Forum Discussion
Creating local users when using Remote Authentication
I'd like to provision (some) local users even though Remote Authentication (using Radius) is provisioned.
F5 removed f5adduser (in 10.1.0), so, what's the sanctioned alternative?
R's, Alex.
- Sam_NovakAltostratus
/etc/cron.hourly/localUserInsert
#!/bin/bash
grep myUser /config/bigip/auth/localusers
if [ $? -eq 1 ]; then
    echo myUser >> /config/bigip/auth/localusers
fi
And I'll probably need to recreate it after every upgrade, but that's not a big deal.
- WillyNimbostratus
Thank you jaikumar_f5 and Dojs for your advice and effort. I will go for the update to a version above 12; it is then a standard feature.
- DojsCirrostratus
Remove the Radius Authentication, create the users and config it again.
- WillyNimbostratus
Hello eaa,
Tried to modify the database parameter, and succeeded, but still not able to create a local user. When I tried to create a user via cli, and then change the password, I still get the answer "Please change the password at the remote authentication server". Also in the GUI there is no extra trace of a field that suggests a local user fallback. Maybe it is easier to plan a migration to version 13.
There is no fallback authentication.
- WillyNimbostratus
Hello,
I have been looking for the Fallback to Local, in the above screen:
Is it possible that this option is not available in 12.1.3.7?
Available from v13.
Can you try this command?
modify /sys db systemauth.fallback.remotetolocal value true
I think, it is not possible in TACACS+ authentication on v12.1.x.
- WillyNimbostratus
I am a bit confused now, in the top rectangle it is mentioned "can't be done".
The next rectangle provides a command for doing it?
At this moment we are using version 12.1.3.7. Is there any change?
We would like to use one extra local user on top of the remote users, to run a script for automated backup with keys.
The point is that we would like the server to take the initiative for the actions.
Does anyone have a suggestion?
Hi Willy,
- Enable "Fallback to Local" (System » Users » Authentication)
- Create a user (System » Users » User List)
- Run the below command:
echo "username" >> /config/bigip/auth/localusers
sed -ri 's/(localonlyusers LT_STRING_LIST.*)"/\1 \\{username\\}"/' /etc/confpp.dat
That is the behavior of the box. Please refer to the article K11333640.
To overcome this, you'll have to create a startup script, which would be in /config/startup.
Did you put the entries there and yet you still see this issue?
Also note this is a pretty old, 10-year-old thread; please open a new thread so it can be addressed properly.
- epaalxCirrus
"TMOS Management Guide for BIG-IP Systems" says: "Excluding the admin account, the entire set of standard user accounts that you create for BIG-IP system administrators must reside either locally on the BIG-IP system, or remotely on another type of authentication server."
- JRahmAdmin
tmsh create /auth user role shell partition-access encrypted-password|password|prompt-for-password
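Added example, not part of any post in this thread and not F5 code: an idempotent way to keep an entry in a local-only user list, plus an audit that flags entries nobody approved. It assumes the file holds one username per line, as the `echo ... >>` commands above imply; the function names and the accepted character set are choices made for this example.

```shell
#!/bin/bash
# Added example, not from the thread. Assumption: one username per line.

# ensure_local_user FILE USER: append USER unless a line already equals it.
# Exact matching matters: a plain "grep myUser" also matches "myUser2".
ensure_local_user() {
    local file="$1" user="$2"
    case "$user" in
        # Conservative character set chosen for this example.
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing unusual username: '$user'" >&2; return 2 ;;
    esac
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2; return 3
    fi
    if grep -qxF -- "$user" "$file"; then
        return 0    # already listed, nothing to do
    fi
    # If the last line lacks a newline, add one so entries do not merge.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$user" >> "$file"
}

# audit_local_users FILE ALLOWED...: print entries that are not on the
# allowlist and return 1 if any exist, so a monitoring job can alert.
audit_local_users() {
    local file="$1" entry allowed ok rc=0
    shift
    while IFS= read -r entry || [ -n "$entry" ]; do
        if [ -z "$entry" ]; then continue; fi
        ok=0
        for allowed in "$@"; do
            if [ "$entry" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected local-only user: $entry"
            rc=1
        fi
    done < "$file"
    return "$rc"
}
```

Accounts in this list authenticate locally rather than through the remote server, so running the audit alongside any cron or startup job that rewrites the file shows when the list has drifted from what was approved.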