F5 Active Directory Authentication

In this second part, we will see how to set up Active Directory authentication on the F5 BIG-IP. You may also check the blog on LDAP authentication.

Unfortunately, the documentation on F5’s website is not always very clear, and while a few people have blogged about how to get this to work, I found that the information was never complete and occasionally quite ambiguous.

So here is a step-by-step guide on how to set up login authentication against an LDAP database.


REQUIREMENTS: We will set up remote login authentication against an Active Directory (AD) database, as per the following authorization policy:

  1. For LDAP binding we want to use the user’s account rather than a static, administrator account
  2. This is a small company so we want *all other* AD users to have Read Only access to the F5
  3. F5-Administrators Group – users who belong to this group are full F5 administrators

INGREDIENTS: We will need the following:

  1. Active Directory Server
  2. LDAP Base DN (Distinguished Name)
  3. LDAP Binding credentials
  4. LDAP path of the F5-Administrators AD group
  5. F5 Load balancer

We will gather all this information in step one below.


STEP 1: CONFIGURE AD GROUP MEMBERSHIP

As the LDAP server, I already had a Windows 2003 VM set as a Domain Controller in my lab. In the screenshot below you can see the user accounts and group membership:

We have one user – f5-admin – which is a member of the F5-Administrators group.

To get the full LDAP path for the F5-Administrators AD group, we can either use the ADSIedit.msc Windows snap-in or the following command at the CLI, like so:

  • Full LDAP Distinguished Name: CN=F5-Administrators,CN=Users,DC=home,DC=cm – this will be used later when mapping the access to the Remote Role Groups;
  • Base LDAP Distinguished Name: DC=home,DC=cm – this populates the Remote Directory Tree field.

STEP 2: CONFIGURE F5 FOR AD AUTHENTICATION

The AD binding account doesn’t have to have administrator privileges; it must, however, exist in AD. Even more so, our 1st requirement in this scenario is to use the actual user account for LDAP binding.

To that end, we’ll make use of user templates, which have the format: %s@<domain.name>. Once successfully authenticated, “%s” will get replaced with the username itself. As far as I’m aware, this is the only template you can use.

To fulfil the 2nd requirement, we need to set the External Users Role as guest. This section will be matched by all AD users. Additional privileges are added through the Remote Role Groups.

Below is a screenshot of the F5 configuration:


STEP 3: CONFIGURE ACCOUNT PRIVILEGES

Once authentication is completed, the AD account must be mapped to a Remote Role Group (see the tab next to the Authentication tab). Though first, the Remote Role Group must be created.

A Remote Role Group, in simple terms, is an ordered list of LDAP search criteria for identifying group membership. Once a user is successfully authenticated against the AD LDAP database, the system tries to match that user against each criterion, line by line, top to bottom, and stops at the first match.

Within the F5, these become the main focus for assigning privileges; these will then propagate to the respective members.

Here it is called F5-GUI-Administrators:

Notice the memberof syntax in the group definition!

NOTE: Should there be no match to a Remote Role Group, the user is assigned the default privileges as set above – see the Authentication Screen – in our case, users will have guest access only.
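
The first-match evaluation and guest fallback described in Step 3 can be modelled as below. This is an added example, not F5 code or anything from the original configuration: the `home.cm` domain suffix, the `order` field, the `Staff` group and the sample users are constructed for illustration, and the DN comparison is simplified.

```python
"""Model of the login flow above: user-template bind name, ordered Remote
Role Group matching, fallback to the External Users Role. Illustrative only."""
from dataclasses import dataclass

USER_TEMPLATE = "%s@home.cm"   # assumed domain, derived from DC=home,DC=cm
DEFAULT_ROLE = "guest"         # External Users Role set in Step 2


@dataclass(frozen=True)
class RoleGroup:
    name: str
    order: int                 # position in the list; lower is evaluated first
    attribute: str             # e.g. "memberOf=CN=...,DC=home,DC=cm"
    role: str


def normalise_dn(dn: str) -> str:
    # Simplified comparison form: lower case, no spaces around "," or "=".
    rdns = (rdn.strip().split("=", 1) for rdn in dn.split(","))
    return ",".join("=".join(part.strip().lower() for part in rdn) for rdn in rdns)


def bind_name(username: str) -> str:
    # The template's %s is replaced with the name typed at the login prompt.
    return USER_TEMPLATE.replace("%s", username)


def resolve_role(member_of, groups):
    """Return (role, matching group name) for a user's memberOf values."""
    user_groups = {normalise_dn(dn) for dn in member_of}
    for group in sorted(groups, key=lambda g: g.order):
        key, _, dn = group.attribute.partition("=")
        if key.lower() == "memberof" and normalise_dn(dn) in user_groups:
            return group.role, group.name      # stop at the first match
    return DEFAULT_ROLE, None                  # no match: External Users Role


ADMIN_DN = "CN=F5-Administrators,CN=Users,DC=home,DC=cm"
STAFF_DN = "CN=Staff,CN=Users,DC=home,DC=cm"   # hypothetical second AD group

GROUPS = [RoleGroup("F5-GUI-Administrators", 1000, "memberOf=" + ADMIN_DN, "administrator")]

# Ordering matters: a broader entry placed earlier shadows the admin mapping.
SHADOWED = GROUPS + [RoleGroup("F5-GUI-Staff", 500, "memberOf=" + STAFF_DN, "guest")]

if __name__ == "__main__":
    print(bind_name("f5-admin"))
    print(resolve_role([ADMIN_DN], GROUPS))            # member of the admin group
    print(resolve_role([STAFF_DN], GROUPS))            # any other AD user
    print(resolve_role([STAFF_DN, ADMIN_DN], SHADOWED))
```

When reviewing a real Remote Role Group list, the same top-to-bottom reading shows which entry a user who belongs to several AD groups will actually hit.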
Thank you,

Rafael A. Couto Cabral • LinkedIn Profile
Cisco | F5 | VMware Certified • PRINCE2 Practitioner

Originally posted 2017-10-03 10:15:38.
