs through the remote-role function.
I logged into Big-IQ CLI with the built-in admin account. (The default credentials are admin/admin but can be changed via the Big-IQ GUI). I ran the following TMSH commands. Note they will have to be revised to match your local LDAP/AD configuration:
```
create auth ldap system-auth bind-dn "CN=ldap-F5,OU=ldap,OU=Service Accounts,DC=ddd,DC=xxx,DC=com" bind-pw login-attribute samaccountname port msft-gc-ssl search-base-dn DC=xxx,DC=com servers add { gcat.ddd.xxx.com } ssl enabled
modify auth password-policy max-login-failures 3
modify auth remote-role role-info add { rmt-role-1 { attribute "memberOf=CN=F5-Admin,OU=Application Groups,OU=Domain Groups,DC=ddd,DC=xxx,DC=com" console tmsh line-order 1101 role admin user-partition All } }
modify auth source { type active-directory }
save /sys config
```
These commands have no effect on the Big-IQ GUI login. Big-IQ can be made to work with AD/RBAC as well, but that requires a different setup that is done within the Big-IQ GUI. Incidentally, even though MS AD is in use, choosing Active Directory in the GUI did not work with Big-IQ 6.0. F5 Support advised using LDAP, and that worked fine.
One other note: remote users get the TMSH shell. To get to a bash shell, you can use the command `run util bash`.
YMMV, but hope this helps someone. It took some effort to work this all out.
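To make the remote-role mapping in the post above concrete, here is an added example (not from the post or from F5) that simulates how a remote-role table resolves a remote user's LDAP `memberOf` values to a role. The table entries, the user records and the hypothetical `F5-Viewer` group are constructed, and the evaluation rule (entries tried in ascending `line-order`, first match wins, no match means no access) is an assumption about TMOS behaviour rather than something the post states.

```python
"""Simulate TMOS remote-role resolution for a remote (LDAP/AD) user.

Added example, not from the post or F5. Assumptions: entries are tried in
ascending line-order, the first matching entry wins, and a user who matches
no entry gets no role (deny by default)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RemoteRole:
    name: str
    attribute: str       # "attr=value" exactly as given in the TMSH command
    line_order: int
    role: str
    console: str         # "tmsh" gives a TMSH shell, "disabled" no console
    user_partition: str

def attribute_matches(attribute: str, user_attrs: Dict[str, List[str]]) -> bool:
    """True if the user carries the attr=value pair named by the entry.
    Only the first '=' separates attribute from value, so a DN value that
    itself contains '=' (e.g. memberOf=CN=...) stays intact. DNs are compared
    case-insensitively (assumption)."""
    key, _, value = attribute.partition("=")
    return any(v.lower() == value.lower() for v in user_attrs.get(key, []))

def resolve_role(table: List[RemoteRole], user_attrs: Dict[str, List[str]]) -> Optional[RemoteRole]:
    """Walk the table in line-order and return the first matching entry."""
    for entry in sorted(table, key=lambda e: e.line_order):
        if attribute_matches(entry.attribute, user_attrs):
            return entry
    return None

# Constructed table: rmt-role-1 mirrors the post; rmt-role-2 is hypothetical
# and exists so that the ordering between entries is visible.
ADMIN_GROUP = "CN=F5-Admin,OU=Application Groups,OU=Domain Groups,DC=ddd,DC=xxx,DC=com"
VIEWER_GROUP = "CN=F5-Viewer,OU=Application Groups,OU=Domain Groups,DC=ddd,DC=xxx,DC=com"
TABLE = [
    RemoteRole("rmt-role-1", "memberOf=" + ADMIN_GROUP, 1101, "admin", "tmsh", "All"),
    RemoteRole("rmt-role-2", "memberOf=" + VIEWER_GROUP, 1102, "guest", "disabled", "All"),
]

def role_for(user_attrs: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Return (role, console) for a user's LDAP attributes, or None."""
    entry = resolve_role(TABLE, user_attrs)
    return (entry.role, entry.console) if entry else None

if __name__ == "__main__":
    print(role_for({"memberOf": [ADMIN_GROUP]}))         # ('admin', 'tmsh')
    print(role_for({"memberOf": ["CN=Staff,DC=xxx,DC=com"]}))  # None
```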