Forum Discussion

smp_86112
Nov 20, 2007

System -> Authentication -> Remote - Active Directory

I am trying to configure our 9.3 LTM System Authentication to use "Remote - Active Directory". The question I can't seem to get a straight answer to is whether the LTM can look at Active Directory group membership to authenticate a user. In my case, there are two crucial considerations:

1) The user accounts who are members of my management Group may not all be in the same OU

2) The user accounts who are members of my management Group are not in the same OU as the Group.

Is this architecture possible, and if so, can you provide specifics or a cleansed example of how the Authentication Configuration screen on the LTM (or GTM or whatever...) should look?

Thanks.

3 Replies

  • I use the same kind of configuration. BigIp does not use AD for authorization, only authentication. You have to add the users you want to have access inside BigIp, one at a time.

    If you wanted to do Authorization you could use Radius/IAS.

  • Thanks for your reply.

    I am referring only to Authorization. If that's true, that I must add individual users, then I am highly discouraged by F5's Authentication architecture. I have 13 F5 products and if a new user joins the team, I have to log into each device to create an account for them???

    A much better solution would be to account for group membership, where I could simply create a group and manage access based on whether or not a user is a member. Every other product I have works in this manner - why not F5?

  • The lack of authorization has been a glaring shortfall for me as well. I had hoped that with their new administrative domains in 9.4 that this would be addressed, but without remote authorization support, the load on the administrator is even heavier if you choose to use the partitions.