Forum Discussion

SCalNet
Jul 22, 2025

Allow specific users to access F5's GUI?

Hi guys,

I've configured TACACS (Cisco ISE) for F5's GUI authentication. From ISE, I allowed a security AD group access to F5's GUI, and it works.

There is a problem: the AD group has 10 users, but only five users are responsible for managing the F5. How do I configure the F5 to allow these five specific users to access the F5's GUI instead?

Thanks.

4 Replies

  • We ran into a similar situation recently. The best way to handle this is to create a separate AD group (something like F5-Admins) that includes only the 5 users who actually need GUI access. Then, in Cisco ISE, update your TACACS policy to reference this new group instead of the broader one with all 10 users.

    From there, you can keep your remote-role mapping on the F5 as-is, and only those 5 users will be granted access based on the new group membership. It’s clean, easy to manage, and keeps access tightly controlled.

    Alternatively, if you can’t modify AD groups, you could try setting up user-specific remote role entries on the F5 using exact usernames, but that can get messy and is harder to maintain long-term.
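The F5 side of the remote-role mapping this reply refers to, shown as an added example that is not from the original thread or from F5's own documentation. It assumes the new AD group is called F5-Admins and that the ISE TACACS+ shell profile for that group returns the F5 custom attribute F5-LTM-User-Info-1 with the value F5-Admins; the group and attribute value are assumptions, and the device is expected to already have its TACACS+ system-auth configured.

```tmsh
# Added example (not from the thread or from F5). Assumes the ISE shell
# profile for the assumed F5-Admins group returns the TACACS+ attribute
# F5-LTM-User-Info-1=F5-Admins in its authorization response.

# Map that attribute value to the Administrator role. Only sessions whose
# authorization response carries this exact attribute value match this line.
create auth remote-role role-info F5-Admins {
    attribute "F5-LTM-User-Info-1=F5-Admins"
    console enable
    line-order 1
    role administrator
    user-partition All
}

# Deny by default: a user who authenticates via TACACS+ but matches no
# role-info line gets no access rather than a default role. This is what
# keeps the other members of the broader group out even if ISE is
# misconfigured and authenticates them.
modify auth remote-user {
    default-role no-access
}

save sys config
```

With this in place the restriction is enforced twice: ISE only returns the attribute for members of the narrow group, and the F5 only grants a role to sessions carrying that attribute. Review `tmsh list auth remote-role` and `tmsh list auth remote-user` after the change, and check /var/log/secure for the role assigned to a test login from both a member and a non-member of the group.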

    • SCalNet

      The problem is that if I create a new security group in AD for F5, other users who have permissions in AD and are not responsible for F5 can put themselves in that new F5 group. I’d like to have full control so that others who are not responsible can’t mess around, so I’m looking for a way to have better security/control.

      • Injeyan_Kostas

        I understand your concern, but I respectfully disagree.
        In this scenario, anyone with sufficient permissions in Active Directory can potentially gain access anywhere by adding themselves to the appropriate groups.
        However, such actions are auditable and can be tracked.

        If there’s a fundamental lack of trust among colleagues, relying on local accounts might be a more appropriate solution.