auth remote-role
auth remote-role(1) BIG-IP TMSH Manual auth remote-role(1)
NAME
remote-role - Creates remote role information in a file that an LDAP, Active Directory(r), RADIUS, or TACACS+ server reads
to determine the specific access rights to grant to groups of remotely-authenticated users.
MODULE
auth
SYNTAX
Configure the remote-role component within the auth module using the syntax shown in the following sections.
MODIFY
modify remote-role
options:
description [string]
role-info [add | delete | modify | replace-all-with] {
[group-name] {
options:
attribute [string]
console [disabled | tmsh]
description [string]
deny [enabled | disabled]
line-order [integer]
role [acceleration-policy-editor | admin | fraud-protection-manager |
application-editor | auditor | certificate-manager |
firewall-manager | guest | irule-manager | log-manager | manager |
no-access | operator | resource-admin | user-manager |
web-application-security-administrator |
web-application-security-editor | web-application-security-operations-administrator]
user-partition [all | Common | [name] ]
user-partition [%string]
}
}
role-info none
DISPLAY
list remote-role
show running-config remote-role
options:
all-properties
non-default-properties
one-line
DELETE
You cannot delete the remote-role defaults; you can only modify the values of the options.
DESCRIPTION
You can use the remote-role component to grant access to a specific group of remotely-authenticated users without creating
a local user account on the BIG-IP(r) system for each user in the group.
Users assigned the role of Administrator can modify remote roles. Users assigned all other roles can view remote roles.
You can use the variable substitution feature to assign access rights for a group of remote users by specifying a text
string variable that is preceded by a leading % character for the options attribute, console, role and user-partition. For
example, if you define the remote role for the groups DC1 and DC2 as follows:
remote-role {
    role-info {
        dc1 {
            attribute "F5-LTM-User-Info-1=DC1"
            console %F5-LTM-User-Console
            line-order 1
            role %F5-LTM-User-Role
            user-partition %F5-LTM-User-Partition
        }
        dc2 {
            attribute "F5-LTM-User-Info-1=DC2"
            line-order 2
        }
    }
}
The BIG-IP(r) system attempts to match the value of the attribute option, F5-LTM-User-Info-1=DC1, and then pulls the value
of the console, role and user-partition options from the other variables.
Note: If a variable includes an incorrect value, the system does not authorize the user. Additionally, if you have not
defined the variables, as with the group DC2 above, the system authenticates the user with the following access rights:
console = disabled
role = none
user-partition = none
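The matching, variable-substitution and fallback behaviour described above, modelled as an added Python example (not part of this man page or of BIG-IP); it assumes the authentication server's attributes arrive as a name-to-value dict, that the attribute pair is a literal, and that entries are tried in line-order with the first match winning.

```python
# Added example, not from the BIG-IP man page: a small model of how a user's
# server-supplied attributes are resolved against remote-role entries.
# Assumptions: attributes arrive as a name-to-value dict, the "attribute" pair is
# a literal, and entries are tried in line-order with the first match winning.
ROLE_CODES = {0: "admin", 20: "resource-admin", 40: "user-manager", 80: "auditor",
    90: "log-manager", 100: "manager", 300: "application-editor", 350: "advanced-operator",
    400: "operator", 450: "firewall-manager", 500: "certificate-manager", 510: "irule-manager",
    700: "guest", 800: "web-application-security-administrator",
    810: "web-application-security-editor", 820: "web-application-security-operations-administrator",
    850: "acceleration-policy-editor", 900: "no-access"}  # numeric values listed under the role option
# Rights granted when a matching entry's variables are not defined (the Note above).
NO_RIGHTS = {"console": "disabled", "role": "none", "user-partition": "none"}
ROLE_INFO = {  # the DC1/DC2 configuration shown in this man page
    "dc1": {"attribute": "F5-LTM-User-Info-1=DC1", "line-order": 1,
            "console": "%F5-LTM-User-Console", "role": "%F5-LTM-User-Role",
            "user-partition": "%F5-LTM-User-Partition"},
    "dc2": {"attribute": "F5-LTM-User-Info-1=DC2", "line-order": 2},
}

def substitute(value, server_attrs):
    """Return value as-is, or the server attribute it names when it starts with '%'."""
    if value is None or not value.startswith("%"):
        return value
    return server_attrs.get(value[1:])  # None when the server did not send it

def check(opt, raw):
    """Normalise a substituted value; None flags an incorrect value (user not authorized)."""
    if opt == "role":  # numeric codes or tmsh role names are accepted
        return ROLE_CODES.get(int(raw)) if raw.isdigit() else (raw if raw in ROLE_CODES.values() else None)
    return raw if opt != "console" or raw in ("tmsh", "disabled") else None

def resolve(role_info, server_attrs):
    """Return the access rights for the first matching entry, or None when not authorized."""
    pairs = {f"{k}={v}" for k, v in server_attrs.items()}
    for entry in sorted(role_info.values(), key=lambda e: e["line-order"]):
        if entry["attribute"] not in pairs:
            continue
        if entry.get("deny") == "enabled":  # deny enabled: remote access refused
            return None
        rights = {}
        for opt in ("console", "role", "user-partition"):
            raw = substitute(entry.get(opt), server_attrs)
            rights[opt] = NO_RIGHTS[opt] if raw is None else check(opt, raw)
            if rights[opt] is None:
                return None
        return rights
    return None  # no entry matched
```

A DC2 user who matches an entry with no variables defined receives the console=disabled, role=none, user-partition=none rights from the Note, while a DC1 user whose role variable carries an unknown value is not authorized at all.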
EXAMPLES
modify remote-role role-info add { my_managers { attribute "memberOF=cn=BigIPmanagerGroup,cn=users,dc=mydept,dc=mycompany,dc=com" console disabled line-order 1000 role 100 user-partition all } }
Configures a remote role, named my_managers, for LDAP authentication, by creating the 1000th line of the
/config/bigip/auth/remoterole file, and granting the Manager role (100) in all partitions to the remote users assigned this
role.
modify remote-role role-info add { my_admins { attribute "NS-Admin-Privilege" console tmsh line-order 2000 role 0 user-partition all } }
Configures a remote role, named my_admins, for LDAP authentication, by creating the 2000th line of the
/config/bigip/auth/remoterole file, and granting the Administrator role (0) in all partitions to the remote users assigned
this role.
modify remote-role role-info add { my_managers { attribute "manager_group=manager" console tmsh line-order 3000 role 0 user-partition all } }
Configures a remote role, named my_managers, for RADIUS or TACACS+ authentication, by creating the 3000th line of the
/config/bigip/auth/remoterole file, and granting the Administrator role (0) in all partitions to the remote users assigned
this role.
OPTIONS
description
Specifies a user-defined description.
role-info
Configures the access rights for a specific group of remotely-authenticated users. You can configure the following
information for a role:
attribute
Specifies an attribute-value pair that an authentication server supplies to the BIG-IP system to match against
entries in /config/bigip/auth/remoterole. The specified pair typically identifies users with access rights in
common. This option is required.
Alternatively, you can use the variable substitution feature (described in the Description section above), and
specify a text string variable that is preceded by a leading % character.
console
Enables or disables console access for the specified group of remotely-authenticated users. The default value is
disabled.
When using variable substitution, as described in the Description section of this man page, the variable for the
console option must be: tmsh.
deny
Enables or disables remote access for the specified group of remotely-authenticated users. The default value is
disabled.
description
Specifies a user-defined description.
group-name
Specifies the name of the remote role that you are configuring. This option is required.
line-order
Specifies the number of the first populated line in the file, /config/bigip/auth/remoterole. The LDAP, Active
Directory, RADIUS, and TACACS+ servers read this file line by line. The order of the information is important;
therefore, F5 Networks recommends that you set the first line at 1000. This allows you, in the future, to insert
lines before the first line. This option is required.
role
Specifies the role that you want to grant to the specified group of remotely-authenticated users. The default
value is no-access. The available roles are:
acceleration-policy-editor
admin
application-editor
auditor
certificate-manager
firewall-manager
fraud-protection-manager
guest
irule-manager
log-manager
manager
no-access
operator
resource-admin
user-manager
web-application-security-administrator
web-application-security-editor
web-application-security-operations-administrator
When using variable substitution, as described in the Description section above, the variable for the role option
must evaluate to one of these values:
0 (admin)
20 (resource admin)
40 (user manager)
80 (auditor)
90 (log manager)
100 (manager)
300 (application editor)
350 (advanced operator)
400 (operator)
450 (firewall manager)
500 (certificate manager)
510 (irule manager)
700 (guest)
800 (web application security administrator)
810 (web application security editor)
820 (web application security operations administrator)
850 (acceleration policy editor)
900 (no-access)
user-partition
Specifies the user partition to which you are assigning access to the specified group of remotely-authenticated
users. The default value is Common. This option is required.
Alternatively, you can use the variable substitution feature (described in the Description section above) and
specify a text string variable that is preceded by a leading % character.
SEE ALSO
auth remote-user, auth user, list, modify, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2011, 2013. All rights reserved.
BIG-IP 2020-12-04 auth remote-role(1)