Forum Discussion

Leo_Rodrigues_1
Feb 05, 2015

Big IP LTM - first authenticate against Radius, then with a local account of last resort

Hello.

 

We have a pair of LTM boxes successfully authenticating with a pair of radius servers. I noticed that the local accounts are still available to log in.

 

Is there a way to force the LTM appliance to this behavior for local administrative access?

 

  1. First authenticate with the Radius servers
  2. Only if no Radius servers are available, permit login with any local accounts available as last-resort.

When searching the F5 docs, I found that the FirePass appliance supports "authentication failover", but I found nothing of the sort for the LTM.

 

sol10920: Overview of RADIUS authentication failover (FirePass):

 

(https://support.f5.com/kb/en-us/solutions/public/10000/900/sol10920)

 

Thanks!

 

4 Replies

  • Hi Leo,

     

    I believe you are talking about remote authentication to the BigIP? If so, Please check out this manual entry https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-11-6-0/5.html.

     

    After configuring the BigIP for remote authentication, the only two accounts that remain local should be root and admin. If you see other accounts listed, those are considered stub accounts and just determine what properties and permissions the user has when they log in.

     

    I'm not aware of any type of "fallback" authentication... the document for Firepass is for auth to the VPN as a user not as an administrator.

     

    -Seth

     

  • Hi Seth.

     

    Yes, remote authentication.

     

    The only remaining users are indeed root and Admin. But the Admin account can still be used to log in and administer the boxes even with remote authentication configured.

     

    I would like to disable the Admin account, but only while the Radius servers are available, to keep track of who changes what (force the team to use Radius). I would not like to delete the Admin account, because if the Radius servers are for some reason down, nobody will be able to log in to the LTM.

     

    The desired behavior would be just like what is available with Cisco AAA (local accounts are only available for login if the group of Radius servers is down).

     

    Thanks.

     

    • Seth_Cooper

      Leo, it is not possible to achieve this today. The admin user is always available so you can make sure to have access. You can put in security processes to change the password often and store it in a place that is logged when a user accesses it. You can always submit an RFE to request the ability to disable the admin account.

      -Seth