Forum Discussion

HugoRL_337905's avatar
HugoRL_337905
Icon for Nimbostratus rankNimbostratus
Oct 24, 2017

Restricting AD Authentication to Authorized Users Only

Hello, I have an F5 i2000 load balancer, running Version 12.1.2.249.

 

I am configuring AD Authentication for the management interface, but I ran into an issue. AD Authentication is configured to use Role Groups and all is working find. However, I noticed that any domain user is able to log into the device with Administrator rights. How do I restrict unauthorized access? I've setup other devices using AD and LDAP and there are ways to put filters in place to accomplishes this.

 

I am BINDING to AD using user template: %s@mydomain.loc

 

Any advised will be appreciated.

 

Hugo

 

  • The fix to my problem was the settings under "External Users". This group of settings has three settings: Role, Partition Access, and Terminal Access. It looks like these settings control the access restrictions that will apply by default to anyone that is able to authenticate to the remote authenticating server, in my case, the DC.

     

    By default this setting is set to "No Access", but it looks like it was changed in my configuration that is why any domain user was able to log in with Administrator rights. My current settings are (Access Restriction is working):

     

    Role: No Access Partition: All Terminal Access: Disabled

     

    Thanks again.

     

    Hugo

     

  • Hi Hugo,

     

    take a look to the "Login LDAP Attribute" option or to the "Remote Role Groups" configuration.

     

    The "Login LDAP Attribute" option allows you to map the individual AD users to a given local user object. By doing so, the individual AD users will inherit the permissions of the local user object, so that the default permission for authenticated AD users can be set to "No Access".

     

    The "Remote Role Groups" configuration allows you to fetch and map the Group-Memberships from AD, so that a member of a given group get elevated access rigths compared to the default permission for authenticated AD users (aka. "No Access" again)

     

    Cheers, Kai

     

  • The fix to my problem was the settings under "External Users". This group of settings has three settings: Role, Partition Access, and Terminal Access. It looks like these settings control the access restrictions that will apply by default to anyone that is able to authenticate to the remote authenticating server, in my case, the DC.

     

    By default this setting is set to "No Access", but it looks like it was changed in my configuration that is why any domain user was able to log in with Administrator rights. My current settings are (Access Restriction is working):

     

    Role: No Access Partition: All Terminal Access: Disabled

     

    Thanks again.

     

    Hugo