
TLL_91858
Sep 02, 2015

Using CAC to access BigIP web management interface

I am trying to set up the web management interface on a 11.6.0 system to authenticate administrators against AD when managing the BigIP. I'd like to know if there's a document out there to help me set this up using CAC card instead of username/password.


Thanks.


4 Replies

  • Since you say "CAC," I will assume you are a federal customer.


    There is documentation available, but for a very specific use case that does not yet work for DoD / Federal. If you are attempting to configure multi-factor authentication to management in order to meet STIG / SRG requirements, there are other methods that will work for you until TMOS v12 is released.


    If you are on a closed circuit network and control your CA, the current implementation may work for you.


    If you want more details, please reach out to your account team. I'll shoot you an email.


  • I was thinking about this, as I am in the same boat as far as this potentially becoming a requirement. I think an easy way to do this would be to set up a VS for the F5 management itself and CAC-enable that VS using LTM or APM, whichever flavor you choose. Then you still have RADIUS or username/password as a backup option but never have to use the management IP again, except in an emergency when, say, OCSP is down or something.


    • Michael_J_17169

      This works all the way up to version 12.0. However, in the event that TMM is down, you will no longer be able to access your management interface. Otherwise, this works. This issue is currently being worked on to find a resolution.


    • hejman_229037

      Ok... we just upgraded to 12.1.0, as we were told this would support using arbitrary fields from the DOD Token certs to authenticate for MC. I have a VIP set up for one environment, and hitting that URL it does read the cert and prompts for PIN; it then goes to the 'local' login screen. How do I get it to authenticate the Subject Alternate Name from the token to AD for our -admin accts? I have tried various SSL settings/certs... no luck. Do I have to use Client Cert LDAP config?


      thanks in advance...
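As an added illustration of the "VS in front of the management interface" idea from the second reply (this is not configuration posted by anyone in the thread or by F5), the tmsh objects below build an LTM-only front end that requires a client certificate chaining to a trusted CA bundle before traffic reaches the management GUI. Object names, certificate/CRL file names and the 192.0.2.x / 203.0.113.x addresses are assumptions; the BIG-IP's own management GUI is assumed to answer at 192.0.2.10:443.

```tmsh
# Client-side TLS profile: the presented certificate must chain to the
# trusted issuers in dod_ca_bundle.crt (placeholder name for the bundle you
# import under System > Certificate Management), and revoked certificates
# listed in dod_ca.crl (placeholder) are rejected.
create ltm profile client-ssl mgmt_cac_clientssl {
    defaults-from clientssl
    cert mgmt_gui.crt
    key mgmt_gui.key
    ca-file dod_ca_bundle.crt
    crl-file dod_ca.crl
    peer-cert-mode require
}

# Pool whose only member is the management GUI itself (assumed address).
create ltm pool mgmt_gui_pool {
    members add { 192.0.2.10:443 }
    monitor https
}

# Virtual server administrators connect to instead of the management IP.
# Client-side: mutual TLS via the profile above. Server-side: re-encrypt
# to the GUI with the default serverssl profile. SNAT so the GUI sees the
# BIG-IP's own address and the return path stays on-box.
create ltm virtual mgmt_cac_vs {
    destination 203.0.113.10:443
    ip-protocol tcp
    profiles add {
        tcp { }
        http { }
        mgmt_cac_clientssl { context clientside }
        serverssl { context serverside }
    }
    pool mgmt_gui_pool
    source-address-translation { type automap }
}
```

With LTM alone, the virtual server only enforces that a valid, unrevoked certificate from the trusted CAs was presented; the GUI behind it still runs its own login, which is the behaviour the last reply describes (PIN prompt, then the local login screen). Mapping a field of that certificate (such as the SAN) to an AD account is an APM access-policy function, not something a client-ssl profile performs, and, as the Historic F5 Account reply notes, this path depends on TMM being up, so the management IP remains the emergency route.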