Forum Discussion
Creating local user account
- Feb 14, 2024
Usually, remote authentication takes precedence unless the servers are not available, in which case there is a fallback setting that can be configured to use local accounts:
For the Fallback to Local setting, select the check box when you want to allow configuring remote authentication to fall back to the local authentication when the remote server is unavailable.
Sadly, your db option only applies to the root and admin users:
- true: If this database key is set to true, the root and admin accounts use remote authentication.
- false: If this database key is set to false (default), the root and admin accounts use local authentication at all times.
Reference: https://my.f5.com/manage/s/article/K49218438
That said, what you want to accomplish CAN be done, but you would need to modify the underlying Linux configuration files for PAM, I suspect. This would not be supported natively by the F5 BIG-IP and 'can' be considered a security risk. Usually local account passwords are not rotated and forced to be reset like remote sources, and if there is a DDoS of the remote server IPs, it would be trivial to perhaps log in via a local account.
If you have LOTS of admin / application users accessing the F5 BIG-IP, use remote authentication. If you have a team that 'owns' the F5 BIG-IPs, make sure they always have access to the admin/root users and also make sure that you implement an integration such as CyberArk to rotate out these passwords on a regular basis. Keep in mind, CyberArk does have really nice integrations with Ansible even, so you can automate the retrieval of the current password, some tasks, and then recycling the password once used.
Just some thoughts.
-