Forum Discussion

epaalx
Aug 18, 2011

Creating local users when using Remote Authentication

Hi F5'ers,

I'd like to provision (some) local users even though Remote Authentication (using Radius) is provisioned.

F5 removed f5adduser (in 10.1.0), so what's the sanctioned alternative?

R's, Alex.

  • tmsh create /auth user role shell partition-access encrypted-password|password|prompt-for-password
  • "TMOS Management Guide for BIG-IP Systems" says: "Excluding the admin account, the entire set of standard user accounts that you create for BIG-IP system administrators must reside either locally on the BIG-IP system, or remotely on another type of authentication server."

    So, answer is - it can't be done.
    Willy

    I am a bit confused now: in the top rectangle it is mentioned "can't be done".

    The next rectangle provides a command for doing it?

    At this moment we are using version 12.1.3.7. Is there any change?

    We would like to use one extra local user on top of the remote users, to run a script for automated backup with keys.

    The point is that we would like the server to take the initiative for the actions.

    Does anyone have a suggestion?

    • Hi Willy,

      • Enable "Fallback to Local" (System » Users » Authentication)
      • Create a user (System » Users » User List)
      • Run the below command:
      echo "username" >> /config/bigip/auth/localusers
      sed -ri 's/(localonlyusers LT_STRING_LIST.*)"/\1 \\{username\\}"/' /etc/confpp.dat
        Stefan_Klotz

        Hi Enes,

        these two commands work perfectly on our system.

        But I noticed today (some weeks after implementation) that login with this local user is not possible anymore. I found out that the changes to the files you mentioned were gone. Are these settings maybe not reboot-safe, or do they get lost during a software update?

        Can you please share some details here and is it possible to have these settings persistent?

        Thank you!

        Ciao Stefan :)

    Willy

    Hello,

    I have been looking for the Fallback to Local, in the above screen:

    Is it possible that this option is not available in 12.1.3.7?

    Willy

    Hello eaa,

    Tried to modify the database parameter, and succeeded, but still not able to create a local user. When I tried to create a user via CLI, and then change the password, I still get the answer "Please change the password at the remote authentication server". Also in the GUI there is no extra trace of a field that suggests a local user fallback. Maybe it is easier to plan a migration to version 13.

    Dojs

    Remove the Radius Authentication, create the users and config it again.

    Willy

    Thank you jaikumar_f5 and Dojs for your advice and effort. I will go for the update to a version above 12; it is then a standard feature.

  • /etc/cron.hourly/localUserInsert

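    #!/bin/bash
    # Re-add myUser to the local-only users list if the entry is missing.
    # -q keeps grep from printing the match (cron would mail it every hour).
    grep -q myUser /config/bigip/auth/localusers
    # grep exits 1 when no line matched
    if [ $? -eq 1 ]; then
    	echo myUser >> /config/bigip/auth/localusers
    fi

    And I'll probably need to recreate it after every upgrade, but that's not a big deal.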
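
An added example, not code from any poster in this thread and not F5's: a stricter form of the hourly check above that matches the whole line (so `myUser` is not satisfied by an existing `myUser2`), copes with a list that is missing or lacks a final newline, and prints a line whenever it has to re-add the entry, so cron mail records each time the list was reset. The function name `ensure_local_user` is hypothetical and the one-username-per-line format is assumed from the `echo` commands in the thread; it covers only the `localusers` file, not the `/etc/confpp.dat` change.

```shell
#!/bin/bash
# Added example. Assumption: the list holds one username per line.

# ensure_local_user FILE USER
# Makes sure USER appears exactly once as a whole line in FILE.
# Returns 0 if the entry is present afterwards, 1 on invalid input or write error.
ensure_local_user() {
    local file=$1 user=$2

    # Reject empty names and anything outside a conservative character set,
    # so a stray space or newline cannot add extra entries to the list.
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            echo "invalid user name: '$user'" >&2
            return 1 ;;
    esac

    # -x: whole-line match, -F: literal string (a "." in the name is not a regex).
    if [ -f "$file" ] && grep -qxF -- "$user" "$file"; then
        return 0
    fi

    # If the file ends without a newline, terminate the last entry first;
    # otherwise the new name would be glued onto the previous one.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file" || return 1
    fi

    # ">>" also creates the file when it is missing (e.g. after an upgrade).
    printf '%s\n' "$user" >> "$file" || return 1

    # Printed only when a change was made; from cron this becomes a mail,
    # which is the signal that the list had lost the entry.
    printf 're-added %s to %s\n' "$user" "$file"
}

# Stand-alone use: script FILE USER
if [ "$#" -eq 2 ]; then
    ensure_local_user "$1" "$2"
fi
```

Called from a cron script as `ensure_local_user /config/bigip/auth/localusers myUser`, it stays silent while the entry is in place.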