Forum Discussion

Abhishek_05_163
Sep 15, 2014

F5 Authorization

Hi,

Recently I deployed group-based authentication via remote-role on my BigIP LTM v10. Basically I created two groups, F5-Admins and F5-Operators, and assigned them to the Network team and the Operations team.

Network team - full access

Operations team - operator role - enable / disable - nodes / pool

I learned that it is usually my Operations team who clears the cache on the F5; to be precise, they use this command:

    delete ltm profile ramcache

This command requires admin rights to execute.

So now we want to retain the current authorization model but permit users with the operator role to execute this command. Is this possible? If yes, can someone please assist me with the configuration / commands / a reference?

5 Replies

  • I don't believe you can; there is a specific set of roles with their rights, but nothing to enable a certain right through that route.

    Perhaps you could do something via an external script that kicks off this command from a webserver or such, but from within the F5 profiles you won't.

  • Thank you boneyard. I think we might end up giving admin access to the Operations user. An external script from a web server is a good idea, but we do not want to introduce an additional object that we need to build / maintain / troubleshoot.

    Do you think using a TACACS+ or RADIUS server can help in this scenario?

  • I don't see how; you have a mapping to groups of commands. There is no possibility to create your own group or to include single commands. There aren't many systems that allow that, and somehow the groups and their rights never match with what I need :)

  • Hi Abhishek,

    It is a security best practice to integrate your LTM with an external authentication service; here you may use TACACS. Make sure you also have an admin account on your device, just in case the TACACS server goes down, so you won't lose access.

    Regards