Forum Discussion
smp_86112
Cirrostratus
CirrostratusSystem -> Authentication -> Remote - Active Directory
I am trying to configure our 9.3 LTM System Authentication to use "Remote - Active Directory". The question I can't seem to get a straight answer to is whether the LTM can look at Active Directory group membership to authenticate a user. In my case, there are two crucial considerations:
1) The user accounts who are members of my management Group may not all be in the same OU
2) The user accounts who are members of my management Group are not in the same OU as the Group.
Is this architecture possible, and if so, can you provide specifics or a cleansed example of how the Authentication Configuration screen on the LTM (or GTM or whatever...) should look?
Thanks.
Mark_CuroleNimbostratus
I use the same kind of configuration. BigIp does not use AD for authorization only authentication. You have to add the users you want to have access inside BigIp, one at a time.
I you wanted to do Authorization you could use Radius/IAS.
smp_86112Thanks for your reply.
I am referring only to Authorization. If that's true, that I must add individual users, then I am highly discouraged by F5's Authentication architecture. I have 13 F5 products and if a new user joins the team, I have to log into each device to create an account for them???
A much better solution would be to account for group membership, where I could simply create a group and manage access based on whether or not a user is a member. Every other product I have works in this manner - why not F5?- JRahm
Admin
The lack of authorization has been a glaring shortfall for me as well. I had hoped that with their new administrative domains in 9.4 that this would be addressed, but without remote authorization support, the load on the administrator is even heavier if you choose to use the partitions.
