Forum Discussion
taphagreg_90345
Nimbostratus
Feb 21, 2008
Authorisation of sysadmins using RADIUS or TACACS
I don't seem to be able to find much information on this. I have my F5 LTM and GTM and want to control the user logins using RADIUS or TACACS to set the user privilege level.
However, I am not able to find the Radius AV file or any documentation about configuring it.
I don't think I would be the first person to ask the question so if anyone can help by giving some pointers that would help out.
I am using Cisco Secure ACS for my RADIUS / TACACS server.
greg
17 Replies
- JRahm
Admin
I use radius. Because there is no way to send attributes at this time, our web user role is no access. This blocks anyone without an account defined locally on the box from gaining administrative access (except via the admin/root accounts).
v9.4.x
SYSTEM->USERS->Authentication (remote access policy on this screen)
v9.1.x
System->Users->Authentication Source
System->Users->Users->Remote Access
- taphagreg_90345
Nimbostratus
So you are saying that F5 does not support RADIUS authorization for management?
- JRahm
Admin
That's correct. All authorization is a function local to the F5 at this time.
- taphagreg_90345
Nimbostratus
That is rubbish.
Absolutely completely poor quality.
- hoolio
Cirrostratus
That's a productive response. You understand that citizen_elah doesn't work for F5 and is taking his own time to try to help you understand and solve your problem? I can't imagine you will get much help with that type of attitude.
Aaron
- taphagreg_90345
Nimbostratus
That's fair comment, and I apologise to citizen_elah and I guess yourself. I also don't work for F5, but regularly answer questions in forums for a couple of other products, I personally don't mind if someone expresses frustration.
I will take the fact that F5 does not have RADIUS and TACACS authorization support up with F5 management and put a complaint on my blog.
Thanks for your quick response.
- JRahm
Admin
Let's not sling mud, OK?
Whereas I don't disagree that this is a glaring omission on F5's part, at the end of the day it is of greater importance to meet the application owners' needs than the management conveniences of a platform. It's merely an issue of priorities, not quality. F5 apparently has not seen the business value yet or the feature would be there. I do know that this functionality is on the road map, as I have personally requested this functionality at least a dozen times (my sales guy will attest to this).
- JRahm
Admin
Sorry, I missed your post before answering...
Expressing frustration is commonplace here, but you'll find this is a very polite forum. The majority of users are genuinely interested in building community and go to great lengths to help each other out. I think we all recognize that there are things about the F5 products, or any product really, that are irritating.
- taphagreg_90345
Nimbostratus
I put a post on my blog and raised the issue with my account manager.
Don MacVittie responded on my blog and indicates that
1) not enough customers are asking for this to be fixed so other features have higher priority.
2) authorisation / authorization isn't important.
So there you have it. I am waiting for a response through official channels but I don't expect to receive any further good news.
If you want the feature, please start asking your account manager to raise a feature request. (Don't just tell them, make them raise a feature request).
Greg
- Deb_Allen_18
Historic F5 Account
Thanks, Greg!
I don't think Don really indicated that authn/authz aren't important, but F5 does target feature development efforts based on user input, so we appreciate your advice for others to please contact F5 if this feature is important to them.
The best way to raise visibility for a feature you want is to open a case with F5 Support and ask that it be associated with the appropriate CR (Change Request). A new one will be created if necessary. Many cases posted against a CR raise its visibility in Product Management when the time comes to decide on features for a specific release. If you like, you can contact Support yourself to open a case, rather than having your account manager do so:
-F5 Product Support
...http://websupport.f5.com/
...or call Support on 1-888-882-4447
...Requires a valid product maintenance contract
HTH
/deb
