aaa
14 TopicsAPM Local DB multiple groups
Hi, I'm using APM with localdb authentication and performing a group lookup and resource assign ACLs based on the localdb group. It works well with one group and one set of ACLs per group. But what if I want a user to have ACLs from more than one group? do I assign multiple groups to the user? I've sort of tried this but it did not work. Only ACL from one group are applied. Is this sort of functionality supported or is the group field in localdb meant for only one group?81Views0likes3CommentsNeed help to configure F5 Authentication using Windows 2012 Radius server
Hi All, I need help to configure F5 Authentication using Windows 2012Radius server. I need to configure two user(Admin,guest) roles for different AD user groups. Please provide any documentation or videos for configuring this on my office network.392Views0likes2CommentsDUO Security Proxy servers in HA configuration
Has anyone setup HA for the DUO Proxy servers? I don't believe I can use the Radius iApp due to the specific port per DUO application(s)? I can successfully create a radius server with a "direct" server connection association to a single node (DUO Auth Proxy). However, I've been unsuccessful at setting up a HA configuration to include a second DUO Auth Proxy server. I've tried the following manual configurations (both failed): 1. Updated the "direct" server connection to point to a VIP (instead of a node) whereas the VIP was associated to a pool of DUO Auth Proxy servers. Failed (no response from server) 2. Created a new radius server referencing the pool of DUO Auth Proxy servers (not direct server connection). Essentially removing the VIP. Same error as above. *** The pool I used has Priority Grouping to prioritize its local site DUO Auth Proxy server unless its unavailable, then do to the other datacenter for DUO Auth Proxy. I have not setup a persistence profile due to the priority grouping. But, I will try that today. Hoping someone has tried setting up DUO Proxy HA and can provide any helpful insight. Thank you in advance. ~Jeff753Views0likes2CommentsAccess Session Variable in Custom Body of HTTP Auth Server
Hi I created a HTTP Auth Server with Type "Custom Post". Now i need to set a post variable in the Custom Body to the Value of a Session Variable. Is there a way to access a session variable like session.logon.last.username and set the post Variable to this Value? Best Regards sbu347Views0likes2CommentsAAA for Big-IQ CLI/TMSH Login
Hi, I have tried to use AAA server for authentication and authorization Big-IQ web GUI login. I configured on Big-IQ web GUI and find out that it doesn't work to authenticate user who log in into TMSH/CLI. Is there separate configuration to authenticate user through AAA server for CLI/tmsh? Thank you835Views0likes1CommentBIG-IQ 5.2.0 HA Pair, Login Using RADIUS Auth Provider
Hi, We set up Auth Provider for authentication and authorization using RADIUS server. The BIG IQ version is 5.2.0 and in the primary, we can login using account from RADIUS auth provider. Because the BIG-IQ is HA pair, so the configuration from primary is synced to secondary. When we open secondary BIG-IQ, there is RADIUS auth provider selection in login page. But when login using RADIUS server account in secondary BIG-IQ, there is error: What does the error mean? Does anyone can explain to me? Thank you371Views0likes0CommentsCustom attribute in AD behaves as if cached in AD AAA
We've added a custom attribute to Active Directory. We've added a process that sets this attribute to an APM policy via a web API. When the user logs in and it is not set (via Active Directory AAA lookup), we set a value. If the user logs out and in again quickly after this, the new session behaves as if the custom attribute is still not set, when it should be set, and if the user waits a few seconds it all works. I believe (I could be wrong, somethings not right) that the F5 and the web API server are using the same Active Directory server, so I don't believe this is a propagation delay in Active Directory between AD servers. We don't see this behaviour with the password attribute. Is there some caching going on here, or some property of the password attribute that avoids caching either in the F5 APM or AD? The Active Directory AAA has a lot of cache properties, but none of them looked relevant from the documentation. Its a minor issue in the scheme of things but when it happens it is confusing for the end user.168Views0likes1CommentMultiple AAA authetication groups to TACACS
Currently I authenticate to a TACACS for my read/write account. Anyone who needs to manage the LTM will be added to that group. However I need to give auditor access to a group of users. When I great a local account it doesn't allow me to add a password. I can't add them to the group that I'm in because they will have too much access. How to I get the LTM to authenticate a group of users with an auditor role.Solved937Views0likes18CommentsRSA SecurID Multiple domain partitions
hello, I have 2 partition domains sharing the same RSA securid aaa. As the 2 partitions are using the same self-ip, the RSA server does not accept the connection from 2 apm instances at the same time, so the authentication is rejected. did you guys experiment such a scenario ? any idea how to get over this issue ? thank you. O.198Views0likes1Comment