Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Creating local users when using Remote Authentication

epaalx
Cirrus
Cirrus

‎18-Aug-2011 00:37

Hi F5'ers,

 

I'd like to provision (some) local users even though Remote Authentication (using Radius) is provisioned.

 

F5 removed f5adduser (in 10.1.0), so, what's the sanctioned alternative?

 

R's, Alex.

 

0 Kudos
15 REPLIES 15

JRahm
Community Manager
Community Manager

‎22-Aug-2011 07:11

tmsh create /auth user role shell partition-access encrypted-password|password|prompt-for-password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

epaalx
Cirrus
Cirrus

‎04-Sep-2011 19:14

"TMOS Management Guide for BIG-IP Systems" says: "Excluding the admin account, the entire set of standard user accounts that you create for BIG-IP system administrators must reside either locally on the BIG-IP system, or remotely on another type of authentication server."

 

So, answer is - it can't be done.
0 Kudos

Willy
Nimbostratus
Nimbostratus

‎13-Nov-2019 07:53

I am a bit confused now,in the top rectangle it is mentioned "can't be done".

The next rectangle provides a command for doing it ?

At this moment we are using version 12.1.3.7. Is there any change ?

We would like to use one extra local user on top of the remote users , to run a script for automated backup with keys.

Point is that we would like to take the server the initiative for the actions.

Anyone a suggestion ?

0 Kudos

Enes_Afsin_Al
MVP
MVP
In response to Willy

‎14-Nov-2019 06:30 - last edited on ‎05-Jun-2023 23:07 by Fog

Hi Willy,

  • Enable "Fallback to Local" (System » Users » Authentication)
  • Create a user (System » Users » User List)
  • Run the below command:
echo "username" >> /config/bigip/auth/localusers
sed -ri 's/(localonlyusers LT_STRING_LIST.*)"/\1 \\{username\\}"/' /etc/confpp.dat

Stefan_Klotz
Cumulonimbus
Cumulonimbus
In response to Enes_Afsin_Al

‎08-Apr-2021 08:01

Hi Enes,

these two commands work perfectly on our system.

But I noticed today (some weeks after implementation), that login with this local user is not possible anymore. I found out, that the changes to your mentioned files were gone. Are these settings maybe not reboot-safe or gets lost during a software update?

Can you please share some details here and is it possible to have these settings persistent?

Thank you!

 

Ciao Stefan 🙂

0 Kudos

Enes_Afsin_Al
MVP
MVP
In response to Enes_Afsin_Al

‎08-Apr-2021 12:26

Hi Stefan,

 

The file /config/bigip/auth/localusers is auto-generated and should not be manually edited. After a system reboot it is expected that this configuration will be lost.

 

You can workaround this, to allow local and remote users to work at all times, by creating a startup script to add the local users to /config/bigip/auth/localusers on every reboot. However, this is not officially developed or supported by F5.

 

REF: https://support.f5.com/csp/article/K11333640

0 Kudos

Stefan_Klotz
Cumulonimbus
Cumulonimbus
In response to Enes_Afsin_Al

‎29-Apr-2021 04:01

Hi Enes,

sorry to bother you again, but this manual configurations gets lost even without touching or rebooting the BIG-IP. I had to re-enter both commands now twice within the last two days!

Any idea, which internal process removes this again? Is automated scripting (via cronjob) the only solution to have these entries permanent?

Thank you!

 

Ciao Stefan 🙂

0 Kudos

jaikumar_f5
MVP
MVP
In response to Enes_Afsin_Al

‎30-Apr-2021 07:35 - last edited on ‎24-Mar-2022 01:07 by Fog

 

 

That is the behavior of the box. Please refer the article K11333640.

To overcome this, you'll have to create a startup script. Which would be on /config/startup.

 

Did you put the entries there & yet you see this issue ?

Also note this is pretty 10 year old thread, please open a new thread so it could be addressed properly.

0 Kudos

Willy
Nimbostratus
Nimbostratus

‎14-Nov-2019 07:49

Hello,

 

I have been looking for the Fallback to Local, in the above screen :

 

Is it possible that this option is not available in 12.1.3.7 ?

 

 

0 Kudos

Enes_Afsin_Al
MVP
MVP
In response to Willy

‎15-Nov-2019 00:52 - last edited on ‎05-Jun-2023 03:13 by Fog

Available from v13.

Can you try this command?

modify /sys db systemauth.fallback.remotetolocal value true

I think, it is not possible in TACACS+ authentication on v12.1.x.

REF: https://support.f5.com/csp/article/K03546096

0 Kudos

Willy
Nimbostratus
Nimbostratus

‎18-Nov-2019 06:31

Hello eaa,

 

Tried to modify the database parameter, and succeeded, but stil not able to create a local user. When I tried to create a user via cli, and then change the password, I still get the answer "Please change the password at the remote authentication server". Also in the GUI there is no extra trace of a field that suggest a local user fallback. Maybe it is easier to plan a migration to version 13.

0 Kudos

jaikumar_f5
MVP
MVP
In response to Willy

‎18-Nov-2019 08:47

There is no fallback authentication.

0 Kudos

Dojs
Cirrostratus
Cirrostratus

‎18-Nov-2019 09:33

Remove the Radius Authentication, create the users and config it again.

0 Kudos

Willy
Nimbostratus
Nimbostratus

‎20-Nov-2019 02:06

Thank you jaikumar_f5 and Dojs for your advice and effort. I will go for the update to a version above 12, it is than a standard feature.

0 Kudos

Sam_Novak
Altostratus
Altostratus

‎02-Nov-2022 07:07

/etc/cron.hourly/localUserInsert

#!/bin/bash
grep myUser /config/bigip/auth/localusers
if [ $? -eq 1 ]; then
	echo myUser >> /config/bigip/auth/localusers
fi

And i'll probably need to recreate it after every upgrade, but that's not a big deal.

0 Kudos
Copyright © 2023 Khoros, LLC