Forum Discussion

HugoRL_337905's avatar
HugoRL_337905
Icon for Nimbostratus rankNimbostratus
Oct 24, 2017

Restricting AD Authentication to Authorized Users Only

Hello, I have an F5 i2000 load balancer, running Version 12.1.2.249.

 

I am configuring AD Authentication for the management interface, but I ran into an issue. AD Authentication is configured to use Role Groups and all is working find. However, I noticed that any domain user is able to log into the device with Administrator rights. How do I restrict unauthorized access? I've setup other devices using AD and LDAP and there are ways to put filters in place to accomplishes this.

 

I am BINDING to AD using user template: %s@mydomain.loc

 

Any advised will be appreciated.

 

Hugo

 

BIG-IP
security
  • HugoRL_337905's avatar
    HugoRL_337905
    Oct 24, 2017

    The fix to my problem was the settings under "External Users". This group of settings has three settings: Role, Partition Access, and Terminal Access. It looks like these settings control the access restrictions that will apply by default to anyone that is able to authenticate to the remote authenticating server, in my case, the DC.

     

    By default this setting is set to "No Access", but it looks like it was changed in my configuration that is why any domain user was able to log in with Administrator rights. My current settings are (Access Restriction is working):

     

    Role: No Access Partition: All Terminal Access: Disabled

     

    Thanks again.

     

    Hugo

     

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Oct 24, 2017

    Hi Hugo,

     

    take a look to the "Login LDAP Attribute" option or to the "Remote Role Groups" configuration.

     

    The "Login LDAP Attribute" option allows you to map the individual AD users to a given local user object. By doing so, the individual AD users will inherit the permissions of the local user object, so that the default permission for authenticated AD users can be set to "No Access".

     

    The "Remote Role Groups" configuration allows you to fetch and map the Group-Memberships from AD, so that a member of a given group get elevated access rigths compared to the default permission for authenticated AD users (aka. "No Access" again)

     

    Cheers, Kai

     

  • HugoRL_337905's avatar
    HugoRL_337905
    Icon for Nimbostratus rankNimbostratus
    Oct 24, 2017

    The fix to my problem was the settings under "External Users". This group of settings has three settings: Role, Partition Access, and Terminal Access. It looks like these settings control the access restrictions that will apply by default to anyone that is able to authenticate to the remote authenticating server, in my case, the DC.

     

    By default this setting is set to "No Access", but it looks like it was changed in my configuration that is why any domain user was able to log in with Administrator rights. My current settings are (Access Restriction is working):

     

    Role: No Access Partition: All Terminal Access: Disabled

     

    Thanks again.

     

    Hugo