Forum Discussion
Restricting AD Authentication to Authorized Users Only
Hello, I have an F5 i2000 load balancer, running Version 12.1.2.249.
I am configuring AD Authentication for the management interface, but I ran into an issue. AD Authentication is configured to use Role Groups and all is working fine. However, I noticed that any domain user is able to log into the device with Administrator rights. How do I restrict unauthorized access? I've set up other devices using AD and LDAP and there are ways to put filters in place to accomplish this.
I am BINDING to AD using user template: %s@mydomain.loc
Any advice will be appreciated.
Hugo
The fix to my problem was the settings under "External Users". This group of settings has three settings: Role, Partition Access, and Terminal Access. It looks like these settings control the access restrictions that will apply by default to anyone that is able to authenticate to the remote authenticating server, in my case, the DC.
By default this setting is set to "No Access", but it looks like it was changed in my configuration, which is why any domain user was able to log in with Administrator rights. My current settings are (Access Restriction is working):
Role: No Access; Partition: All; Terminal Access: Disabled
Thanks again.
Hugo
Hi Hugo,
Take a look at the "Login LDAP Attribute" option or at the "Remote Role Groups" configuration.
The "Login LDAP Attribute" option allows you to map the individual AD users to a given local user object. By doing so, the individual AD users will inherit the permissions of the local user object, so that the default permission for authenticated AD users can be set to "No Access".
The "Remote Role Groups" configuration allows you to fetch and map the group memberships from AD, so that a member of a given group gets elevated access rights compared to the default permission for authenticated AD users (a.k.a. "No Access" again).
Cheers, Kai
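The point both Hugo's fix and Kai's reply make is that the AD bind only answers "is this a valid domain account?"; which role the account gets is decided afterwards by walking the Remote Role Groups entries in line order and falling back to the "External Users" default when nothing matches. The following Python model of that evaluation is an added illustration for this thread, not F5's implementation; the group DN, user names and group lists are constructed sample data, and the field names (`line_order`, `attribute`, `role`, `partition`, `console`) are chosen to mirror the settings discussed above, not to reproduce any BIG-IP API.

```python
"""Model of remote-role evaluation after an AD bind (added illustration, not F5 code).

Authentication with the template %s@mydomain.loc only proves the user has a
valid domain password.  Authorization is a separate step: walk the ordered
Remote Role Groups, match an LDAP attribute (typically memberOf) against what
AD returned for the user, and fall back to the External Users default.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RoleInfo:
    """One Remote Role Groups line: attribute=value -> role."""
    line_order: int
    attribute: str        # e.g. "memberOf=CN=BIGIP-Admins,OU=Groups,DC=mydomain,DC=loc"
    role: str
    partition: str = "all"
    console: bool = False  # Terminal Access


@dataclass(frozen=True)
class ExternalUsersDefault:
    """The External Users settings: applied to any authenticated user with no match."""
    role: str = "no-access"
    partition: str = "all"
    console: bool = False


@dataclass(frozen=True)
class Access:
    role: str
    partition: str
    console: bool
    matched_by: str


def authorize(user_attrs: dict[str, list[str]],
              role_infos: list[RoleInfo],
              default: ExternalUsersDefault) -> Access:
    """First Remote Role Groups line whose attribute=value the user carries wins;
    otherwise the External Users default applies."""
    for entry in sorted(role_infos, key=lambda r: r.line_order):
        name, _, value = entry.attribute.partition("=")
        if value in user_attrs.get(name, []):
            return Access(entry.role, entry.partition, entry.console,
                          f"line {entry.line_order}")
    return Access(default.role, default.partition, default.console,
                  "external-users default")


# Constructed sample DN for the group that should get Administrator.
ADMIN_GROUP = "CN=BIGIP-Admins,OU=Groups,DC=mydomain,DC=loc"

ROLE_GROUPS = [
    RoleInfo(line_order=1, attribute=f"memberOf={ADMIN_GROUP}",
             role="administrator", console=True),
]

# Constructed sample of the attributes AD returns after a successful bind.
DIRECTORY = {
    "netops.alice": {"memberOf": [ADMIN_GROUP,
                                  "CN=VPN-Users,OU=Groups,DC=mydomain,DC=loc"]},
    "intern.bob":   {"memberOf": ["CN=VPN-Users,OU=Groups,DC=mydomain,DC=loc"]},
}

# The thread's misconfiguration: External Users default left at Administrator.
MISCONFIGURED = ExternalUsersDefault(role="administrator", console=True)
# Hugo's fix: Role No Access, Partition All, Terminal Access Disabled.
FIXED = ExternalUsersDefault(role="no-access", partition="all", console=False)


def evaluate_all(default: ExternalUsersDefault) -> dict[str, Access]:
    """Authorize every sample user under the given External Users default."""
    return {user: authorize(attrs, ROLE_GROUPS, default)
            for user, attrs in DIRECTORY.items()}


if __name__ == "__main__":
    for label, default in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        print(f"--- External Users default = {default.role} ({label})")
        for user, access in evaluate_all(default).items():
            print(f"{user:13} -> role={access.role:13} "
                  f"console={access.console!s:5} via {access.matched_by}")
```

Running it shows the symptom from the original post and the fix side by side: with the default at Administrator, intern.bob (who matches no Remote Role Groups line) is an administrator purely because his AD password was accepted; with the default at No Access he is denied, while netops.alice still gets Administrator through the line-1 group match. On BIG-IP the same two knobs correspond to the `auth remote-user` (default role, partition and console access) and `auth remote-role role-info` tmsh objects, so the default role is the first thing to check when every domain account turns out to have full rights.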