Forum Discussion

daremigio_19877's avatar
daremigio_19877
Icon for Nimbostratus rankNimbostratus
Sep 14, 2015

Can newly created users with Administrator role log-in to BIG-IP even if there is remote authentication configured?

Hi All,

 

This is actually a follow-up question from here: https://devcentral.f5.com/questions/can-i-assign-multiple-roles-in-a-remote-role-group-when-integrating-active-directory-with-big-ip

 

It was indicated that local authentication and remote authentication cannot co-exist. If there is a configured remote authentication, log-ins will be directed to the remote authentication and only the default root (CLI) and admin (GUI) can log-in locally. My question is, if you create new users with an Administrator role locally, can it also log-in locally even if there is remote authentication configured? I just need to know because what if you disabled the default root and admin accounts, and then the remote authentication failed, then no one will be able to log-in locally to the BIG-IP system...

 

Thank you.

 

  • Hi,

     

    When remote authentication is enabled, only root and admin account are authenticated locally.

     

    All other users are authenticated using the remote authentication.

     

    After remote authentication, you can create new users but password field is missing. it allow to create local configuration for remote users like role, terminal access and partition.

     

  • Hi Boneyard,

     

    Thank you for verifying this. It would be a big problem if we disabled the default root and admin accounts and then the remote authentication failed. 0_0 Thank you! :)

     

  • tested this and it works as expected. once you enable remote authentication your existing local accounts / passwords don't function anymore. all requests are forwarded to the remote auth server.

     

    you also can't create any new local admin (or any other) users at that point.

     

    so indeed if you disable your admin / root account then you will be locked out, so don't :)